Classification of Information Assets in Technological Risk Management Practice
A constantly underestimated practice is the classification of information assets
This is because when reviewing the plans of the areas of technological risk and information security, there is not always an adequate classification of the information.
Generally, inventories are used to keep track of equipment or applications.
It is considered what you have and for what, but without further support for other activities.
The classification of information assets is of great importance.
Since it can provide feedback on other elements of technology, security and risk management.
Generally, there are two fundamental objectives:
– The first is to provide adequate administration to the resources available to the organization.
– The second is to protect them properly from the threats to which they are exposed.
This allows the development of appropriate risk management over them and better use of assets, mitigating risks and generating value to the organization.
The practice itself allows the classification of information assets based on their level of exposure, as well as the relative importance it represents for the business.
Consequently, if these processes are critical, it is very possible that assets that are also critical and require protection, according to the level of sensitivity observed.
As can be seen, information asset management is a management framework that could be independent, but that under this perspective is useless.
It is appropriate to derive (feedback) to other practices in the organization to strengthen the control environment.
For example, specific plans to mitigate events or incidents that threaten the ideal condition of the business, which is to be constantly operational.
Rarely are technology or organizational plans where an input for the development of such plans is the product of the classification of information assets.
In general, a security or business continuity plan begins with a risk analysis without feedback from the classification of information assets.
This is because it has not been done, or simply because it is underestimated, the value that this management represents for the rest of the control practices.
Carrying out a classification management of information assets in an organization is simple.
Its method varies little and is supported by traditional risk assessment models, which allows identifying assets, describing and cataloging them.
If we had to list the steps, they would be the following:
Identify assets that have common attributes
Such as storage, processors, applications, digital documents, databases, physical documents and even areas.
The objective is to identify the degree of confidentiality, integrity and availability.
We add a differentiating element outside the triad of information security that refers to “use.”
The intensive use of the asset can influence the control aspects.
Identification of inherent risks
The evaluation is carried out to identify the inherent risks to which the asset is exposed, visualizing the context where it operates.
That is, within the business process. All this under known practices to determine its impact and probability of occurrence.
Controls, their efficiency and operation are identified in order to determine the residual risk.
Finally, the classification of the asset is given and it is derived from the practice that advises its degree of classification.
This last step is the fundamental one, because in general, this recommendation can be addressed to different specialized areas in the organization.
For example, if the asset requires more protection, since its integrity requires it, it is possible that it will go to the area of information security and those responsible for managing the technology architecture.
They must apply the established policies for data protection through hardware cryptography.
It may also happen that there are areas that handle physical information that are not giving them adequate protection and custody.
In this case, the physical infrastructure area of the organization must adapt the physical environment to protect said asset from moisture, dust, monitoring and access.
In conclusion, the practice of classification of information assets is essential to carry out many of the activities that make up the technology control environment in the organization.
Many processes can feed on products that are derived from such practice.
The benefit obtained is representative when it is identified that with a control, many of the gaps that may arise in assets in critical business processes can be mitigated.
As well as the benefit of reprocessing and the maximization of resources in the execution of projects as important as operational risk management or the creation and administration of business continuity plans.
Which are projects that give excellent use to the information provided by the “classification of information assets”.
The framework for risk assessment that is commonly used is adopted from ISO 31000: 2009, Risk management – Principles and guidelines, of the International Organization for Standardization (ISO) aims to help organizations of all types and sizes to manage the risk effectively.