
Asset (computer security)

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pnm (talk | contribs) at 01:17, 21 December 2010 (Self-revert. Hold off on Afd nom for now. Undid revision 403448328 by Pnm (talk)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In information security, computer security and network security, an asset is defined as:[1][2]

Anything that has value to the organization, its business operations and their continuity, including Information resources that support the organization's mission.

Definitions

Several other definitions have been proposed.

FAIR

According to Factor Analysis of Information Risk (FAIR),[3] adopted by The Open Group,[4] an asset is:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

NIST

According to NIST SP 800-26:[5]

Asset – a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

ISACA

ISACA, in the glossary of its Risk IT framework, defines an asset as:[6]

Something of either tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation.

IETF

Internet Engineering Task Force RFC 2828 uses the term system resource for what is called an asset here.

Phenomenology

Information security is the discipline of maintaining the value of information assets against probable loss, whether caused by accident or by people. Risk is the probability of losing asset value, or more precisely:[3]

Risk – The probable frequency and probable magnitude of future loss

When applied to information technology, risk is called IT risk.[7]

Risk management is the discipline of managing risk.

The methods and organization used to manage IT risk constitute the Information Security Management System (ISMS).[8]

In information security the paradigm is that a threat agent can cause harm to an organization's asset through an attack that exploits a vulnerability of the asset itself or of a related asset, producing negative consequences and a loss of the asset's value.[9] For example, a black hat hacker belonging to a criminal organization can use a software bug (vulnerability) in the communication software of the computer (related asset) that stores the company's customer credit card numbers to gain access to the main asset (the credit card numbers) and copy, modify or delete them.

      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

The threat agent can compromise one (or all) of the properties of the information asset: confidentiality, integrity and availability, the so-called CIA triad.

The result of the security incident is called impact.[1]

The actions put in place to mitigate the risk are called countermeasures.[9]

The overall picture represents the risk factors of the risk scenario.[10]

Asset value for the sake of risk analysis

[Figure: FAIR loss factors]

From a risk analysis viewpoint, the value of an asset is not a single number: one should consider the value of the asset itself but also other related values, which can be even larger. For example, the replacement cost of a lost laptop hard disk on which valuable information is stored is far less than the effort of recovering the data from a paper copy. If the stored data concerned the health of the organization's patients, a heavy fine could apply, perhaps a thousand times larger than the cost of the disk.

Assets have characteristics related to value, liability, and control strength that represent risk factors.[3]

An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization.[3] For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six forms of loss:[3]

  1. Productivity – the reduction in an organization’s ability to generate its primary value proposition (e.g., income, goods, services, etc.)
  2. Response – expenses associated with managing a loss event (e.g., internal or external person-hours, logistical expenses, etc.)
  3. Replacement – the intrinsic value of an asset. Typically represented as the capital expense associated with replacing lost or damaged assets (e.g., rebuilding a facility, purchasing a replacement laptop, etc.)
  4. Fines and judgments (F/J) – legal or regulatory actions levied against an organization. Note that this includes bail for any organization members who are arrested.
  5. Competitive advantage (CA) – losses associated with diminished competitive advantage. Within this framework, CA loss is specifically associated with assets that provide competitive differentiation between the organization and its competition. Within the commercial world, examples would include trade secrets, merger and acquisition plans, etc. Outside of the commercial world, examples would include military secrets, secret alliances, etc.
  6. Reputation – losses associated with an external perception that an organization’s leadership is incompetent, criminal, or unethical

FAIR defines value/liability as:[3]

  1. Criticality – characteristics of an asset that have to do with the impact to an organization’s productivity. For example, the impact a corrupted database would have on the organization’s ability to generate revenue
  2. Cost – refers to the intrinsic value of the asset – i.e., the cost associated with replacing it if it’s been made unavailable (e.g., stolen, destroyed, etc.). Examples include the cost of replacing a stolen laptop or rebuilding a bombed-out building
  3. Sensitivity – the harm that can occur from unintended disclosure. Sensitivity is further broken down into four sub-categories:
    1. Embarrassment/reputation – the information provides evidence of incompetent, criminal, or unethical management. Note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that may result when a loss event takes place.
    2. Competitive advantage – the information provides competitive advantage (e.g., key strategies, trade secrets, etc.). Of the sensitivity categories, this is the only one where the sensitivity represents value. In all other cases, sensitivity represents liability.
    3. Legal/regulatory – the organization is bound by law to protect the information
    4. General – sensitive information that doesn’t fall into any of the above categories, but would result in some form of loss if disclosed

The loss can also depend on how the organization conducts itself while handling the incident.
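The laptop-disk example above and the FAIR definition of risk (probable frequency times probable magnitude of loss) can be worked through numerically. The following is an added example, not code from the article or from the FAIR standard: it breaks a loss magnitude down into FAIR's six loss forms and shows how the same physical asset carries very different risk depending on the information it holds. All monetary figures and frequencies are constructed for illustration.

```python
from dataclasses import dataclass, field

# FAIR's six forms of loss, as listed on the page; each loss magnitude is
# broken down into these buckets so costs beyond replacement are not forgotten.
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_judgments", "competitive_advantage", "reputation")

@dataclass
class LossEvent:
    """One loss scenario against an asset, estimated per FAIR loss form."""
    name: str
    frequency_per_year: float                      # probable loss event frequency
    magnitude: dict = field(default_factory=dict)  # loss form -> probable magnitude

    def loss_magnitude(self) -> float:
        unknown = set(self.magnitude) - set(LOSS_FORMS)
        if unknown:
            raise ValueError(f"not a FAIR loss form: {sorted(unknown)}")
        return float(sum(self.magnitude.values()))

    def annualized_loss(self) -> float:
        # Risk = probable frequency x probable magnitude of future loss
        return self.frequency_per_year * self.loss_magnitude()

def replacement_share(event: LossEvent) -> float:
    """Fraction of the total magnitude that bare replacement cost accounts for."""
    total = event.loss_magnitude()
    return event.magnitude.get("replacement", 0.0) / total if total else 0.0

# Constructed figures (illustrative only, not from the page or any real incident).
LOST_DISK_PATIENT_DATA = LossEvent(
    name="laptop disk holding patient records lost",
    frequency_per_year=0.5,
    magnitude={"replacement": 100.0,          # a new disk
               "response": 20_000.0,          # re-keying from paper, notifications
               "fines_judgments": 100_000.0,  # penalty for exposed health data
               "reputation": 30_000.0})
LOST_DISK_PUBLIC_DATA = LossEvent(
    name="laptop disk holding public brochures lost",
    frequency_per_year=0.5,
    magnitude={"replacement": 100.0, "response": 200.0})

def rank_by_risk(events):
    """Order scenarios by annualized loss: same physical asset, very different risk."""
    return sorted(((e.name, e.annualized_loss()) for e in events), key=lambda t: -t[1])

if __name__ == "__main__":
    for name, ale in rank_by_risk([LOST_DISK_PATIENT_DATA, LOST_DISK_PUBLIC_DATA]):
        print(f"{name}: {ale:,.0f} per year")
```

Replacement cost is well under one percent of the patient-data scenario's magnitude, which is the point the article makes about the disk versus the fine.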
