Risk and asset security

Common asset classifications

You can only protect what you know you have.

Asset classification helps organizations implement an effective risk management strategy. It also helps them prioritize security resources, reduce IT costs, and stay in compliance with legal regulations.

The most common classification scheme is:

Restricted: the highest level. This category is reserved for incredibly sensitive assets, like need-to-know information.

Confidential: refers to assets whose disclosure may lead to a significant negative impact on an organization.

Internal-only: describes assets that are available to employees and business partners.

Public: the lowest level of classification. These assets have no negative consequences to the organization if they’re released.

How this scheme is applied depends on the organization as well as on the characteristics of each asset, which makes classification a complicated task.

Security plans

Types of risk categories:

  • Damage
  • Disclosure
  • Loss of information

Elements of a security plan

  • Policies
    • A set of rules that reduces risk and protects information
    • Focus on the strategic side of things
  • Standards
    • References that inform how to set policies
    • Create a point of reference, e.g. password standards
  • Procedures
    • Step-by-step instructions to perform a specific security task
    • Playbooks, guides

NIST cybersecurity framework (CSF)

CSF was developed by NIST in 2014. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk to protect critical infrastructure in the United States. NIST eventually adapted the CSF to fit the needs of businesses in the public and private sector.

Components of the CSF

  1. Core
    A set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of five functions (or parts):
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

      These functions are commonly used as an informative reference to help organizations identify their most important assets and protect those assets with appropriate safeguards.
  2. Tiers
    A way of measuring the sophistication of an organization’s cybersecurity program. Tiers are designed to show organizations what is and isn’t working in their security plans.
    • Range from level 1 – 4
      • level 1: passive – a limited set of security controls have been implemented.
      • level 4: adaptive –
  3. Profiles
    CSF profiles are premade templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline or to compare their current security posture to specific industry standards.

Implementing the CSF

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides detailed guidance that organizations can use to implement the CSF.

  • Create a current profile – describe your current security operations and outline the specific needs of your business.
  • Perform a risk assessment – identify your current operations that do or do not meet business and regulatory standards.
  • Analyze and prioritize existing gaps – identify security operations that place assets at risk.
  • Implement a plan of action – a focused plan to achieve your organization’s goals and objectives.
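The gap analysis step above can be made concrete by comparing a current profile against a target profile. The example below is added here and is not part of the original notes or of NIST's own material: it models each CSF outcome with the current and target tier (1 to 4) of a safeguard and weights the gap by the classification of the asset the safeguard protects, so that gaps on Restricted assets rise to the top of the plan of action. The control names, tier values and classification weights are constructed for illustration.

```python
from dataclasses import dataclass

# Sensitivity weight per level of the classification scheme on this page.
# The numeric weights are an assumption of this example, not a NIST value.
CLASS_WEIGHT = {"restricted": 4, "confidential": 3, "internal-only": 2, "public": 1}

CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


@dataclass
class Outcome:
    function: str      # CSF core function the safeguard belongs to
    control: str       # hypothetical safeguard name
    asset_class: str   # classification of the asset the safeguard protects
    current_tier: int  # implementation tier observed in the current profile (1-4)
    target_tier: int   # tier required by the target profile (1-4)

    def __post_init__(self):
        # Reject values outside the page's tier range or classification scheme.
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")
        if self.asset_class not in CLASS_WEIGHT:
            raise ValueError(f"unknown classification: {self.asset_class}")
        for tier in (self.current_tier, self.target_tier):
            if not 1 <= tier <= 4:
                raise ValueError(f"tier must be 1-4, got {tier}")


def gap_score(outcome):
    """Size of the tier gap, weighted by the sensitivity of the protected asset."""
    shortfall = max(0, outcome.target_tier - outcome.current_tier)
    return shortfall * CLASS_WEIGHT[outcome.asset_class]


def prioritize_gaps(outcomes):
    """Return only outcomes with a gap, largest weighted gap first (ties by function)."""
    with_gap = [o for o in outcomes if gap_score(o) > 0]
    return sorted(with_gap, key=lambda o: (-gap_score(o), o.function))


# Constructed current profile for a fictional organization (not real data).
CURRENT_PROFILE = [
    Outcome("identify", "asset inventory", "restricted", 1, 3),
    Outcome("protect", "MFA on admin accounts", "confidential", 2, 4),
    Outcome("detect", "log monitoring", "internal-only", 3, 3),
    Outcome("respond", "incident playbook", "public", 1, 2),
    Outcome("recover", "tested backups", "restricted", 2, 4),
]

if __name__ == "__main__":
    for o in prioritize_gaps(CURRENT_PROFILE):
        print(f"{gap_score(o):>2}  {o.function:<8} {o.control} ({o.asset_class})")
```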
