[Figure 5.4: The system characterization phase and its subprocesses. The diagram lists three subprocesses and their activities:
Critical Information Assets: identifying critical information assets.
User Profiling: understanding the users of the web application and their roles; creating an access control matrix with user roles and their access to critical information assets.
Application Architecture: illustrating the application deployment architecture; understanding the external interfaces of the web application; creating trust boundaries based on external interfaces; identifying the flow of data across the web application.]
which the application would be adversely affected. These information assets are indispensable to
the organization and are stored, processed, or transmitted via the Web application. Identification
of critical application data/information assets is imperative, as it is the sole determinant of
the controls and risk mitigation plans that are drawn up later for the protection of the application
data. The rationale is simply this: how do we know what to protect, and how much? The answer
clearly lies in identifying critical assets and understanding the impact of a breach of their
confidentiality, integrity, or availability. Another aspect of system characterization considers the
various users of the application and their access to critical information assets. This provides a great
deal of clarity about the types of users and their interaction with the critical information assets.
For instance, a Web application whose users include the general public would be more at risk
than an application used only by the employees of an organization. Finally, system
characterization involves understanding the basic application architecture and its deployment
environment. Network diagrams are used to understand the deployment environment of the application.
Application architecture diagrams are used to understand the system interfaces of the application
and the systems the application interacts with, in order to formulate the level of trust to be established with
each interface of the application. Figure 5.4 illustrates the list of sub-processes that constitute the
System Characterization process.
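The three subprocesses above (critical assets rated by CIA impact, user roles, and an access control matrix relating the two) can be written down as data and queried. The following Python is an added illustration, not code from the book; the impact scale, the bank roles and assets, and the grants are constructed sample values, and the assumption that a public-facing role with access to a critical asset is the first cell of the matrix to mitigate follows the reasoning in the text.

```python
"""Model of the system characterization step: critical assets, user roles,
and an access control matrix. All sample data is constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


# CIA impact scale, constructed for this example: 1 = low, 2 = medium, 3 = high.
@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    @property
    def criticality(self) -> int:
        # The worst-case impact across the triad decides how much protection is needed.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Role:
    name: str
    public: bool  # True when the role is open to the general public (higher exposure)


# role name -> asset name -> permitted operations (absence means denied)
Matrix = Dict[str, Dict[str, FrozenSet[str]]]


def build_matrix(grants: Iterable[Tuple[str, str, str]]) -> Matrix:
    """Build the access control matrix from (role, asset, operation) grants."""
    matrix: Matrix = {}
    for role, asset, op in grants:
        ops = set(matrix.setdefault(role, {}).get(asset, frozenset()))
        ops.add(op)
        matrix[role][asset] = frozenset(ops)
    return matrix


def allowed(matrix: Matrix, role: str, asset: str, op: str) -> bool:
    """Default-deny lookup: unknown roles, assets or operations are refused."""
    return op in matrix.get(role, {}).get(asset, frozenset())


def critical_assets(assets: Iterable[Asset], threshold: int = 3) -> List[str]:
    """Names of assets whose worst-case CIA impact meets the threshold, most critical first."""
    ranked = sorted(assets, key=lambda a: (-a.criticality, a.name))
    return [a.name for a in ranked if a.criticality >= threshold]


def exposure_report(matrix: Matrix, assets: Iterable[Asset],
                    roles: Iterable[Role]) -> List[Tuple[str, str, str]]:
    """(role, asset, op) triples where a public role can reach a critical asset.
    These matrix cells are where the later risk mitigation plan should focus first."""
    crit = set(critical_assets(assets))
    public = {r.name for r in roles if r.public}
    rows: List[Tuple[str, str, str]] = []
    for role in sorted(public):
        for asset, ops in sorted(matrix.get(role, {}).items()):
            if asset in crit:
                rows.extend((role, asset, op) for op in sorted(ops))
    return rows


# Constructed sample: a bank Web application with three user roles.
ASSETS = [
    Asset("account_balances", confidentiality=3, integrity=3, availability=2),
    Asset("customer_records", confidentiality=3, integrity=2, availability=2),
    Asset("marketing_content", confidentiality=1, integrity=2, availability=1),
]
ROLES = [Role("customer", public=True), Role("teller", public=False),
         Role("auditor", public=False)]
GRANTS = [
    ("customer", "account_balances", "read"),
    ("customer", "marketing_content", "read"),
    ("teller", "account_balances", "read"),
    ("teller", "account_balances", "write"),
    ("teller", "customer_records", "read"),
    ("auditor", "account_balances", "read"),
    ("auditor", "customer_records", "read"),
]
MATRIX = build_matrix(GRANTS)

if __name__ == "__main__":
    print("critical assets:", critical_assets(ASSETS))
    for row in exposure_report(MATRIX, ASSETS, ROLES):
        print("public-role access to critical asset:", row)
```

The matrix is default-deny, so any role/asset pair that was never granted is refused by `allowed`; the exposure report picks out the cells where the text's two risk factors coincide (a high-impact asset reachable by a public role), which is the ordering the controls drawn up later in the assessment would follow.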
5.2.2 Identifying Critical Information Assets
An organization in today's world is a giant storehouse of information. Financial information,
marketing information, production information, and customer information are some types of
information among several others. A quote from the 1987 movie Wall Street rings true. The movie
is about the stock market and its players. The protagonist Gordon Gekko says, "The most valuable
commodity I know of is information." Information, without doubt, is the lifeblood of any
organization. However, critical information is the most valuable of all the organization's information
and needs to be treated as an asset. For a bank customer, account information, customer records,
and the like would be extremely valuable information. Without information, the bank wouldn't