be able to function. For an architecture firm, the designs of its buildings are probably its most critical piece of information. These assets are extremely valuable to the entity. The firm would not be able to do business without its building designs. In a similar vein, every organization has its own set of information assets that are critical for its business, and the organization would like to ensure that its business is not hindered by a loss of confidentiality, integrity, or availability of the asset, depending on its sensitivity. A nation's defense is deeply dependent on its key defense secrets, and any breach of confidentiality of that information could result in a great loss of national security. The price quoted by a vendor to a potential customer is a critical information asset, and any modification of that information (a breach of integrity) could result in a major loss of revenue for the vendor. For an e-commerce merchant, the Web application (and the information transacted over it) is a critical asset, and if the Web site is unavailable for a long period of time, such organizations would suffer debilitating losses of revenue.
As part of a security risk assessment exercise, it is always important to identify critical information assets. With reference to Web applications, the critical information assets are the information assets that are stored, processed, or transmitted via the Web application. Different information assets have different security requirements in terms of the CIA Triad. For instance, in the case of defense secrets, confidentiality is the most important attribute that needs to be maintained. While availability and integrity may also be secondary considerations, confidentiality is the primary attribute of focus. In the case of financial information like stock quotes, integrity would be the most important attribute, as even a slight change in the figure of the stock quote could in some cases result in several millions of dollars lost or gained.
Identifying critical information assets is one of the most important phases of a risk assessment activity, because a flawed identification of assets would result in the misapplication of the risk assessment activity or would render the activity ineffective. Several risk assessments go off course because of faulty identification and evaluation of information assets. If a vulnerability scanning activity were conducted for 3000 servers, of which only 500 servers contained the critical asset, then the activity would be wasteful and ineffective, and the organization would unnecessarily spend precious time and resources trying to mitigate the vulnerabilities in the 2500 servers that do not require that level of protection. That said, it should also be noted that not all risks can be mitigated. The focus on the critical information assets provides a clear scope for the implementation of controls, on the basis of which a protection strategy may be developed. In several cases, critical assets are closely tied to other elements that may be noncritical. The organization, in its quest to secure critical assets, could unknowingly add a layer of security for these elements as well. While the focal point for protection is the critical information asset, protecting it usually ensures security for the noncritical information elements as well.
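The following is an added illustration, not part of the book's text: a small asset register in which each asset carries a confidentiality, integrity and availability rating, from which the primary CIA attribute to protect is derived and the server estate is split into hosts that carry a critical asset (in scope for the scan) and hosts that do not, mirroring the 3000-versus-500 scenario above. Asset names, ratings and host names are constructed for the example.

```python
"""Asset register with CIA ratings, used to scope a risk assessment.

Added example: asset names, ratings and host names are constructed.
"""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    hosts: frozenset          # hosts that store, process or transmit the asset

    def ratings(self):
        return {"confidentiality": self.confidentiality,
                "integrity": self.integrity,
                "availability": self.availability}


def primary_attribute(asset):
    """CIA attribute the protection strategy should focus on.

    The highest-rated attribute wins; ties resolve in C, I, A order.
    """
    ratings = asset.ratings()
    return max(ratings, key=ratings.get)


def is_critical(asset, threshold=HIGH):
    """An asset is critical when any one CIA attribute reaches the threshold."""
    return max(asset.ratings().values()) >= threshold


def scan_scope(assets, all_hosts, threshold=HIGH):
    """Split the estate into hosts carrying a critical asset and the rest."""
    in_scope = set()
    for asset in assets:
        if is_critical(asset, threshold):
            in_scope |= asset.hosts
    estate = set(all_hosts)
    return sorted(in_scope & estate), sorted(estate - in_scope)


ALL_HOSTS = [f"srv-{n:04d}" for n in range(1, 31)]   # constructed 30-host estate
REGISTER = [   # constructed register echoing the chapter's examples
    Asset("defense-secrets", HIGH, MEDIUM, MEDIUM, frozenset({"srv-0001", "srv-0002"})),
    Asset("stock-quotes", MEDIUM, HIGH, MEDIUM, frozenset({"srv-0003"})),
    Asset("vendor-price-quote", MEDIUM, HIGH, LOW, frozenset({"srv-0003", "srv-0004"})),
    Asset("web-storefront", MEDIUM, MEDIUM, HIGH, frozenset({"srv-0005"})),
    Asset("marketing-brochure", LOW, LOW, MEDIUM, frozenset({"srv-0006", "srv-0007"})),
]

if __name__ == "__main__":
    for a in REGISTER:
        print(f"{a.name:20s} critical={is_critical(a)!s:5s} focus={primary_attribute(a)}")
    scoped, skipped = scan_scope(REGISTER, ALL_HOSTS)
    print(f"{len(scoped)} of {len(ALL_HOSTS)} hosts in scope; {len(skipped)} skipped")
```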
5.2.2.1 Developing a List of Critical Information Assets
In the first phase of the risk assessment, identifying critical information assets and evaluating them based on their criticality for the organization are the important activities. It is essential to identify the information assets correctly in this phase, failing which the entire risk assessment will be rendered ineffective and misguided. Let us explore the ways in which one can create a collated set of the information assets that are stored, processed, or transmitted by a Web application:
Questionnaires
Workshops
Description sheets