long-term business interests are hindered if the confidentiality, integrity, or availability of these
assets is breached in any way.
Critical information assets are ideally gathered based on inputs provided by the business
leadership of an organization and/or its operational management, as they are the individuals who will
be able to identify the criticality of the information assets most effectively, based on experience and
expertise with the organization. It is imperative that this knowledge be leveraged, as the process
of identification of critical information assets would be an effective and comprehensive exercise,
providing a strong base to perform a more effective risk assessment subsequently.
It is important to note that the critical information assets that are identified are stored,
processed, or transmitted through an appropriate Web application in the present-day context. An
organization might have many other information assets, which may be remotely related to the
Web application, and while these information assets may be identified during an organizational
risk assessment, these information assets will be purely out-of-scope for the Web application
in question.
A workshop is one of the most effective ways of creating a collated list of information assets
pertaining to the organization in question. Workshops provide a conducive environment to gather
information about the various critical information assets and are also ideally suited for debate.
This process is akin to the brainstorming session in corporate workshops. The OCTAVE
methodology, for example, prescribes that senior management, operational management, and staff
workshops need to be conducted to gain a detailed insight into the critical assets of the organization.
Although OCTAVE is a risk assessment methodology for enterprise risk assessment, its principles
may be adopted for a Web application as well. Discussions with management or customers
regarding the types of critical information that will be stored, processed, or transmitted need to take
place before formulating the requirements of the application. A workshop facilitated with a
brainstorming session among the right stakeholders will ensure that the most comprehensive picture of
critical information assets will be revealed during the course of the interactions with management/
customers. The workshop will help to leverage the existing knowledge of the organization for
getting the comprehensive picture of the critical information assets. Using the knowledge of a few
key individuals with the right kind of knowledge ensures that the organizational experience is
tapped to the fullest and the comprehensive view of information assets is achieved.
As discussed in Chapter 5, there are three main methods for identifying and formulating the
list of critical information assets for the Web application. They are workshops, questionnaires, and
description sheets. However, since the workshop is the most effective technique for the identification
of critical information assets, we have focused on the workshop method in this chapter.
6.1.3 Identified Critical Information Assets for Panthera's Web Application
We have already explored Panthera's need for developing an e-commerce application, with security
being an important consideration. In this section, we will delve into the critical information assets
that will be stored, processed, or transmitted by Panthera's envisaged e-commerce application.
Jaguar InfoSolutions, Panthera Retail's application development partners, have decided to
initiate the process of identifying the critical information assets based on the reading of the RFP
(Request for Proposal, which was discussed in Chapter 4) and discussions with Panthera's top
management. They have identified the following as the critical information assets that will be in
scope for the risk assessment for the e-commerce application: