Rather than debate the location of the attacker, why not consider the location of the target? Circling back to the concept of triage, forward-thinking security teams are combating the problem by working with the business side to identify key targets, then creating identification and classification systems. Once they know which assets are most important, prioritization efforts can follow. Classification strategies typically start with data-grouping efforts, which can be rolled into more complex asset-classification systems when combined with variables such as system type, function or criticality.
Starting with data classification, these frameworks can be as simple as two- or three-tier systems or as complex as variable asset-value models (see "Companies Struggle With Data Classification").
A basic data-classification plan may start with the data and provide a framework for grouping that data into two or more classification tiers. A three-tier method may include categories such as public data, private data, and proprietary and confidential data.
For example, schematics for the next-generation Strong-Bad 3000 cannery machine--which is capable of packaging potted meat at the rate of 3,000 CPMs (cans per minute) and could revolutionize the potted-meat industry--would be considered sensitive and valuable by the machine's maker. In our three-tier model, the data relating to these schematics would be classified as proprietary and confidential. In contrast, last year's sales brochures touting the aging Strong-Bad 325i models, available via the company Web site, would be classified as public data.
While this example is simplistic, the success of a classification effort is often determined by its simplicity. A four-tier model might introduce a tier between private and proprietary--after all, the more tiers, the more granular the organization's data-classification efforts can be. However, with that granularity comes added complexity, larger margin for error, and potentially higher costs associated with making the classification process a reality.
Let's move from data classification to asset classification. In this case, an asset might be a piece of data, a single system or a group of systems that perform a given business function. For example, all the data, servers and applications that comprise the payroll system might be viewed as a single asset (with multiple components). Or, depending on the classification policies, components might be rated/ranked differently. Asset rankings might also take into account less tangible factors, such as "visibility." For example, a public Web server may not contain critical data, but a defacement of the site could result in public embarrassment and a decrease in customer confidence. Regardless, how a given organization views its digital assets depends on defined policies and strategies and the organization's ability to execute on those strategies.
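To make the asset-value model above concrete, here is an added example (not from the original article) that rolls a three-tier data classification up into an asset ranking. The weights, the 1-3 criticality and visibility scales, and the sample assets are all assumptions chosen to illustrate the idea, not figures the article gives.

```python
from dataclasses import dataclass
from enum import IntEnum


class DataTier(IntEnum):
    """Three-tier data classification from the article."""
    PUBLIC = 1
    PRIVATE = 2
    PROPRIETARY_CONFIDENTIAL = 3


@dataclass(frozen=True)
class Component:
    name: str
    data_tier: DataTier
    criticality: int  # assumed 1..3: how vital the business function is
    visibility: int   # assumed 1..3: 3 = internet-facing, 1 = internal only


@dataclass(frozen=True)
class Asset:
    """An asset is a group of components serving one business function."""
    name: str
    components: tuple


# Assumed weights: data sensitivity matters most, then criticality, then visibility.
WEIGHTS = {"data_tier": 3, "criticality": 2, "visibility": 1}


def component_score(c: Component) -> int:
    return (WEIGHTS["data_tier"] * int(c.data_tier)
            + WEIGHTS["criticality"] * c.criticality
            + WEIGHTS["visibility"] * c.visibility)


def asset_tier(asset: Asset) -> DataTier:
    # Classification rolls up: the asset inherits its most sensitive component's tier.
    return max(c.data_tier for c in asset.components)


def asset_score(asset: Asset) -> int:
    # The asset is only as low-risk as its highest-scoring component.
    return max(component_score(c) for c in asset.components)


def rank_assets(assets) -> list:
    """Return (name, score) pairs, highest priority first."""
    return sorted(((a.name, asset_score(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory (not real systems).
PAYROLL = Asset("payroll system", (
    Component("payroll db", DataTier.PROPRIETARY_CONFIDENTIAL, 3, 1),
    Component("payroll app", DataTier.PROPRIETARY_CONFIDENTIAL, 3, 1),
))
PUBLIC_WEB = Asset("public web server", (
    Component("www", DataTier.PUBLIC, 1, 3),  # no sensitive data, but defaceable
))
TEST_BOX = Asset("dev test box", (
    Component("test host", DataTier.PUBLIC, 1, 1),
))
```

Note that the public web server outranks the test box on visibility alone, which is the "less tangible factor" the article describes.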
Unfortunately, many organizations complete their classification policies but fall flat on their faces when it comes to completing the classification process. According to both our own observations and Network Computing reader polls, most organizations have not even completed their data-classification efforts, much less mapped those classifications to IT assets, essentially removing the possibility of an "effortless" move to a practical asset-based risk ranking system.
If you're in this boat, don't jump overboard. Often, existing tools found within the organization can help. For example, while many infosec programs are in their infancies, many disaster-recovery efforts are mature. Asking the disaster-recovery folks what they discovered during their business impact analysis studies can often provide security personnel with a much-needed jump-start in identifying critical assets at a high level.
Again, business participation is critical, because neither IT nor security can be expected to understand all of an organization's dynamics. Finally, consider using third-party resources to help in the classification process, particularly if your organization is short-staffed or there are concerns about business units objectively performing the task without aid or supervision.