Question: How much is an autographed picture of Chuck Norris worth?
Answer: Whatever someone is willing to pay for it.
In the real, physical world of commerce, the free market economy does a good job of establishing value; both perceived and real. Perceived value is how much folks think something is worth, and real value is how much hard-earned cash they shell out to actually pay for it.
These principles guide a great deal of the global economy. The question, though, when protecting your organization’s data, is “how do you know which data is really worth something, so you know where to place your security budget dollars wisely?”
To answer that question, you must understand the real value and mission criticality of your resources and data. The following categories assist as an early step in isolating the electronic keys to the kingdom from the worthless clutter.
If this info gets out or is destroyed, we are out of business. If this portion of our networks is compromised, we are out of business. If this system gets attacked, the water supply (power, gas, other utility) is shut off. The space-bound launch vehicle will blow up. The phones won’t work. The bank stops functioning. And when this news hits the papers, it will cost us a fortune and we won’t recover from the losses.
Almost Mission Critical
Destroying or leaking this data would result in extreme damage at a cost that is barely survivable. We are going to be fined by government entities, scolded by the media, and customers will leave in hordes, driving our organization to the edge of a total loss.
Damn, That Hurts
If this data gets out it will hurt, and it will cost us. If these services go away, we have a heck of a lot of catching up to do and a lot of financial fallout to contend with. But we can spin doctor our way back to health if we absolutely have to.
If this information is leaked or stolen, it’s no disaster. It might cost us a bit; it might prove embarrassing and temporarily disrupt our objectives, but there is no major impact on the organization’s ability to stay in business.
Take the information, have a ball with it. We don’t really care what you do with it. It’s public, or we want it made public. If you modify it, no one will care or even notice. Denial of Service does not find a home in this category.
With those categories established, use the following chart to:
- Identify the existence of the information which fits into these categories for various portions of a network. Ideally, consider Confidentiality, Integrity, and Availability, in all three domains: Cyber, Human, and Physical.
- Specify the logical, networked-based storage location of the assets you have categorized. This process defines the pathing and logical organization of the assets with respect to the rest of the network. Don’t forget to calculate in the Cloud.
- Specify the physical location of the assets in step #2 above.
By defining categories and specific locations and processes for storing data/assets, you improve your chances of protecting the organization from security incidents. And while some of this requires a bit of technical know-how, most of it falls under the main umbrella of information security: common sense. Because, even if you haven’t gone through the process of identifying your most valuable assets, there’s a good chance someone else (cybercriminals) already has.
The Security Awareness Company works with you 1-on-1 to implement cyber awareness & compliance programs. With a greater than 95% client retention rate, we’re experts at creating human firewalls out of end-users! Get started here.
Latest posts by Justin Bonnema (see all)
- Multi-factor Authentication: What it is and Why You Need It - June 27, 2019
- Summer of Security 2019 - June 20, 2019
- How Much for That Data in the Window? - May 28, 2019