Are you making the mistake of adopting a security model just because it worked for somebody else? This happens more often than you would think. You either do it willingly, thinking it will help improve your security posture, or the idea is sold to you by a service provider who claims to have used the exact same security approach for another organisation.
Either way, a one-size-fits-all approach does not work for security. Granted, security is aligned with the implementation of standards, but standards only act as a useful guide; they don’t tell you which standard is most relevant to your business or which one you should prioritise over others.
When you go with a generalised approach to security, you are either under-protected or over-protected, and neither is a good scenario. So, what’s the best approach? Since your assets as an organisation are unique, approaching security from the perspective of your assets is the best option.
Asset-based approach to security
When you take the asset-based approach, you group assets into different classifications and then apply the security policies and standards that are relevant to each group. It optimises budget and effort and also makes it easier to manage risks. This type of asset management is mentioned in the requirements of ISO 27001 and NIST CSF. It is also present in government standards such as the Victorian Protective Data Security Standards (VPDSS).
The approach starts with identifying your assets through an asset register. You need to take into account your organisation’s context and the scope of the security program to decide whether to use existing asset registers or create new ones. An asset can be hardware, software or information – basically anything that is valuable to the business.
Hardware asset registers can include servers, workstations, mobile devices, portable media, etc. Software asset registers can include source code and cloud services. Information assets include anything associated with critical business processes, such as purchase orders, invoices, passwords, financial statements, etc.
Once the assets are identified, the next step is to assign ‘owners’ to the assets. The asset owners are responsible for the day-to-day management, risk decisions, and security of the assets. You will end up with different asset owners for different types of assets. However, care should be taken to assign ownership of an asset to someone for whom that asset is a core part of their job. For instance, the asset owner for hardware could be the IT manager. Do note that, according to Annex 8 of ISO 27001, an asset owner can be an individual or an entire department.
Classifying the sensitivity and security of the asset
Owners need to classify the assets based on the confidentiality, integrity, and availability (CIA) requirements associated with each asset. The classification could be on a scale of High, Medium, and Low, or on a numerical scale. Governments also have their own classification systems, which can be used where applicable.
6clicks lets you create an asset register by adding assets, assigning owners, and assigning Confidentiality, Integrity, and Availability levels to each asset. The platform sends reminders to review assets regularly to ensure that the asset register is always up-to-date.
Asset management and risk management
Standards such as ISO 27001 do not mandate identifying assets and assigning asset owners. In ISO 27001, identification of assets and assignment of owners to each asset are security controls under Annex A.
However, the asset management described above is good ISMS practice that paves the way for streamlined risk management. It helps to create an organised information security system by giving you a complete inventory of the assets and the level of security they need. By reviewing these assets regularly and assigning owners, you can create a robust ISMS. Read more about the challenges in risk management in the blog The Four Big Risk Management Challenges in 2022.
Written by Andrew Robinson
Andrew started his career in the startup world and went on to perform cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Master’s in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.