Specific methods for the hierarchical management of information assets (risk assessment and risk management).

2025-01-14 Update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report

Hierarchical management of information assets

1. Classification and identification of information assets

To achieve and maintain proper protection of organizational assets, all assets should be identified, and an inventory of all important assets should be produced and maintained.

All information and all assets related to information processing facilities should be assigned an owner by the organization. Rules for the acceptable use of information and of assets related to information processing facilities should be identified, documented and implemented. Each unit responsible for information assets regularly updates and maintains its own list of information assets; the lists of all units are summarized and consolidated, and are controlled centrally by the information security team to keep the information asset list complete. By their nature, information assets fall into five categories: personnel, hardware, software, electronic data and written documents, as follows:

Personnel: refers to business supervisors, contractors, outsourced manufacturers, contractual personnel, etc.

Hardware: network equipment, host equipment, communication equipment, environmental equipment and other related hardware facilities. For example: server hosts, personal computers, uninterruptible power supplies and so on.

Software: self-developed or outsourced application systems, purchased software packages, etc. For example: application systems, operating systems, software packages, utility programs and so on.

Electronic data: information that exists in electronic form. For example: network configuration data, backup files, etc.

Written documents: documents, reports and other related information that exist in paper form. For example: contracts, specifications, system documentation, user manuals, training materials, etc.

All assets are recorded in the information asset list.

2. Value identification of information assets

Information should be classified according to its value, legal requirements, sensitivity and importance, using the value identification criteria below.

Each information asset is rated for confidentiality, integrity and availability; the evaluation criteria are as follows:

Table 1 personnel evaluation criteria

Table 2 hardware evaluation criteria

Table 3 Software evaluation criteria

Table 4 Evaluation criteria for electronic data and written documents

The value of each asset is the highest of its confidentiality, integrity and availability evaluations, as in the following formula:

Asset value = max(confidentiality evaluation, integrity evaluation, availability evaluation).

Each evaluation is on a three-level scale (1 to 3), so the asset value is also 1, 2 or 3; this is what keeps the risk weight in section 5 within the range 1 to 27. (Adding the three evaluations together, as is sometimes done, would give values from 3 to 9 and does not fit that range.)

Each asset is classified according to the value of the asset, as detailed in the rating table of asset value.

Table 5 ranking of asset values

3. Marking and processing of information assets

An appropriate set of information marking and handling procedures should be developed and implemented in accordance with the classification scheme adopted by the organization. Asset marking must be clear: each asset is marked with its value level and distinguished by a coloured label. Hardware assets are labelled according to their value level as follows:

High asset value: the asset has the highest value; a red label is affixed.

Medium asset value: the asset has medium value; a ×× label is affixed.

Low asset value: the asset has the lowest value; no label is affixed.

Assets shall be properly kept in accordance with the applicable procedures. The life cycle of an asset covers creation, use, maintenance and destruction. Throughout the life cycle, the head of the IT department appoints an asset custodian for each asset. The custodian must use and safeguard the asset properly. Other colleagues may use the asset only after being authorized by the custodian, and each use shall be entered in the asset usage record. Confidential information about the asset is maintained by the custodian on a need-to-know basis: when use is authorized to other colleagues, they are given only the minimum information required.

To keep track of information equipment, the addition, transfer and scrapping of valuable information equipment in the computer room shall be registered. Asset borrowing shall also be registered so that the status of assets is controlled. Assets shall be scrapped only through the relevant scrapping procedure.

4. Identification of weaknesses and threats

A vulnerability, also called a weakness, is a gap or flaw in the organization's information security. A vulnerability does not itself cause harm; it is a threat exploiting the vulnerability that harms the system. For each asset category identified, list all the corresponding weaknesses, in the following order:

Personnel: lack of information security rules for external parties, lack of security control and management of the general office environment, lack of personnel security management, lack of awareness promotion, education and training for personnel, lack of segregation of duties and deputising arrangements, lack of information security incident reporting and handling procedures.

Hardware: lack of information security rules for external parties, lack of security control of the general office environment, lack of written operating procedures, lack of network security management, lack of security management of data exchange, lack of security control of storage media, lack of system monitoring, logging and related audit trails, lack of protection and management of physical assets, lack of planning and acceptance procedures for information system access, lack of security control of service access, lack of security management of controlled areas, lack of information security incident reporting and handling procedures, lack of security control over off-site work.

Software: lack of information security rules for external parties, lack of security control of the general office environment, lack of control of written operating procedures, lack of network security management, lack of security management of data exchange, lack of system monitoring, logging and related audit trails, lack of data security management, lack of planning and acceptance procedures for information system access, lack of security management of information system access, lack of security management for bringing systems into production, lack of security management of information system development, lack of security control of service access, lack of information system security protection mechanisms, lack of information security incident reporting and handling procedures, lack of security control of e-commerce, lack of security control over off-site work.

Electronic data: lack of information security rules for external parties, lack of security control of the general office environment, lack of control of written operating procedures, lack of network security management, lack of security management of data exchange, lack of system monitoring, logging and related audit trails, lack of data security management, lack of protection and management of physical assets, lack of planning and acceptance procedures for information system access, lack of security management of information system access, lack of security management of information system development, lack of security control of service access, lack of information security incident reporting and handling procedures, lack of security control of e-commerce.

Written documents: lack of information security rules for external parties, lack of security control of the general office environment, lack of control of written operating procedures, lack of security management of data exchange, lack of system monitoring, logging and related audit trails, lack of data security management, lack of protection and management of physical assets, lack of security control of service access, lack of security management of controlled areas, lack of information security incident reporting and handling procedures.

A threat is the potential for harm or loss to the organization, whether accidental or intentional, man-made or a natural disaster. Assets are exposed to many threats, and a threat does its damage by exploiting a vulnerability. Threats can be divided into natural disasters, man-made threats and non-man-made threats; threat identification lists the possible threats for each asset. For each asset category identified, list all the corresponding threats, in the following order:

Personnel: ignorance, greed, coercion, inertia, lack of manpower, inattention, negligence, infectious disease.

Hardware: destruction, theft, disaster, failure, damage.

Software: illegal use, error, tampering, delay, invalidation, damage, forgery.

Electronic data: theft, leakage, error, tampering, damage, forgery.

Written documents: leakage, theft, tampering, forgery, loss, damage.

5. Calculating the risk weight of information assets

Combining the information asset value (Table 5, asset value rating table), the weakness weight (Table 6, weakness value determination table for electronic data and similar categories), the threat weight (Table 7, threat value determination table) and other factors, the risk assessment of an information asset shows and quantifies the degree of risk it faces, which serves as the basis for selecting control measures. The risk weight is calculated as:

Risk weight of information asset = value of information asset × weakness weight × threat weight

According to this calculation model, the minimum risk weight is 1 and the highest is 27.

Table 6 Weakness value determination table (electronic data and similar categories)

Table 7 Threat value determination table

Taking into account the existing control mechanisms and asset characteristics, the following definitions are made:

6. Risk management assessment

After the results of the risk assessment have been compiled, a management review meeting is held to discuss and decide on the acceptable risk value. Assets whose risk weight is below this value are regarded as low risk, that is, acceptable risk. Information assets whose risk weight is above the acceptable risk value must undergo risk treatment. Risk treatment methods fall into the following four types:

Risk reduction: put effective internal control measures in place in the relevant control areas in order to lower the risk value.

Risk transfer: reduce the risk by passing it on, for example by buying insurance to cover the loss.

Risk avoidance: replace the asset with an alternative or another asset. If this approach is adopted, the feasibility and the risk value of the alternative must be reassessed; it is only worthwhile when the alternative carries lower risk.

Risk acceptance: when none of the above three methods can be applied, management may decide to accept the risk.
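As an added example (not code from the original article), the following Python puts the method of sections 2, 5 and 6 into working code: asset value as the maximum of the confidentiality, integrity and availability evaluations, risk weight as asset value × weakness weight × threat weight, and a comparison against the acceptable risk value fixed by the management review. The inventory, all scores and the acceptable risk value are constructed assumptions, because the page's Tables 1 to 7, which define how each score is chosen, are not reproduced here.

```python
from dataclasses import dataclass

# All scores use the page's three-level scale: 1 = low, 2 = medium, 3 = high.
# The rating tables (Tables 1-7) are not reproduced on the page, so every score
# below is an illustrative assumption, not a value taken from the source.
LEVELS = (1, 2, 3)


@dataclass(frozen=True)
class Asset:
    name: str
    category: str         # personnel, hardware, software, electronic data, written documents
    confidentiality: int  # confidentiality evaluation, 1..3
    integrity: int        # integrity evaluation, 1..3
    availability: int     # availability evaluation, 1..3
    weakness: int         # weakness weight (Table 6), 1..3
    threat: int           # threat weight (Table 7), 1..3

    def __post_init__(self):
        # Reject out-of-scale scores early; a 0 or 4 would silently skew the ranking.
        for field in ("confidentiality", "integrity", "availability", "weakness", "threat"):
            if getattr(self, field) not in LEVELS:
                raise ValueError(f"{self.name}: {field} must be 1, 2 or 3")


def asset_value(asset: Asset) -> int:
    """Asset value = max(C, I, A): the highest of the three evaluations (section 2)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def value_label(asset: Asset) -> str:
    """Label by value level (section 3): red for high, a coloured label for medium, none for low."""
    return {3: "high (red label)", 2: "medium (coloured label)", 1: "low (no label)"}[asset_value(asset)]


def risk_weight(asset: Asset) -> int:
    """Risk weight = asset value x weakness weight x threat weight (section 5); range 1..27."""
    return asset_value(asset) * asset.weakness * asset.threat


def needs_treatment(asset: Asset, acceptable_risk: int) -> bool:
    """Risk above the acceptable value set by management review must be treated (section 6)."""
    return risk_weight(asset) > acceptable_risk


def build_register(assets, acceptable_risk: int):
    """One row per asset, highest risk first, flagging the assets that need treatment."""
    rows = [
        {
            "name": a.name,
            "category": a.category,
            "value": asset_value(a),
            "label": value_label(a),
            "risk": risk_weight(a),
            "treat": needs_treatment(a, acceptable_risk),
        }
        for a in assets
    ]
    return sorted(rows, key=lambda r: (-r["risk"], r["name"]))


# Constructed inventory with assumed scores (not from the page).
INVENTORY = [
    Asset("customer database backup", "electronic data", 3, 3, 2, 2, 3),
    Asset("core application server", "hardware", 2, 2, 3, 2, 2),
    Asset("payroll application", "software", 3, 3, 2, 1, 2),
    Asset("outsourced developer", "personnel", 2, 1, 1, 2, 2),
    Asset("user manual", "written documents", 1, 1, 1, 1, 1),
]

ACCEPTABLE_RISK = 8  # assumed value decided at the management review meeting


if __name__ == "__main__":
    print("risk value action  category           asset")
    for row in build_register(INVENTORY, ACCEPTABLE_RISK):
        action = "treat" if row["treat"] else "accept"
        print(f'{row["risk"]:>4} {row["value"]:>5} {action:<7} {row["category"]:<18} '
              f'{row["name"]} [{row["label"]}]')
```

With these assumed scores the database backup (3 × 2 × 3 = 18) and the application server (3 × 2 × 2 = 12) exceed the acceptable risk of 8 and go to risk treatment, while the outsourced developer sits exactly at 8 and is accepted; note that a single score of 3 in any one of C, I or A is enough to make the asset value 3, which is what the max rule is meant to capture.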

Corresponding related table
