Now why would somebody read a confidential document during his commute to office on a public transport? Did the classification serve any purpose..? I was getting curious about this and asked him “any urgent review going on…?” He said, “No, why”..? I said, I could see the document classified “Confidential”. He has his explanation as “It is just an old document, maybe sometime in 2006”. Well why the document not re-classified if it was old…?

Urgency is one big enemy of security and so is labeling to a certain extent.

In another instance, there was an organization which has many branch offices and they have physical mail that is exchanged between these branch offices. However the recommendation for exchanging documents that was classified as “Top Secret” was to put the document into an envelope and label that as “Top Secret” and then put that envelop into another one and label it as “Personal”. The classification levels in this organization were first “Top Secret” and then “Confidential”. Now how would this serve the purpose?

The mails are exchanged through outsourced mailman (or even it would have been an internal employee) and the mailman would be curious with the label Personal itself. Once he intends to open it, he will be more curious or happy since it to be labeled “Top Secret”.

Do we need to restrict labeling for physical documents that reside within the organization premises only..?

For example: in the first instance, what if the person removed the label and printed the document. I would not even bother to look into the document that he was reading and have a conversation about this with him.

In the second instance, as far as the document is moving from one office to another, remove the label and deliver it personally (I meant only for “Top Secret” document). Once it is in the destination office, can’t it be labeled back..?

I feel that labeling of physical documents should be primarily used just for identifying the way it can be stored and protected and not while in physical transit. Let me know your views.

Now, let’s look at what is the definition of information assets. Information assets are basically data that is in transit or at rest and also that are available on papers. Having this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:

Contract documents is an information asset or let’s take the file server in an organization, the “data” in the file server is an information asset. How much impact the organization would have, if the information in the document is exposed to unauthorized persons..? – if the impact is less, confidentiality value is less and if the impact is high, confidentiality value is high. Similarly, this is applicable for Integrity and Availability. If the impact is high by losing the integrity or availability, it will be rated high or else low. After determining the C-I-A values the asset value is derived by either taking the highest value or with some simple calculations.

Let’s consider the C-I-A values for a hardware asset. The confidentiality value of the hardware asset is derived by the information that it holds and hence I feel that there would be duplication if we consider the confidentiality value here. We are considering the hardware asset as a whole and hence integrity of the server is not applicable here. Availability value is what we need to consider for an hardware asset.

As we have looked into the hardware asset, the same applies to software and service assets. Now let us look at the people asset.

If we are trying to consider the C-I-A values of a person, let’s say the CEO of the organization, yes he has confidential information. But how do we assess the confidentiality value? It is hard to determine the information that he is holding in his memory and it might also be varying constantly. Which means you cannot determine the “C” either as high or low at given point in time. I am not quite sure about the integrity aspect and coming down to the availability value; this definitely needs to be assessed.

Again, the availability value of people asset according to me should always be set to high, irrespective of his designation, age, gender etc. Why?

Controls are implemented based on the derived risk value. Risk value is proportionate to the asset value, which means if the asset value increases, so does the risk value. In this context, let us take an example:

Contract document (Information Asset) C-I-A = 5 * Threat = 3 * Probability = 3 = 45 (Risk Value)

IT Manager (People Asset) A = 3 * Threat = 3 * Probability = 1 = 9 (Risk Value)

In the above scenario, the information asset has a risk value higher that the people asset. If there is a fire break out in the organization, which of these assets will be well protected or rescued? People will always be considered first during a disaster and hence the asset value of people should always be rated as high. In this case you may ask, we already know that people is first, then why should be even consider listing people asset in the risk assessment exercise? Well, Your thoughts

I would even look to see why we need to consider hardware, software and service assets for the assessment, because all the values are anyway dependent on the information it holds or transmits.

Your thoughts again.

The Parkerian Hexad attributes are the following:

• Confidentiality
• Possession or Control
• Integrity
• Authenticity
• Availability
• Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

I think I don’t require to provide the explanation of C-I-A here. Let’s look at the other attributes.

Possession or Control

Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

Authenticity

Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).

What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant’s tax code in a field labeled as the merchant’s ZIP code would violate the authenticity of the information.

Utility

Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.

Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

Source: www.wikipedia.org

Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above 3 attributes.

It is important for every organization to constantly carry out risk assessment in their organizations to ensure that they are protected from new threats. Today terrorism has become a major threat for organizations as well and hence it is definitely required for organizations to include terrorism as a threat in their risk assessment exercise.

A constant risk assessment exercise does not only help in identifying and protecting against the latest threats, but also looks into the processes and controls that was defined and implemented years ago. Though the processes and controls might be working well, it might not include the risks due to the latest threats and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.

Hence organization are encouraged to have the risk assessment exercise as an annual activity and also when there is a major change within the organization. It is also important to keep a tab on the new threats that need to be included in their risk assessment exercise.

Now the next arising question is, what are the risks of having these armed CISF securities in the campus?

In a normal scenario, everyone uses a template that captures assests under different cateogories, viz

• Information Asset – deals with electronic and paper based data
• Hardware Asset – includes all your hardware, cupboards, safe, etc
• Software Asset – includes all software’s used or implemented in the organization.
• Service Asset – services that a department avails from the organization
• People Asset – talks about people / employees

 Now the discussion went like this:

 We capture service assets and also get the availability value of that asset from each department to determine the asset value. Now, a disruption in service is caused to one or more of the following:

• A failure of hardware
• A failure of software
• A failure of people

One or more of the above failures will cause a service disruption and we are already capturing the availability values of these parameters under hardware asset, software asset and people asset respectively.

The question arise was is it not a duplication of effort and capturing of availability value in the above case. If yes, why do we do this?

Now in security perspective:

1. Hardware is identified / recorded only if the end user has a direct interaction wit that server. For example: File Server
2. If it is a service availed by the end user, he/she is unaware of hardware that is used for providing that service. Hence he will only term that as an service and will not be captured as a part of hardware asset.
3. When it comes to the IT department, they will identify all the hardware that is available under their control. Now they will identify the hardware, but will be unable to determine the availability parameter of the service provided through that hardware from a business perspective.

Hence it is required to capture the service assets from various departments while we carry out a function based risk assessment exercise.

Further, it is not only about failures that are looked into while capturing the service assets. As a part of the control recommendations, based on the inputs from various user departments, it could also be possible that the recommendation will be to provide the service on a fail over module or utilize and load balancer etc.

Now, looking at the other aspect of capturing service assets would be to understand the services availed from the organization, where, the organization has procured it from a third party. For example: An internet connection from the ISP.

We will not be capturing the hardware, software or people asset outside our organization, but still will be using a particular service. There might be one piece of asset that is connecting between the organization and the ISP, but after that we have no controls. Hence we will require to capture the service assets which will help in defining SLA’s with the vendors and procure adequate service.

 Looking forward for your thoughts.