Now, let’s look at what is the definition of information assets. Information assets are basically data that is in transit or at rest and also that are available on papers. Having this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:

Contract documents is an information asset or let’s take the file server in an organization, the “data” in the file server is an information asset. How much impact the organization would have, if the information in the document is exposed to unauthorized persons..? – if the impact is less, confidentiality value is less and if the impact is high, confidentiality value is high. Similarly, this is applicable for Integrity and Availability. If the impact is high by losing the integrity or availability, it will be rated high or else low. After determining the C-I-A values the asset value is derived by either taking the highest value or with some simple calculations.

Let’s consider the C-I-A values for a hardware asset. The confidentiality value of the hardware asset is derived by the information that it holds and hence I feel that there would be duplication if we consider the confidentiality value here. We are considering the hardware asset as a whole and hence integrity of the server is not applicable here. Availability value is what we need to consider for an hardware asset.

As we have looked into the hardware asset, the same applies to software and service assets. Now let us look at the people asset.

If we are trying to consider the C-I-A values of a person, let’s say the CEO of the organization, yes he has confidential information. But how do we assess the confidentiality value? It is hard to determine the information that he is holding in his memory and it might also be varying constantly. Which means you cannot determine the “C” either as high or low at given point in time. I am not quite sure about the integrity aspect and coming down to the availability value; this definitely needs to be assessed.

Again, the availability value of people asset according to me should always be set to high, irrespective of his designation, age, gender etc. Why?

Controls are implemented based on the derived risk value. Risk value is proportionate to the asset value, which means if the asset value increases, so does the risk value. In this context, let us take an example:

Contract document (Information Asset) C-I-A = 5 * Threat = 3 * Probability = 3 = 45 (Risk Value)

IT Manager (People Asset) A = 3 * Threat = 3 * Probability = 1 = 9 (Risk Value)

In the above scenario, the information asset has a risk value higher that the people asset. If there is a fire break out in the organization, which of these assets will be well protected or rescued? People will always be considered first during a disaster and hence the asset value of people should always be rated as high. In this case you may ask, we already know that people is first, then why should be even consider listing people asset in the risk assessment exercise? Well, Your thoughts

I would even look to see why we need to consider hardware, software and service assets for the assessment, because all the values are anyway dependent on the information it holds or transmits.

Your thoughts again.

Once while driving through a technology park, I was stopped by a couple of security personnel and they requested me to open the boot of my car and there was the second one running a mirror underneath my car and looking at something. Since the amount of different car models that I has come out in market, I assumed that the bottom  of every car must be different and out of curiosity, I just enquired with the security personnel, as to what is he looking for and you will be amazed with the answer. “I am not sure sir, they have asked me to check and I am checking”.

In the meantime, the one who was checking the boot of the car just opened up the spare wheel compartment and looked around and closed the boot. Assuming they might be checking for placement of some car bombs, are those the only areas where you can place a bomb..? If not, what is the purpose of this check..? Are we not just wasting time and resources..?

In a similar incident, I was attending a training which was held in one of the hotels. I have attended many training here and have never seen any security checks happening. This time as I drove through, similar to the above scenario one was checking something underneath and the other checking the boot. I had four day training and they did this to me for all the three days and on the fourth day when one of the security personnel was beginning to check, the other shouts at him, “it is fine, please let Sir pass by”. That ended the effectiveness of a security control. Since I did not question him for the three days of checking, he might have sort of built a trust in me and by-passed the control.

So if one passes through a security channel couple of times and obeys the security personnel, he/she has a high chance of been let in without passing through a security channel. This could be one reason for some of the breaches that are happening across the globe.

In a recent visit using the air transport, I was really bugged with a series of security check which made me remove my waist belt all the time and nothing else. Now I think back and try to understand, why security is so annoying to the non-security professionals.

During the trip at one of the airport during departure, I had to pass through a four metal detector at different locations and all the four times the detector would beep at my waist belt. I had to remove the same and place it on the luggage scanner and then pass through the metal detector again. I could see this happening with 90% of the passengers passing through that metal detector and every lounge you go, I could find passengers busy putting back their waist belts, including myself.

What is more annoying is that the same does not happen while I visit a shopping mall equipped with metal detectors. In fact at shopping malls, I have never heard the metal detectors beep even once, for any reason. Anything passing by the detectors, allows it to go through. So what are we trying to implement is a deterrent control using a tool that can help in preventive control.

In looking at both the scenarios of over or under implementation of controls, it is necessary that the authorized personnel take adequate steps to calibrate the equipments on a timely basis and cause minimum impact on the public. It should not reach a situation where human beings are sent through the luggage scanner just because the metal detectors beeps even after complete striping.

The Parkerian Hexad attributes are the following:

• Confidentiality
• Possession or Control
• Integrity
• Authenticity
• Availability
• Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

I think I don’t require to provide the explanation of C-I-A here. Let’s look at the other attributes.

Possession or Control

Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

Authenticity

Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).

What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant’s tax code in a field labeled as the merchant’s ZIP code would violate the authenticity of the information.

Utility

Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.

Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

Source: www.wikipedia.org

Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above 3 attributes.

It is important for every organization to constantly carry out risk assessment in their organizations to ensure that they are protected from new threats. Today terrorism has become a major threat for organizations as well and hence it is definitely required for organizations to include terrorism as a threat in their risk assessment exercise.

A constant risk assessment exercise does not only help in identifying and protecting against the latest threats, but also looks into the processes and controls that was defined and implemented years ago. Though the processes and controls might be working well, it might not include the risks due to the latest threats and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.

Hence organization are encouraged to have the risk assessment exercise as an annual activity and also when there is a major change within the organization. It is also important to keep a tab on the new threats that need to be included in their risk assessment exercise.

Now the next arising question is, what are the risks of having these armed CISF securities in the campus?

Now does that apology mean that Continental Airlines will not frisk any VIP’s in future while they board the flight..? I see a security concern here.

Not having the VIP’s frisked before boarding the flight is a security hole, nevertheless these people are always surrounded with guards and they move with apt protection. But these people (if found an opportunity) could be utilized in carrying materials (those prohibited in flight) to be taken very easily, which will pass them through all sorts of check without any objection.

The materials can be put into the VIP’s pockets or hand baggage without his/her notice or he/she could be threatened to carry some stuff, which he/she might not be able to disclose. This can be done since this is a known security hole.

Now the next concern is the rule that says

“Indian laws exempt dignitaries like former presidents, ex-PMs, Chief Justice of India and even Robert Vadra from being frisked at airports.” – quote TimeofIndia.

Suppose, lets say the law of the country where the airline is flying too (destination) is stringent and has ordered the airline to frisk all passengers boarding that flight. Now if there would have been an incident mid-air, who would take up the responsibility..?

In this scenario, does the airline follow the rule of the country currently landed at OR the rule to which the airline will be flying?

Your thoughts.