<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; Risk Assessment</title>
	<atom:link href="http://infosecminds.com/tag/risk-assessment/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Wed, 05 May 2010 07:29:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Assessing C-I-A values.</title>
		<link>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/</link>
		<comments>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 09:31:44 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[asset values]]></category>
		<category><![CDATA[C-I-A]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=195</guid>
		<description><![CDATA[It is a common discussion during an information security risk assessment exercise at most organizations. As a general practice the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument always [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">It is a common discussion during an information security risk assessment exercise at most organizations. As a general practice the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument has always been that C-I-A values can be assessed for information assets only, and that for all others it should just be the availability value.</p>
<p style="text-align: justify;"><span id="more-195"></span>Now, let’s look at the definition of information assets. Information assets are basically data that is in transit or at rest, and also data that is available on paper. With this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:</p>
<p style="text-align: justify;">A contract document is an information asset; or take the file server in an organization, where the “data” on the file server is the information asset. How much impact would the organization suffer if the information in the document were exposed to unauthorized persons? If the impact is low, the confidentiality value is low, and if the impact is high, the confidentiality value is high. The same applies to integrity and availability: if the impact of losing integrity or availability is high, it is rated high, otherwise low. After determining the C-I-A values, the asset value is derived either by taking the highest value or with some simple calculation.</p>
<p style="text-align: justify;">Let’s consider the C-I-A values for a hardware asset. The confidentiality value of a hardware asset is derived from the information it holds, and hence I feel there would be duplication if we considered the confidentiality value here. We are considering the hardware asset as a whole, and hence the integrity of the server is not applicable here. Availability is the value we need to consider for a hardware asset.</p>
<p style="text-align: justify;">As we have looked into the hardware asset, the same applies to software and service assets. Now let us look at the people asset.</p>
<p style="text-align: justify;">If we try to consider the C-I-A values of a person, let’s say the CEO of the organization, yes, he has confidential information. But how do we assess the confidentiality value? It is hard to determine the information he is holding in his memory, and it may also be varying constantly. This means you cannot determine the “C” as either high or low at a given point in time. I am not quite sure about the integrity aspect, and coming down to the availability value, this definitely needs to be assessed.</p>
<p style="text-align: justify;">Again, the availability value of a people asset, in my view, should always be set to high, irrespective of designation, age, gender etc. Why?</p>
<p style="text-align: justify;">Controls are implemented based on the derived risk value. Risk value is proportionate to the asset value, which means if the asset value increases, so does the risk value. In this context, let us take an example:</p>
<p style="text-align: justify;">Contract document (Information Asset): C-I-A value 5 × Threat 3 × Probability 3 = 45 (Risk Value)</p>
<p style="text-align: justify;">IT Manager (People Asset): A value 3 × Threat 3 × Probability 1 = 9 (Risk Value)</p>
<p style="text-align: justify;">In the above scenario, the information asset has a risk value higher than the people asset. If a fire breaks out in the organization, which of these assets will be better protected or rescued? People will always be considered first during a disaster, and hence the asset value of people should always be rated high. You may then ask: if we already know that people come first, why should we even consider listing the people asset in the risk assessment exercise? Well, your thoughts?</p>
<p style="text-align: justify;">I would even question why we need to consider hardware, software and service assets for the assessment at all, because all their values are in any case dependent on the information they hold or transmit.</p>
<p style="text-align: justify;">Your thoughts again.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CISF Security at Infosys</title>
		<link>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/</link>
		<comments>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 09:07:51 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=146</guid>
		<description><![CDATA[In recent news, Infosys becomes the first private company to get CISF security. I have also been reading in yet another blog about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In recent news, Infosys becomes the first private company to get CISF security. I have also been reading in yet another <a href="http://vagrasala.wordpress.com/2009/07/01/beyond-fire-mock-drills-to-terrorist-attack-mock-drills/">blog</a> about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about the frisking of VIPs at airports, the exception mentioned there is an age-old rule that was implemented when terrorism was not a major concern.</p>
<p style="text-align: justify;"><span id="more-146"></span></p>
<p style="text-align: justify;">It is important for every organization to carry out risk assessments constantly to ensure that they are protected from new threats. Today terrorism has become a major threat for organizations as well, and hence organizations definitely need to include terrorism as a threat in their risk assessment exercise.</p>
<p style="text-align: justify;">A regular risk assessment exercise not only helps in identifying and protecting against the latest threats, but also revisits the processes and controls that were defined and implemented years ago. Though those processes and controls might be working well, they might not cover the risks due to the latest threats, and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.</p>
<p style="text-align: justify;">Hence organizations are encouraged to have the risk assessment exercise as an annual activity, and also whenever there is a major change within the organization. It is also important to keep a tab on new threats that need to be included in the risk assessment exercise.</p>
<p style="text-align: justify;">Now the next question that arises is: what are the risks of having armed CISF security personnel on the campus?</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Depth of Control Implementation</title>
		<link>http://infosecminds.com/2009/03/10/depth-of-control-implementation/</link>
		<comments>http://infosecminds.com/2009/03/10/depth-of-control-implementation/#comments</comments>
		<pubDate>Tue, 10 Mar 2009 06:38:27 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Controls Implementation]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[ISO 27001:2005 control implementation]]></category>
		<category><![CDATA[Risk Assessment]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=99</guid>
		<description><![CDATA[Discussing with various personnel, it is quite amazing to see each one come up with their own way of interpreting controls and to what depth each control needs to be implemented. I would like to illustrate a discussion that I had recently. The standard too does not talk about this and it is left to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">Discussing with various personnel, it is quite amazing to see each one come up with their own way of interpreting controls and to what depth each control needs to be implemented. I would like to illustrate a discussion that I had recently. The standard too does not talk about this, and it is left to the person who implements and to the auditor to decide how they want to look at the implementation effectiveness.</p>
<p style="text-align:justify;">Up until now, some of the aspects that we look into while implementing a control are as mentioned below:</p>
<ol style="text-align:justify;" type="1">
<li>Is the control implementation cost less than or equal to loss of the damage a threat could cause to an organization?</li>
<li>Does the control implementation enable process improvements?</li>
<li>Is the control implementation required as a part of legal, regulatory or contractual requirements?</li>
</ol>
<p><span id="more-99"></span></p>
<p style="text-align:justify;">The effectiveness of each control that we implement should ensure that the risk is mitigated; for those risks where a control is not available or cannot be implemented (for various reasons), the risk is considered a residual risk. How does an organization determine the depth of a control implementation?</p>
<p style="text-align:justify;">Let me give you an example from the recent discussion. One of the organizations was planning to roll out their tele-working process and hence wanted to know the security controls that could be implemented. After a long discussion, all of them agreed on controls such as encryption of the disks and that users should store their data in a particular folder which would automatically get backed up when they connect to the organization network; biometric authentication is in the pipeline, and that closed the discussion.</p>
<p style="text-align:justify;">The trigger for a debate came up when one of the stakeholders raised the point of having a physical lock for the laptop, which would ensure that the laptop cannot be stolen, or at least delays or deters a malicious person from stealing the laptop. The other members said that the physical lock was not required and that the laptop user should take care of his/her laptop.</p>
<p style="text-align:justify;">Here the question is to what depth that control should have been implemented. I look at the following points, which say why we should implement the physical lock for the computer:</p>
<ol style="text-align:justify;" type="1">
<li>The location where data is stored on the laptop is up to the user. He/she can store it either in the folder that gets backed up automatically or elsewhere, where it will not get backed up. This is user driven.</li>
<li>The data stored in other locations could be critical to the organization, and the storage cannot be monitored all the time.</li>
<li>The drive is encrypted, so the data cannot get exposed. But the intent of certain malicious persons is not only data theft; it is destruction of data or destruction of service.</li>
<li>So if the laptop is stolen, what is the amount of time required for the user to get back to his/her normal work with all of the data restored?</li>
<li>Will all the data be restored?</li>
<li>Of course, the cost of the laptop needs to be considered.</li>
</ol>
<p style="text-align:justify;">&#8220;I would recommend that a dependency on a user to ensure security&#8221; should only be done in the following two cases: </p>
<ol style="text-align:justify;" type="1">
<li>If the cost of the control is more than the loss that the damage from a threat could cause.</li>
<li>If there are no further controls that can be implemented after that particular point.</li>
</ol>
<p style="text-align:justify;">The first point is clear, as everyone is aware of it. Let us relate the second point to the example above. By implementing the physical lock, we are not transferring the responsibility of securing the laptop from theft to the user; we have implemented a control to take care of that. But it is still the choice of the user to either lock the laptop or leave it unlocked. Now we can transfer the responsibility to the user, because I cannot see any other control that can be implemented after the physical lock.</p>
<p style="text-align:justify;">Looking forward to your responses.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/03/10/depth-of-control-implementation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
