In this sample chapter, IT security expert Donald Pipkin addresses the resource inventory aspect of information security.
Forty-three percent of companies surveyed don't take the basic step of classifying their data into security categories.2
A resource is something that has value to the organization and which, if lost or damaged, would cause a loss to the organization as a whole. Resources are more than just assets; they include employees, infrastructure, relationships with customers or partners, and corporate reputation.
All of these resources have security requirements that vary with the importance of the particular resource. Before proper security measures can be applied, however, the company's resources must be identified, and the value of each to the company, and the cost should it be disclosed or destroyed, must be assigned. A complete inventory of company resources is required to know what the company needs to protect. All major information resources must be accounted for and have a designated owner and a security classification.
A comprehensive documentation of resources is required to appropriately evaluate the level of security necessary to protect the organization.
The first step is to identify the organization's information resources. This will determine the scope of the security evaluation. In theory, all of the organization's information resources would be considered. However, constraints of time, money, and area of responsibility often limit the evaluation.
The various assets and security processes associated with each individual system should be identified and clearly defined. The responsible individual for each information asset and for each specific security process should be agreed upon and the responsibility documented; authorization or approval levels for any changes should also be defined and documented.
Every asset should be clearly defined. These include information and processes as well as physical assets. Often these assets can be put into logical groupings of closely associated information and processes. These asset groups can then be managed as a single asset.
Defining information resources at the appropriate level is a task that requires experience with the information. Data items that are always used together as a unit of information can be considered a single information resource. It is safest to evaluate the information at the data element level. After the elements have been evaluated, they can be aggregated to simplify administration. These aggregates must be clearly defined and equivalent to the sum of their parts: grouping is an administrative convenience, so the protection applied to a group must satisfy the requirements of every element within it.
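As an added illustration (not from the chapter), the following Python sketch models the two rules above: every data element must carry an owner and a classification before it can be inventoried, and a logical group inherits the strictest classification among its elements so that aggregation never weakens protection. The classification scale, the high-water-mark rule for groups, and the sample elements are assumptions made for the example; the chapter does not prescribe them.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordered classification scale (assumed; the chapter does not define one).
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]


@dataclass
class Element:
    """One data item evaluated on its own, at the data element level."""
    name: str
    owner: Optional[str]
    classification: Optional[str]


@dataclass
class Aggregate:
    """A logical grouping of elements managed as a single resource."""
    name: str
    owner: str
    elements: List[Element] = field(default_factory=list)


def validate(elements: List[Element]) -> List[str]:
    """Report elements lacking a designated owner or a recognised classification."""
    problems = []
    for e in elements:
        if not e.owner:
            problems.append(f"{e.name}: no designated owner")
        if e.classification not in LEVELS:
            problems.append(
                f"{e.name}: missing or unknown classification {e.classification!r}"
            )
    return problems


def aggregate_classification(agg: Aggregate) -> str:
    """Classification of a group: the highest level among its members.

    Grouping only simplifies administration; it must never lower the
    protection any member requires, so the group takes the strictest label
    (assumed high-water-mark rule). Unevaluated members block aggregation.
    """
    problems = validate(agg.elements)
    if problems:
        raise ValueError(f"{agg.name} cannot be aggregated: " + "; ".join(problems))
    return max((e.classification for e in agg.elements), key=LEVELS.index)


def unaccounted(all_elements: List[Element], aggregates: List[Aggregate]) -> List[str]:
    """Names of elements that appear in no aggregate, i.e. not yet accounted for."""
    grouped = {e.name for agg in aggregates for e in agg.elements}
    return [e.name for e in all_elements if e.name not in grouped]


# Constructed sample inventory (illustrative data, not from the chapter).
NAME = Element("customer_name", "Sales", "INTERNAL")
ADDRESS = Element("customer_address", "Sales", "INTERNAL")
CARD = Element("card_number", "Finance", "RESTRICTED")
PRICE_LIST = Element("price_list", "Marketing", "PUBLIC")
DRAFT_SPEC = Element("draft_spec", None, None)  # owner and label never assigned

# Name, address and card number are always used together, so they form one resource.
CUSTOMER_RECORD = Aggregate("customer_record", "Sales", [NAME, ADDRESS, CARD])

if __name__ == "__main__":
    print(aggregate_classification(CUSTOMER_RECORD))  # RESTRICTED, driven by card_number
    print(validate([DRAFT_SPEC]))
    print(unaccounted([NAME, ADDRESS, CARD, PRICE_LIST, DRAFT_SPEC], [CUSTOMER_RECORD]))
```

Running the script shows the customer record classified as RESTRICTED even though two of its three elements are only INTERNAL, and lists the draft specification both as failing validation and as not yet placed in any group, which is exactly the gap an inventory review is meant to expose.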
Many organizations have proprietary processes and information embodied in the algorithms and software they have created, and these need to be adequately protected. In many of the process industries, it is the process more than the data that is unique and has value to the company. These processes must first be identified and inventoried.
Purchased software is a significant investment for most organizations. It needs to be accounted for so that, if it is stolen, an appropriate value can be determined. Adequate software inventories are also necessary to demonstrate that the organization is meeting the contractual requirements set out in the license agreement for each software package.
Physical assets are usually already inventoried, with their value and owner defined. Use this existing information when it is available. Information system equipment, however, also needs to be evaluated for the costs associated with its unavailability, so that appropriate risk reduction plans can be created.
2 PricewaterhouseCoopers, "Global Security Survey," Information Week, 1998.