Identifying Digital Assets
When presented with the term asset identification, most IT folks think of asset management, or asset tracking, in the literal sense of the term. Although tracking physical assets is important, organizations rarely take the time to identify or quantify the value of their digital assets at any useful granularity. For example, an e-commerce delivery system might comprise a dozen Web servers, a few database servers, a merchant gateway, and various pieces of supporting infrastructure equipment. Let's say that a sample medium-sized e-commerce deployment of this kind runs around $400,000 in hardware. The machines and systems themselves have a book value that is easy enough to calculate. More difficult to identify are the costs of a site-wide outage: one would have to calculate hourly or daily revenue losses, the expenses incurred in responding to the problem, and any other outage-based costs.
Drilling a little deeper into our example, let us also suppose that the customer records and the purchasing trend data for this e-commerce initiative are stored on a single, internal database server. Again, the financial value of the hardware is easy enough to identify and record. But what happens when that server is compromised and its data is leaked to the public? Some less tangible, but very important, items are then at risk: consumer confidence, industry reputation, and perhaps even legal liability. So the value of the server, and of the data on it, might be a lot higher than what was initially thought.
Why does this matter? Back to the concept of managing risks. In an ideal world, every server, network device, and piece of data would be sufficiently protected. Unfortunately, we don't live in that world. In reality we have to choose our battles wisely, because there are only a finite number of them that we can fight. By identifying key assets and protecting those assets first, organizations can maximize the effectiveness of their risk mitigation efforts.
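As an added worked example (not from the book or its authors), the following Python models the valuation described above and shows how ranking assets by total exposure, rather than by hardware book value, changes which systems get protected first. Every asset name and dollar figure is a constructed assumption chosen for the illustration, not a measurement from any real deployment.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class DigitalAsset:
    """One system plus the data it holds, valued beyond its hardware book value.

    All dollar figures are assumptions chosen for the illustration, not
    measurements from any real deployment.
    """
    name: str
    hardware_value: float         # book value of the machines themselves
    hourly_revenue_loss: float    # revenue lost for each hour the asset is down
    expected_outage_hours: float  # assumed downtime if the asset fails or is compromised
    response_cost: float          # staff, vendor and recovery expenses per incident
    breach_cost: float = 0.0      # estimated cost if the data leaks: liability, lost confidence

    def outage_cost(self) -> float:
        """Cost of one outage: revenue lost over the downtime plus the response bill."""
        return self.hourly_revenue_loss * self.expected_outage_hours + self.response_cost

    def total_exposure(self) -> float:
        """What the organization actually stands to lose, not just the hardware value."""
        return self.hardware_value + self.outage_cost() + self.breach_cost


def rank_by_book_value(assets: List[DigitalAsset]) -> List[DigitalAsset]:
    """The ordering a hardware inventory gives you: most expensive box first."""
    return sorted(assets, key=lambda a: a.hardware_value, reverse=True)


def rank_by_exposure(assets: List[DigitalAsset]) -> List[DigitalAsset]:
    """The ordering risk management wants: largest potential loss first."""
    return sorted(assets, key=lambda a: a.total_exposure(), reverse=True)


def protect_first(assets: List[DigitalAsset], fronts: int) -> List[str]:
    """Names of the assets to defend when you can only fight `fronts` battles."""
    return [a.name for a in rank_by_exposure(assets)[:fronts]]


# Constructed inventory loosely following the chapter's e-commerce example.
# The customer database is cheap hardware but holds the customer records.
SAMPLE_INVENTORY = [
    DigitalAsset("web-farm",         300_000, 5_000,  8, 20_000),
    DigitalAsset("merchant-gateway",  50_000, 5_000,  8, 15_000),
    DigitalAsset("customer-db",       40_000, 5_000, 24, 30_000, breach_cost=1_500_000),
    DigitalAsset("dev-workstation",    3_000,     0,  0,    500, breach_cost=50_000),
]


if __name__ == "__main__":
    print("By book value:", [a.name for a in rank_by_book_value(SAMPLE_INVENTORY)])
    print("By exposure:  ", [a.name for a in rank_by_exposure(SAMPLE_INVENTORY)])
    for a in rank_by_exposure(SAMPLE_INVENTORY):
        print(f"{a.name:18s} hardware ${a.hardware_value:>10,.0f}"
              f"  exposure ${a.total_exposure():>12,.0f}")
    print("Protect first:", protect_first(SAMPLE_INVENTORY, 2))
```

Ranked by hardware alone, the $40,000 customer database sits third behind the Web farm and the merchant gateway. Once the longer expected outage and a breach of the customer records are priced in, it ranks first and the $300,000 Web farm second, which is the ordering the "protect key assets first" argument calls for.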
Readers should note that entire books have been written on asset identification and data value classification, and how they relate to overall risk analysis. Although many areas of true risk analysis are outside the scope of this book, there are some basic areas to look at in the IT field that can help you get started. For example, the following are often classified as "high value":
- Payroll information
- Research and development data
- Source code
- Marketing strategies
- Financial systems
- Sales information
- Customer data
- Financial reports
- Miscellaneous proprietary data
Remember, certain data, and certain systems, are more critical than others. It is up to the security officers and the business to determine which systems and data are the most valuable. Choose your battles wisely: if you can only wage war on a few fronts, make sure they are the fronts that really count.
Brooke Paul, one of the contributing authors of this book, wrote an introduction to Risk Assessment for Network Computing that readers might find useful. It can be found at: http://www.networkcomputing.com/1121/1121f3.html