Identifying the assets
What am I trying to protect?
Part of a risk analysis involves identifying all things that need to be protected. Some things are obvious, like the various pieces of hardware or cardholder data. Others are apt to be overlooked, such as people who actually have access to the systems. It is essential to list all things that could be affected by a security problem or potential threat. A list of categories should include:
1. Data. Stored online, archived off-line, backups, audit logs, databases, in transit over a communication medium, during execution, and during delivery (physical or otherwise). This can include cardholder data, merchant-specific data, ACH files, contract information, rate information, contact information, etc.
2. Supplies. Paper, forms, ribbons, magnetic media.
3. Hardware. Including CPUs, keyboards, terminals, terminal servers, routers, firewalls, disk drives, communication lines, printers, personal computers and laptops. This should include not only the hardware used for actual processing, but also the hardware used to view and access the data. It might also include hardware used for access to the facilities and systems (tokens or smart cards).
4. Software. Often includes source programs, utilities, backup operating systems, communication programs, object programs, the source code itself, web content and e-mail systems.
5. People. Users of the systems, people needed to run the systems, and contract personnel for hardware and software. The U.S. Department of Commerce lists insiders as the number one threat to information.
6. Documentation. Documentation is often overlooked, but should include documentation of programs, hardware, systems, and local and remote administrative procedures.
After identifying all of the assets, assign a value to each according to the loss of business, contract obligations and legal ramifications should the asset be compromised. Sometimes it helps to assign a monetary value, but this is not necessary for every item. Once the assets are ranked in a matrix, the next step is to identify the threats to them.
Identifying the threats
When examining the possible threats, a business should consider both internal and external sources. Each threat should be examined in terms of the potential loss it represents to the protected assets.
A common threat is disclosure of information. It is necessary to determine how valuable and sensitive the information stored on the computer systems is. This could be a pricing proposal, a technical paper, or perhaps guides to future product development or market initiatives. Consider password-protecting and encrypting potentially valuable information. How many computers in businesses today, protected by only a basic password, hold access to this sort of valuable data? Unfortunately, too many businesses ignore this easy-to-implement practice.
One of the most common threats is unauthorized access to computing facilities. Unauthorized access is the use of any computer resource or facility without prior permission, and it can take place in a variety of ways. One way is the use of another person's account to gain access to a system, facility or application.
Perhaps one of the greatest threats to emerge recently is the denial of service attack. Everyone is familiar with the recent attacks on eBay and Yahoo, in which repeated traffic from thousands of computers forced the sites to shut down. Another high-profile example is the "I Love You" virus, which affected hundreds of thousands of systems worldwide. Its impact ranged from a minor inconvenience at the mail server to the complete shutdown of corporate systems. Both examples show the importance of protecting systems and businesses against these types of attacks, and the potential for monetary impact. Each business has its own needs and should determine which services are essential, and, for each essential service, determine the effect on service or productivity should that portion of the business be disabled.
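The procedure described above (list the assets by category, rate each by loss of business, contract obligations and legal ramifications, rank them in a matrix, then score each internal and external threat by the potential loss to the assets it can affect) as an added worked example in Python. This is not code from the original article; the 1 to 5 rating scale, the "value times likelihood" score, the mapping of threats to asset categories, and the sample register are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

# Rating scale shared by every input (an assumption of this example):
# 1 = negligible, 3 = significant, 5 = critical.
LOW, HIGH = 1, 5
CATEGORIES = {"data", "supplies", "hardware", "software", "people", "documentation"}


def _check_rating(value: int, label: str) -> int:
    """Reject ratings off the agreed scale so a typo cannot skew the ranking."""
    if not isinstance(value, int) or not LOW <= value <= HIGH:
        raise ValueError(f"{label} must be an integer in [{LOW}, {HIGH}], got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # one of CATEGORIES, the article's six groups
    business_loss: int     # consequence if compromised, rated per criterion
    contract_obligation: int
    legal_ramification: int

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        for label in ("business_loss", "contract_obligation", "legal_ramification"):
            _check_rating(getattr(self, label), f"{self.name}.{label}")

    def value(self) -> int:
        """Worst of the three consequences: one critical exposure makes the asset critical."""
        return max(self.business_loss, self.contract_obligation, self.legal_ramification)


@dataclass(frozen=True)
class Threat:
    name: str
    source: str               # "internal" or "external"
    likelihood: int           # chance of the threat materialising, same 1-5 scale
    categories: frozenset[str]  # asset categories this threat can affect

    def __post_init__(self) -> None:
        if self.source not in ("internal", "external"):
            raise ValueError(f"{self.name}: source must be internal or external")
        _check_rating(self.likelihood, f"{self.name}.likelihood")


def risk_score(asset: Asset, threat: Threat) -> int:
    """Potential-loss proxy: value x likelihood, or 0 if the threat cannot touch this asset."""
    if asset.category not in threat.categories:
        return 0
    return asset.value() * threat.likelihood


def risk_matrix(assets: list[Asset], threats: list[Threat]) -> dict[tuple[str, str], int]:
    """The asset x threat matrix, keyed by (asset name, threat name)."""
    return {(a.name, t.name): risk_score(a, t) for a, t in product(assets, threats)}


def ranked(matrix: dict[tuple[str, str], int]) -> list[tuple[str, str, int]]:
    """Applicable rows, highest risk first; ties broken by name so output is stable."""
    rows = [(a, t, s) for (a, t), s in matrix.items() if s > 0]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def uncovered_assets(assets: list[Asset], threats: list[Threat]) -> list[str]:
    """Assets no listed threat applies to: the threat list is incomplete, not the asset safe."""
    return [a.name for a in assets if all(risk_score(a, t) == 0 for t in threats)]


# Constructed sample register; the ratings are illustrative, not measured.
ASSETS = [
    Asset("cardholder database", "data", 5, 5, 5),
    Asset("ACH files", "data", 5, 4, 5),
    Asset("perimeter firewall", "hardware", 4, 2, 2),
    Asset("e-mail system", "software", 3, 1, 2),
    Asset("contract sysadmins", "people", 4, 3, 2),
    Asset("remote admin procedures", "documentation", 3, 1, 1),
    Asset("blank check stock", "supplies", 2, 1, 3),
]
THREATS = [
    Threat("disclosure of information", "internal", 3, frozenset({"data", "documentation", "supplies"})),
    Threat("unauthorized access via borrowed account", "internal", 4,
           frozenset({"data", "hardware", "software", "documentation"})),
    Threat("denial of service", "external", 3, frozenset({"hardware", "software"})),
    Threat("mail-borne virus", "external", 4, frozenset({"software", "data"})),
]

if __name__ == "__main__":
    for asset, threat, score in ranked(risk_matrix(ASSETS, THREATS)):
        print(f"{score:3d}  {asset:<26} {threat}")
    print("no threat mapped:", uncovered_assets(ASSETS, THREATS))
```

Two design points are worth noting. An asset's value is the worst of its three consequence ratings rather than their sum, so a single critical legal exposure cannot be averaged away by low business and contract ratings. And `uncovered_assets` reports anything the threat list never touches; in the sample register that is the contract sysadmins, which is exactly the "people" category the article warns is apt to be overlooked, and the right response is to add the missing threats, not to treat the zero score as reassurance.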