CHAPTER 5 Asset Identification and Characterization

Overview

We have seen that information security is associated with identified assets. All activities related to information security – security controls, disaster recovery and business continuity programs, and risk assessments, should revolve around protecting the confidentiality, integrity, and availability of the assets of the organization. Unsatisfactory asset identification can leave valuable assets unprotected while the organization spends time on protecting low value resources. Identifying and classifying assets is therefore the foundation of an information security program.

This chapter will describe the important assets in organizations. We will then examine how these assets can be identified and classified. Later chapters will discuss how these assets can be protected. At the end of the chapter you will:

• Be familiar with some of the issues involved in maintaining IT assets
• Have a basic understanding of the mission of the organization
• Know how to classify assets based on their alignment to the organization's mission
• Be aware of asset management issues including life cycle and ownership

Assets overview

The goal of asset identification and classification is to proactively gather all necessary information about an organization's assets that can be useful in responding to a threat affecting that asset. Asset identification should lead to the deployment of required monitoring mechanisms so that the organization can become ...