You can’t protect your data if you don’t know it’s there. Asset management is an essential element of your organisation’s cybersecurity posture; get it right, and you’ll be able to protect your data throughout the information lifecycle.
At Six Degrees we work with regulated firms throughout the finance sector to help them improve their cybersecurity postures. We’re operating in a commercial climate where cybersecurity is becoming an important decision-making factor, as organisations don’t want to engage with third parties that have the potential to introduce risk. Robust cybersecurity makes sound business sense – to fail to address your organisation’s cybersecurity posture is to risk significant commercial disadvantage.
The FCA recently published an industry insights document that aims to improve cybersecurity practices amongst regulated firms. In our previous blog we expanded upon the FCA’s guidance on how to implement cybersecurity governance best practices. For this next blog in the series, we delve into the FCA’s guidance around identifying what you need to protect: consider what you need to know. This means talking about asset management – an essential element of your organisation’s cybersecurity posture.
What is an Information Asset?
An information asset is essentially any form of data that an organisation owns. This is not only written information that is stored on a file server or written on a piece of paper; it can also be the content of meetings, conversations, voicemails, messages or social media posts. As information comes in so many forms, it is important that information assets are handled with care.
Not all information should be treated equally. Treating every asset the same way could result either in data getting into the wrong hands, or in your organisation not working as efficiently as it could. All data needs to be categorised, in order to ensure that information assets are handled in an appropriate manner. To illustrate this, consider the following two examples:
- News about a charity project that a company is starting can and should be made available to the public. It doesn’t need high security measures.
- On the other hand, information about a new product that a company is launching next year should not be allowed outside the organisation. Security measures are needed to make sure that this information is kept hidden from the public and from competitors.
In order to maintain a robust cybersecurity posture, all data needs to be handled in an appropriate manner that minimises the threat of accidental or malicious breach.
Threats to Information Assets
All information assets are classified in terms of their confidentiality, integrity and availability:
- Confidentiality is the privacy of an information asset, and who is authorised to access it. At Six Degrees we categorise information assets as public, client confidential, internal use only, confidential or highly confidential.
- Integrity is the consistency and accuracy of an information asset. One way to ensure the integrity of an information asset is to maintain a change control log, so you can easily see who has updated the information asset, when, and for what reason.
- Availability is the ability for the appropriate audience to access the information asset. If the information asset is held on a file server, the uptime and accessibility of the host server influences the information asset’s availability.
A threat is a potential cause of an unwanted incident, which may result in harm to a system or organisation. Threats to information assets are assessed across three areas:
- Severity: how serious is the threat?
- Probability: how likely is the threat to occur?
- Consequence: if the threat was successful, what would the implications be from a financial, operational and reputational perspective?
The Importance of Asset Management
All of your information assets need to be owned by individuals within your organisation. The asset owner will take responsibility throughout the information lifecycle: asset creation, processing, storage, transmission and destruction.
An organisation’s asset management approach is defined by its Information Asset Register (IAR). Information assets should be divided into different classification groups. Each group carries an estimate of the risk its assets pose and determines which individuals will have access to the information assets within it.
IARs keep track of an organisation’s information assets, along with what level of security is needed for individual assets. In an IAR, an owner is determined for each individual asset. This owner will ensure that the asset is secured, and should understand the asset’s value within the organisation. If an IAR is kept up to date, it will greatly increase the security of an organisation’s information.
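As an added illustration (not Six Degrees’ own tooling), the following check runs over a small constructed IAR and reports the gaps the post warns about: assets with no owner, classifications outside the five agreed levels, and confidential or highly confidential assets with no change control log to support their integrity. The CSV column names and the rule linking change control to the two most sensitive levels are assumptions made for the example.

```python
import csv
import io

# The five confidentiality levels named in the post.
CLASSIFICATIONS = {"public", "client confidential", "internal use only",
                   "confidential", "highly confidential"}
# Assumption for this example: the two most sensitive levels must have the
# change control log the post describes as an integrity control.
NEEDS_CHANGE_LOG = {"confidential", "highly confidential"}

# Constructed sample register; the column names are an assumption, not a standard.
SAMPLE_IAR = """asset,owner,classification,change_log
Charity project announcement,Comms team,public,no
Next year's product launch plan,,highly confidential,no
Client contract archive,Legal,client confidential,yes
Board minutes,Company Secretary,restricted,yes
"""


def check_register(csv_text):
    """Return one finding string per gap found in the register.

    Checks: every asset has a named owner, every asset carries one of the
    agreed classifications, and sensitive assets have a change control log.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset"]
        cls = row["classification"].strip().lower()
        if not row["owner"].strip():
            findings.append(f"{name}: no owner assigned")
        if cls not in CLASSIFICATIONS:
            findings.append(f"{name}: unknown classification '{row['classification']}'")
        elif cls in NEEDS_CHANGE_LOG and row["change_log"].strip().lower() != "yes":
            findings.append(f"{name}: no change control log for {cls} asset")
    return findings


if __name__ == "__main__":
    for finding in check_register(SAMPLE_IAR):
        print(finding)
```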
Asset management is a key aspect of any organisation’s cybersecurity preparedness, but the truth is that staying safe from cyber-threats is a constant challenge. If you’re keen to benchmark your firm’s cybersecurity preparedness, take our cybersecurity quiz. It only takes five minutes, and will give you a snapshot of where you are and what steps you can take to improve your cybersecurity posture.