
Overview of security, compliance, and policies

Asset protection forms the baseline for security. Unintended disclosure, unauthorized modification, or destruction of an asset undermines security.

Observe the following points, which summarize the illustration:

  • Asset requires protection
  • Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the
  • Security is ensured through security governance, which comprises management practices and management oversight
  • Security is demonstrated through compliance, which may be legal or regulatory
  • Compliance consists of adherence to applicable legal and regulatory requirements; to applicable policies, standards, procedures and guidelines; and to personnel security policies
  • Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset is a desktop computer or a laptop. Assets can also be intangible, that is, without physical presence. Examples of intangible assets are a corporate image or intellectual property, such as patents.

Assets are used by the organization for its business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. That value may be monetary, a matter of business importance, or both. For example, a simple firewall that costs less than $10,000 may be protecting business applications worth millions of dollars.

If an asset is compromised, for example stolen or modified, and the data or secret information it holds is disclosed, the impact can include monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped by type, such as tangible or intangible, physical or virtual, and computing or non-computing. An asset can belong to more than one group: a computer, for example, is both a physical asset and a computing (hardware) asset.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

  • Physical assets: They are tangible in nature. Examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.
  • Hardware assets: They are related to computer and network systems. Examples include servers, desktop computers, laptops, routers, network cables, and so on.
  • Software assets: They are intangible assets that an organization holds a license to use. In general, the organization does not hold Intellectual Property Rights (IPR) over such assets. Examples include Operating Systems (OS), Database Management Systems (DBMS), office applications, web server software, and so on.
  • Information assets: They are intangible in nature and are owned by the organization. Examples include business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.
  • Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). In the information security domain, however, software is classified as an intangible asset. Also, software or information may be stored on hardware or physical assets, such as a hard disk or a DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subject to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

  • Physical entry controls to an office building that allow only authorized personnel
  • Monitoring controls, such as CCTV, for surveillance of critical assets
  • Controls, such as locks, for hardware assets for protection from theft
  • Integrity controls, such as cryptographic hashing and authenticated encryption, to detect tampering with software and data assets
  • Copyrights or patent for information assets to protect legal rights
  • Identity management systems to protect personnel assets from identity theft
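The integrity control in the list above is the one that lends itself to a concrete illustration. The following Python example is added here and is not part of the original book: it builds a hash manifest over a set of constructed "asset" files and checks them for tampering. It also shows the caveat a practitioner should know: an unkeyed hash detects a modified file only if the attacker cannot also rewrite the stored hash; when the attacker can touch both, a keyed hash (HMAC) under a secret the attacker lacks is needed. File names, contents and the key are all constructed for the example.

```python
"""
Tamper detection for software/data assets with cryptographic hashing.
Added example, not from the original text. All file names, contents and the
key below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample assets an organization wants to protect from modification.
ORIGINAL_ASSETS = {
    "config/payroll.yaml": b"approver: finance-lead\nmax_transfer: 50000\n",
    "bin/deploy.sh": b"#!/bin/sh\nrsync -a build/ prod:/srv/app/\n",
}


def build_manifest(assets):
    """Unkeyed integrity manifest: file name -> SHA-256 hex digest."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in assets.items()}


def build_keyed_manifest(assets, key):
    """Keyed manifest: file name -> HMAC-SHA256 hex digest under a secret key."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in assets.items()}


def find_tampered(assets, manifest, key=None):
    """Return the sorted names whose current content does not match the manifest.

    A name listed in the manifest but missing from `assets` is reported as well,
    since deletion is also an integrity violation.
    """
    tampered = []
    for name, expected in manifest.items():
        data = assets.get(name)
        if data is None:
            tampered.append(name)
            continue
        if key is None:
            actual = hashlib.sha256(data).hexdigest()
        else:
            actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the match position through timing.
        if not hmac.compare_digest(actual, expected):
            tampered.append(name)
    return sorted(tampered)


def scenario_modified_file():
    """Attacker edits a file but cannot reach the manifest: plain hashing detects it."""
    manifest = build_manifest(ORIGINAL_ASSETS)
    current = dict(ORIGINAL_ASSETS)
    current["config/payroll.yaml"] = b"approver: contractor\nmax_transfer: 5000000\n"
    return find_tampered(current, manifest)


def scenario_replaced_manifest(key):
    """Attacker edits a file AND recomputes the unkeyed manifest.

    The forged plain manifest matches, so plain hashing is silent. The keyed
    manifest was built earlier under `key`, which the attacker does not hold,
    so the HMAC check still flags the file.
    """
    current = dict(ORIGINAL_ASSETS)
    current["bin/deploy.sh"] = b"#!/bin/sh\nrsync -a build/ other-host:/srv/app/\n"
    forged_plain = build_manifest(current)                 # written by the attacker
    keyed = build_keyed_manifest(ORIGINAL_ASSETS, key)     # written before the attack
    return find_tampered(current, forged_plain), find_tampered(current, keyed, key)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # would live in an HSM or secrets manager
    print("modified file, plain hash:", scenario_modified_file())
    plain, keyed = scenario_replaced_manifest(secret)
    print("file and manifest replaced, plain hash:", plain)
    print("file and manifest replaced, HMAC:", keyed)
```

The manifest approach is the basis of file integrity monitoring: compute digests at a known-good baseline, store them where the monitored system cannot silently rewrite them (or bind them to a key or signature), and re-verify on a schedule. Encryption on its own protects confidentiality, not integrity; use an authenticated mode or an explicit MAC when tampering is the concern.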

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not chosen ad hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment, and controls are selected through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. To understand risk, perform risk assessment, and select controls for asset protection, the concepts of CIA must be understood first.
