A Playing Field Without Any Boundaries
Have you ever been assigned the task of asset security in an organization? At first glance, asset security seems pretty simple, almost boring. After all, what’s the big deal about tracking some laptops and mobile phones? However, once you dive into the details of what an asset is, you may quickly find yourself with the feeling that the entire earth has been overtaken by quicksand. The asset security responsibilities of an information security professional can be so vast as to leave one feeling that there is no firm footing.
Assets are anything that imparts value to an organization. Such a broad definition would place assets everywhere, both inside and outside of any company, and depending on the type of business for which you work, assets have different categories with different priorities for protecting them. Sometimes, the value of an asset is strictly monetary, and other times, the value can be much greater.
Knowing your scope
An information security professional working in a small organization will often find that the job goes beyond information technology. In a small firm, protecting the computing assets will often include protecting everything associated with acquiring, using, storing, distributing, and ultimately disposing of a computer or mobile device. A smaller organization may not have any physical security guidance, and this would also be assigned as a responsibility for the information security professional. In essence, when it comes to the many hats worn by most information security professionals, almost nothing is off-limits. The “information” in information security is only part of the security scope.
For anyone studying for the Certified Information Systems Security Professional (CISSP) exam, this is clear, as one of the domains covers asset security from an information technology (IT) perspective and expands it to include non-IT assets as well. Another domain covers not only physical access controls but also heating, ventilation and air conditioning (HVAC), as well as fire extinguishers. These are all assets.
Your colleagues are corporate assets. In most cases, they are the most important asset to a company. While it would be foolish for any organization to put their information security professional in charge of the physical security of the staff, it is not unreasonable to call upon the information security professional to advise about how an individual can maintain personal security. Personal protection in a traveling or remote workforce would include awareness of everything from credit card safety to hotel room safety. Most seasoned travellers will know most of the safety tips, but for an effective information security professional, this subject should be on your security radar and part of your continuing professional education. The “Security Operations” domain of the CISSP Common Body of Knowledge (CBK) covers personnel security. While these non-IT assets are not a primary responsibility of an information security professional, their inclusion in the CBK is indicative of the real-world information security profession.
The first true task of any asset security exercise is the proper classification of the assets that are to be protected. Just because everything is an asset does not mean that everything is a critical business asset. As mentioned previously, asset classification will differ not only from industry to industry, but by company size as well. Consider this simplified example: the computers may be the most important asset for a financial advisory firm, but not to a jewellery manufacturer. Similarly, credit card data may be just as important as actual merchandise to a fashion store.
These difficult choices are where an information security professional, and especially one who holds a CISSP credential, can bring value to the discussion. The CISSP training offered by ISC2 includes many of the skills required to understand the asset protection lifecycle and to work effectively with other areas of the business, such as senior management, to assist in the classification of these assets.
All That You Cannot See
One of the greatest challenges to asset security is embodied in the invisible assets. Cloud computing has expanded information security in many great ways, but there are also many ways that the availability of cloud services can threaten your digital assets. When a person decides to place corporate data in a cloud service outside of the information security policy or process, that data becomes a lost asset. This practice, known as “Shadow IT”, can be controlled. Effective security awareness training can help, but there is also the need to evaluate and recommend a security product that can prevent the shadow IT problem. These are best addressed by a trained information security professional.
Asset Management Stretches Beyond IT
Asset management is inextricably tied to Risk Management and Compliance. One cannot say that they are reasonably protecting an asset without calculating the risk of loss or damage to that asset. If that asset is something intangible, such as intellectual property, the risk calculation becomes even more intertwined with information security. For example, if your intellectual property becomes compromised through accidental alteration, or malicious intent, the impact must be assessed in relation to the proper functioning of the business. This is most evident in the growing sophistication of ransomware coupled with data theft.
From a compliance perspective, asset security becomes a demonstration of security assurance. For example, in the case of a stolen laptop, if the compliance policy is that all laptops must use full disk encryption, the information security professional must be able to furnish proof of encryption. Any proof that is offered must be recent enough to be of probative value. If a mobile device, such as a tablet or smartphone, is stolen, the security professional must offer proof that the device is protected by a password and, in extreme cases, that the data can be remotely wiped from the device. These are seemingly simple compliance rules, but they must be reviewed constantly to ensure operational effectiveness.
Keeping track of it all
Perhaps the most difficult part about asset security is not so much its technical implementation as its administrative upkeep. Asset security is never a “set it and forget it” proposition. The ability to keep detailed records of, and a constant watch over, all the critical assets in an organization becomes essential in a regulated environment. An effective security professional is well-versed in accurate record-keeping and understands the need to produce the records in a way that can satisfy even the pickiest auditor. Beyond the audit requirements, accurate records provide added comfort to upper management that the assets are accounted for and protected.
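The stolen-device scenario above (recent proof of full disk encryption for laptops, proof of passcode enforcement and remote wipe for mobile devices) is the kind of rule an inventory should be able to answer on demand. The following is an added example, not code from the article or from ISC2; the 30-day evidence window, the field names and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: an encryption attestation older than this is no longer
# treated as probative. The article gives no number; 30 days is a placeholder.
MAX_EVIDENCE_AGE = timedelta(days=30)


@dataclass
class Asset:
    asset_id: str
    kind: str                            # "laptop" or "mobile"
    classification: str                  # e.g. "critical" or "standard"
    fde_attested_at: Optional[datetime]  # last verified full-disk-encryption check
    passcode_enforced: bool              # MDM reports a device passcode is required
    remote_wipe_available: bool          # device is enrolled and can be wiped


def loss_finding(asset: Asset, reported_at: datetime) -> dict:
    """Decide whether the evidence on record for a lost/stolen asset is sufficient."""
    gaps = []
    if asset.kind == "laptop":
        if asset.fde_attested_at is None:
            gaps.append("no full-disk encryption evidence on record")
        elif reported_at - asset.fde_attested_at > MAX_EVIDENCE_AGE:
            gaps.append("encryption evidence too old to be probative")
    elif asset.kind == "mobile":
        if not asset.passcode_enforced:
            gaps.append("no proof of passcode enforcement")
        # Remote wipe is only demanded for critical assets in this assumed policy.
        if asset.classification == "critical" and not asset.remote_wipe_available:
            gaps.append("remote wipe not available for critical device")
    return {"asset_id": asset.asset_id, "compliant": not gaps, "gaps": gaps}


def findings_for(inventory, reported_at: datetime) -> dict:
    """Run the check over a whole inventory, keyed by asset id."""
    return {a.asset_id: loss_finding(a, reported_at) for a in inventory}


# Constructed sample inventory; the dates are relative to a fixed report time.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Asset("LT-001", "laptop", "critical", NOW - timedelta(days=5), True, True),
    Asset("LT-002", "laptop", "standard", NOW - timedelta(days=90), True, False),
    Asset("MB-001", "mobile", "critical", None, True, False),
]

if __name__ == "__main__":
    for asset_id, finding in findings_for(SAMPLE_INVENTORY, NOW).items():
        print(asset_id, "OK" if finding["compliant"] else finding["gaps"])
```

The point of the time comparison is the one the article makes: an attestation is only useful as audit evidence if it was gathered recently enough relative to the loss.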
Why the CISSP Credential Matters
Understanding all of the subtleties of asset management can be a daunting task. However, in the hands of a trained information security professional, it is not insurmountable. Those who hold the CISSP credential have demonstrated and verified knowledge in asset security. When an organization needs specialized security abilities, they can rely on those who hold the CISSP designation for a wide breadth of knowledge and experience in information security.
The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions:
- Chief Information Security Officer
- IT Director/Manager
- Security Analyst
ISC2 was the first information security certifying body to meet the requirements of the American National Standards Institute (ANSI) ISO/IEC Standard 17024, and the CISSP certification has met Department of Defense (DoD) Directive 8570.1.
To discover more about CISSP, read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.