How to Establish a Data and Systems Classification Strategy

December 29, 2022 | By IANS Faculty

Identifying what data and systems require prioritized protection in your organization is critical to building a successful cyber-risk management program. It starts with understanding where data resides across the enterprise, as well as its business and cyber-risk implications, ownership, and stakeholder reporting requirements. 

This piece provides a strategic framework for establishing a data and systems classification strategy, including identifying assets that must be reported on to key stakeholders, such as the board of directors.

Understanding Information Systems Risks 

In a world of complex systems and systems-of-systems integral to functioning enterprises, it is increasingly important to be able to understand and manage the risks these systems present to the missions they support. Given finite resources, it is not possible to apply equal protection to all systems. Organizations must take a risk-based approach, using processes, methods and techniques to prioritize systems for a detailed risk analysis and for applying information security and privacy controls.

The first step in the journey is to define which systems are critical. Performing a system criticality analysis helps security teams identify and better understand the systems, subsystems, components and subcomponents most essential to an organization’s operations and the environment in which it operates. That understanding facilitates better decision-making related to the management of an organization’s assets across information security and privacy risk management, project management, acquisition, maintenance and system upgrades.




Key System Criticality Criteria 

When formulating the criteria to establish information system criticality, it’s important to involve multiple stakeholders in the decision, including legal, compliance, asset owners and disaster recovery/business continuity groups (which may have already completed a similar exercise), as well as top management and the board. For example, most boards will expect the decision to factor in questions like:

  • What is our financial exposure to cyber threats?
  • What cyber threats are most likely to have a major financial impact on our business?
  • How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?
  • How can we align our budget, implement controls and optimize risk transfers to address our cyber-risk exposure?
  • Are our digital initiatives being developed in a cyber-resilient way?

It’s also important to take a 360-degree view and consider multiple factors. This is done by analyzing the expected confidentiality, integrity and availability (CIA) of each asset and then assigning a score using a simple scoring system (e.g., 1–10, where 10 is most critical). Criticality, aka impact, is the average of those CIA scores.

Formulating Asset Confidentiality 

The score for confidentiality is derived by defining the types of records that exist within the asset, including any type being stored, processed or transferred by the asset. The weight of each record, on a 10-point scale, should be defined by operator input or historical and cybersecurity intelligence data. As a very simple example, intellectual property records worth 100% of revenue would equate to a 10 on the 10-point scale.

Volume should also be defined and considered. For example, an asset with 1,000 personally identifiable information records would not carry the same confidentiality score as an asset with 10 million PII records. This analysis should be repeated for each asset or asset group.

Formulating Asset Integrity 

The score for integrity is derived by maxing an asset’s confidentiality and availability scores (i.e., setting those scores at 10) and adding an additional adjuster for asset behavior or data alteration. The alteration value is based on an estimate of impact if someone or something altered the behavior of an asset or altered the data within the asset.

As a very simple example, the manipulation of personal health information records to change a patient’s blood type could lead to catastrophic human casualty or death, which means the integrity value of the asset storing these records would be a 10 on a 10-point scale. The integrity score, then, is the maximum value of confidentiality, availability and the integrity adjuster. This analysis should also be repeated for each asset or asset group.




Formulating Asset Availability 

The score for availability is derived by defining the necessary availability requirement of the asset and how much the asset impacts revenue. Multiplying those scores creates a score on a 10-point scale.

As a very simple example, an asset that requires a 99.9% uptime and is related to 50% of revenue would have an availability score of 9.99 x 0.5 = 4.995. As with confidentiality and integrity, this analysis should be repeated for each asset or asset group.

Determining Data Asset Criticality 

A data asset’s total criticality score (or impact score) is derived by calculating the average of its CIA scores. Ransomware is a good example of how the three factors work together, because it is an integrity issue (encrypts the system) that becomes an availability issue (business interruption) with a potential for a confidentiality issue (data breach).

There are no rules for how many assets within an organization are critical versus noncritical. The percent of assets deemed highly critical is specific to the profile of the enterprise.
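The scoring steps above, carried through for a small inventory as an added example (not code from IANS). The article does not say how volume enters the confidentiality score, so the log-scaled volume factor and `REFERENCE_VOLUME` are assumptions, as are the `Asset` field names and the constructed sample assets.

```python
from dataclasses import dataclass
from math import log10

# Assumption (not from the article): record volume scales a record type's
# weight on a log10 curve that reaches full weight at REFERENCE_VOLUME.
REFERENCE_VOLUME = 10_000_000

@dataclass
class Asset:
    name: str
    records: dict             # record type -> (weight 0-10, record count)
    uptime_pct: float         # required availability, e.g. 99.9
    revenue_share: float      # fraction of revenue tied to the asset, 0-1
    alteration_impact: float  # integrity adjuster, 0-10

def confidentiality(a):
    # Highest volume-adjusted weight across the record types the asset holds.
    return max((w * min(1.0, log10(max(n, 1)) / log10(REFERENCE_VOLUME))
                for w, n in a.records.values()), default=0.0)

def availability(a):
    # The article's arithmetic: 99.9% uptime -> 9.99, times revenue share.
    return a.uptime_pct / 10 * a.revenue_share

def integrity(a):
    # Maximum of confidentiality, availability and the alteration adjuster.
    return max(confidentiality(a), availability(a), a.alteration_impact)

def criticality(a):
    # Impact score: the average of the three CIA scores.
    return (confidentiality(a) + integrity(a) + availability(a)) / 3

def rank(assets):
    # Most critical first, with the per-factor scores kept for explanation.
    rows = [(a.name, round(confidentiality(a), 2), round(integrity(a), 2),
             round(availability(a), 2), round(criticality(a), 2)) for a in assets]
    return sorted(rows, key=lambda r: r[4], reverse=True)

# Constructed sample inventory (names, weights and counts are illustrative).
INVENTORY = [
    Asset("marketing-crm", {"PII": (6, 1_000)}, 99.0, 0.1, 3),
    Asset("ehr-db", {"PHI": (9, 10_000_000)}, 99.9, 0.5, 10),
    Asset("design-vault", {"IP": (10, 10_000_000)}, 95.0, 0.2, 8),
]

if __name__ == "__main__":
    for row in rank(INVENTORY):
        print("%-14s C=%5.2f I=%5.2f A=%5.2f criticality=%5.2f" % row)
```

Keeping the three factor scores next to the total lets each ranking be traced back to its inputs when it is presented to stakeholders.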

To ensure your analysis of data/asset criticality is sound, it’s important to:

  • Relate all scores to a definition: The scores cannot be arbitrary. If they are, they will not matter to anyone outside of the security team.
  • Explain the analysis and methodology clearly to all stakeholders: You must be able to explain both how each score is derived and why one asset is considered noncritical, while another is considered critical. This will ensure clarity and stakeholder buy-in across the organization.
