Identifying what data and systems require prioritized protection in your organization is critical to building a successful cyber-risk management program. It starts with understanding where data resides across the enterprise, as well as its business and
cyber-risk implications, ownership, and stakeholder reporting requirements.
This piece provides a strategic framework for establishing a data and systems classification strategy, including identifying assets that must be reported on to key stakeholders, such as the board of directors.
In a world of complex systems and systems-of-systems integral to functioning enterprises, it is increasingly important to be able to understand and manage the risks these systems present to the missions they support. Given finite resources, it is not
possible to apply equal protection to all systems. Organizations must take a risk-based approach, using processes, methods and techniques to prioritize systems for a detailed risk analysis
and for applying information security and privacy controls.
The first step in the journey is to define which systems are critical. Performing a system criticality analysis helps security teams identify and better understand the systems, subsystems, components and subcomponents most essential to an organization’s
operations and the environment in which it operates. That understanding facilitates better decision-making related to the management of an organization’s assets across information security and privacy risk management, project management, acquisition, maintenance and system upgrades.
When formulating the criteria to establish information system criticality, it’s important to involve multiple stakeholders in the decision, including legal, compliance, asset owners and disaster recovery/business continuity groups (which may have
already completed a similar exercise), as well as top management and the board. For example, most boards will expect the decision to factor in questions like:
It’s also important to take a 360-degree view and consider multiple factors. This is done by analyzing the confidentiality, integrity and availability (CIA) requirements of each asset, together with the impact if each of those properties is compromised, and then assigning a score for each using a simple scoring system (e.g., 1–10, where 10 is most critical). Criticality, aka impact, is the average of those three CIA scores.
The score for confidentiality is derived by defining the types of records that exist within the asset, including any type being stored, processed or transferred by the asset. The weight of each record, on a 10-point scale, should be defined by operator
input or historical and cybersecurity intelligence data. As a very simple example, intellectual property records worth 100% of revenue would equate to a 10 on the 10-point scale.
Volume should also be defined and considered. For example, an asset with 1,000 personally identifiable information records would not carry the same confidentiality score as an asset with 10 million PII records. This analysis should be repeated for each
asset or asset group.
The score for integrity builds on the asset’s confidentiality and availability scores and adds an integrity adjuster for asset behavior or data alteration. The adjuster is an estimate, on the same 10-point scale, of the impact if someone or something altered the behavior of the asset or the data within it. The integrity score is then the maximum of the confidentiality score, the availability score and the integrity adjuster, so an asset whose data is highly sensitive or whose uptime is revenue-critical can never score low on integrity.
As a very simple example, the manipulation of personal health information records to change a patient’s blood type could lead to serious injury or death, which means the integrity adjuster for the asset storing these records would be a 10 on a 10-point scale, and its integrity score would therefore also be 10. This analysis should also be repeated for each asset or asset group.
The score for availability is derived from the asset’s required uptime and the share of revenue that depends on the asset. Express the uptime requirement on the 10-point scale (e.g., 99.9% becomes 9.99) and multiply it by the revenue share (as a fraction of 1) to get an availability score on the same 10-point scale.
As a very simple example, an asset that requires 99.9% uptime and is related to 50% of revenue would have an availability score of 9.99 x 0.5 = 4.995. As with confidentiality and integrity, this analysis should be repeated for each asset or asset group.
A data asset’s total criticality score (or impact score) is derived by calculating the average of its CIA scores. Ransomware is a good example of how the three factors work together, because it is an integrity issue (it encrypts the system’s data) that becomes an availability issue (business interruption) with a potential for a confidentiality issue (data exfiltrated before encryption and leaked).
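The scoring model described above (confidentiality from weighted record types adjusted for volume, integrity as the maximum of confidentiality, availability and the integrity adjuster, availability as the uptime requirement on a 10-point scale times revenue share, and criticality as the average) implemented end to end over a small inventory. This is an added example, not IANS code; the inventory is constructed, and the specific volume adjustment (a log-scaled factor) is an assumption, since the text only says volume must be considered.

```python
"""Worked example of the CIA criticality scoring model described above.

Added illustration only: this is not IANS code. The sample inventory and
the volume adjustment used for confidentiality are assumptions made here.
"""
import math
from dataclasses import dataclass


@dataclass
class RecordType:
    name: str
    weight: float  # 1-10, from operator input or intelligence data
    count: int     # number of records stored, processed or transferred


@dataclass
class Asset:
    name: str
    records: list              # list[RecordType]
    uptime_requirement: float  # required availability in percent, e.g. 99.9
    revenue_share: float       # fraction of revenue tied to the asset, 0.0-1.0
    integrity_adjuster: float  # 1-10, estimated impact of tampering with data or behaviour


def volume_factor(count: int) -> float:
    """Assumption (not in the source): scale a record type's weight by volume.

    1 record -> 0.4, 1,000 records -> 0.7, 1,000,000 or more -> 1.0, so an
    asset with 10 million PII records scores higher than one with 1,000.
    """
    if count <= 0:
        return 0.0
    return min(1.0, 0.4 + 0.1 * math.log10(count))


def confidentiality_score(asset: Asset) -> float:
    """Highest volume-adjusted record weight held by the asset (0-10)."""
    if not asset.records:
        return 0.0
    return max(r.weight * volume_factor(r.count) for r in asset.records)


def availability_score(asset: Asset) -> float:
    """Uptime requirement on a 10-point scale times revenue share.

    99.9% uptime on 50% of revenue -> 9.99 * 0.5 = 4.995, as in the text.
    """
    return (asset.uptime_requirement / 10.0) * asset.revenue_share


def integrity_score(asset: Asset) -> float:
    """Maximum of confidentiality, availability and the integrity adjuster."""
    return max(confidentiality_score(asset),
               availability_score(asset),
               asset.integrity_adjuster)


def criticality_score(asset: Asset) -> float:
    """Impact score: the average of the three CIA scores."""
    c = confidentiality_score(asset)
    i = integrity_score(asset)
    a = availability_score(asset)
    return (c + i + a) / 3.0


def rank_assets(assets: list) -> list:
    """Return (name, criticality) pairs, most critical first."""
    scored = [(a.name, round(criticality_score(a), 3)) for a in assets]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample inventory (not real data).
INVENTORY = [
    # CRM with 10M PII records, 99.9% uptime, half of revenue, low tamper impact
    Asset("crm-db", [RecordType("PII", 8, 10_000_000)], 99.9, 0.5, 3),
    # Health records: tampering (e.g. blood type) can kill, so adjuster is 10
    Asset("ehr", [RecordType("PHI", 9, 100_000)], 99.99, 0.2, 10),
    # Internal wiki: low-sensitivity docs, little revenue dependence
    Asset("intranet-wiki", [RecordType("internal docs", 3, 5_000)], 95.0, 0.01, 2),
]

if __name__ == "__main__":
    for name, score in rank_assets(INVENTORY):
        print(f"{name:15s} criticality={score:.3f}")
```

One property of the model worth noticing when reading the output: because criticality is an average, a single extreme score is diluted (the ehr asset’s integrity of 10 still lands it below the CRM database), while the max rule for integrity means a high confidentiality or availability score always pulls integrity up with it. If a single catastrophic dimension should dominate, replace the average with the maximum; that is a design choice the organization has to make explicitly.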
There are no rules for how many assets within an organization are critical versus noncritical. The percent of assets deemed highly critical is specific to the profile of the enterprise.
To ensure your analysis of data/asset criticality is sound, it’s important to:
September 26, 2023
By IANS Faculty