Asset Value

From The Secure Arc Wiki


As mentioned in the Asset Definition section, everything ties back to Asset Classification. If you don't know what it is that you're protecting and how valuable it is, you can't know or justify how much you should spend on Security Controls.

While there will always need to be some subjective estimates involved in valuing Information Assets, the approach taken in the Secure Arc Reference Architecture is intended to make the process as quantitative as possible.

Asset Classification is an organization-specific process, and the values arrived at by one organization may differ significantly from those of another.


Security Requirements

Any Vulnerability in an Infrastructure Asset will ultimately be classified as a breach of one or more of the Core Principles of Security in the CIA Triad:

  1. Confidentiality
  2. Integrity
  3. Availability

Depending on which of these a given Information Asset is exposed to, the Impact can vary considerably. For example, PCI Regulatory compliance is focussed almost solely on the Confidentiality of Credit Card data. While a breach of the other two may result in a significant impact to the organization, they are not as important to regulatory compliance.

As such, one of the first tasks of Information Asset Classification is to determine what the Security Requirements are. The values that can be selected for each Security Requirement come directly from the Environmental Score definitions of the CVSS spec.

Image:SecurityRequirements.png

Later, when a Vulnerability in an Infrastructure Asset is assessed, the Security Requirements of the Information Assets that would be impacted by its exploitation directly affect the vulnerability's overall CVSS score. If the Vulnerability only results in a breach of Confidentiality on Information Assets that have no or low Confidentiality requirements, the overall CVSS score will be lower.
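The following worked example is added here to show that effect in numbers; it is not code from the Secure Arc Reference Architecture. It implements the published CVSS v2 Base and Environmental equations (the version whose Environmental score carries the Security Requirement and Collateral Damage Potential metrics this page refers to), with temporal metrics left at Not Defined. The vector string, the function names and the choice of requirement values are this example's own; the same Confidentiality-only vulnerability is scored against an asset with a Low Confidentiality Requirement and one with a High requirement.

```python
"""CVSS v2 base and environmental scoring (added example, not Secure Arc code).

Demonstrates how the Confidentiality/Integrity/Availability Requirements (CR/IR/AR)
taken from an asset's classification change the Environmental score of one and the
same vulnerability. Constants and equations are those of the CVSS v2 guide.
"""
import math

# Base metric weights from the CVSS v2 specification
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Environmental weights: Security Requirements, Collateral Damage Potential, Target Distribution
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}


def round1(x):
    """CVSS v2 round_to_1_decimal: round half up, avoiding Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Parse a base vector such as 'AV:N/AC:L/Au:N/C:C/I:N/A:N' into a dict."""
    return dict(part.split(":") for part in vector.split("/"))


def _exploitability(m):
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def _score_from_impact(impact, exploitability):
    """Shared Base/Adjusted-Base equation; f(Impact) is 0 when there is no impact at all."""
    f_impact = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    return _score_from_impact(impact, _exploitability(m))


def environmental_score(vector, cr="ND", ir="ND", ar="ND", cdp="ND", td="ND"):
    """Environmental score; temporal metrics are Not Defined, i.e. multipliers of 1.0."""
    m = parse_vector(vector)
    # Each impact sub-score is scaled by the requirement of the asset it would breach.
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - IMPACT[m["C"]] * REQUIREMENT[cr])
                                          * (1 - IMPACT[m["I"]] * REQUIREMENT[ir])
                                          * (1 - IMPACT[m["A"]] * REQUIREMENT[ar])))
    adjusted_temporal = _score_from_impact(adjusted_impact, _exploitability(m))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * COLLATERAL_DAMAGE[cdp])
                  * TARGET_DISTRIBUTION[td])


if __name__ == "__main__":
    # Constructed vector: remotely exploitable, breaches Confidentiality only.
    vec = "AV:N/AC:L/Au:N/C:C/I:N/A:N"
    print("Base score:", base_score(vec))
    print("Environmental, asset with Low CR:", environmental_score(vec, cr="L"))
    print("Environmental, asset with High CR:", environmental_score(vec, cr="H"))
    print("Environmental, High AR only (no Availability impact):", environmental_score(vec, ar="H"))
```

Note that a High Availability Requirement leaves this vulnerability's score untouched, because the vector has no Availability impact for the requirement to scale; only the requirement matching the principle actually breached moves the score.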

Classification

Asset Classification is a long, drawn-out, complicated task, which is why it is important to identify Information Asset types rather than walking through a classification exercise for each element of an object graph in a Data Model. Stick with types or you'll end up with a never-ending task that begins from scratch on each project.

If you can come up with the appropriate Information Assets at the beginning, you should be able to classify them once and then review them once every year or so.

Classification itself is based on a combination of the Magnitude of Impact Definitions table in the NIST 800-30 standard, ISO17799/27001, and the Collateral Damage Potential ratings from the Environmental Score definitions of the CVSS spec. More on this in the Vulnerability section.

To arrive at the values in the following tables, you need to run through a variation of the following questions for each cell.

  1. If someone who shouldn't be able to see the Information Asset is able to see 54,9993,556 of them, it may result in the highly costly loss of major tangible assets or resources. Total losses, lost revenue and damage control may exceed $53,893,685.
  2. If someone who shouldn't be able to change the Information Asset is able to change 54,9993,556 of them, it may result in the highly costly loss of major tangible assets or resources. Total losses, lost revenue and damage control may exceed $53,893,685.
  3. If someone who should be able to access the Information Asset is unable to access 54,9993,556 of them, it may result in the highly costly loss of major tangible assets or resources. Total losses, lost revenue and damage control may exceed $53,893,685.

The example above is for the Value at Risk, Critical Impact cell in the table to the right.

For the remaining cells, refer to the descriptions in the following assessment table and repeat for each CIA Security Requirement.

Image:CollateralDamageDefinitions.png

The key behind this is that it is much easier to make decisions based on quantitative volumes of Information Assets than to pluck a dollar figure out of the air. Every Architect should be well aware of the volume of each type of data in the system or enterprise, especially as this was identified during the Asset Definition phase, and once we have a number we are in a much better position to determine what the dollar impact will be.

If you lose 5 million credit card numbers, that is 5 million customers that need to be contacted. It's 5 million separate people that will need their credit cards replaced, with a cost likely to be passed on to your organization by their banks. There is also likely to be a fixed fine or increased merchant rates from your credit card merchant. Estimating the dollar impact becomes much easier when you have a quantity to work with.

Inferred Value

The inferred Asset Unit Value isn't particularly useful on its own, but it provides a useful comparison of the overall value of each individual Information Asset against the others. The Inferred Asset Value, as the name implies, is derived from the classification values assigned to the asset: take the average unit value for each impact level, then take the median of those four averages.

Image:InferredAssetValueTable.png Image:InferredAssetValuesPieChart.png

If needed, the Asset Classifications can be revisited to adjust the Inferred Values relative to each other. For example, if Trade Secrets come out worth far less per unit than they are known to be, the Architect can revisit the Asset Classifications and re-adjust the values to a more suitable combination.

Overall Risk Profile

The final piece of data that can be inferred from the Asset Classification data is the overall risk profile for the organization. By taking the cumulative asset classification values across all Information Assets and then the median of each value, you can determine what this particular organisation considers a Critical, High, Medium and Low risk, from a lost revenue perspective, across all of its Information Assets.

Image:OverallRiskProfile.png

As with the Inferred Values, this can be fed back into the asset classifications. This chart should represent the losses an organization is willing to accept; if it doesn't accurately reflect how the company feels about those numbers, then again the Asset Classifications should be revisited until the overall Risk Profile fits the organization.
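The classification questions, the Inferred Value and the Overall Risk Profile above are three steps on the same table, so one added example covers all three. It is not Secure Arc code: the two asset types and every volume and dollar figure in it are constructed sample data, and the per-unit averaging order and the per-level median are this example's reading of the text's description. It also adds a lookup from a lost volume to an impact level, which is the direction the Next Steps section says the volume figures will be used in.

```python
"""Asset classification arithmetic (added worked example with constructed data).

The 'Value at Risk' table for each Information Asset type is stored as, per CIA
requirement and impact level, the volume of units lost at which that level is reached
and the estimated dollar loss at that volume.
"""
from statistics import mean, median

LEVELS = ("Low", "Medium", "High", "Critical")
REQUIREMENTS = ("Confidentiality", "Integrity", "Availability")

# asset -> requirement -> level -> (volume at which the level is reached, dollar loss at that volume)
# All figures below are constructed for illustration only.
ASSETS = {
    "Credit Card Numbers": {
        "Confidentiality": {"Low": (1_000, 50_000), "Medium": (10_000, 500_000),
                            "High": (100_000, 5_000_000), "Critical": (5_000_000, 300_000_000)},
        "Integrity": {"Low": (1_000, 20_000), "Medium": (10_000, 200_000),
                      "High": (100_000, 2_000_000), "Critical": (5_000_000, 100_000_000)},
        "Availability": {"Low": (1_000, 10_000), "Medium": (10_000, 100_000),
                         "High": (100_000, 1_000_000), "Critical": (5_000_000, 50_000_000)},
    },
    "Trade Secrets": {
        "Confidentiality": {"Low": (1, 100_000), "Medium": (5, 1_000_000),
                            "High": (20, 10_000_000), "Critical": (100, 100_000_000)},
        "Integrity": {"Low": (1, 50_000), "Medium": (5, 250_000),
                      "High": (20, 2_000_000), "Critical": (100, 20_000_000)},
        "Availability": {"Low": (1, 10_000), "Medium": (5, 50_000),
                         "High": (20, 400_000), "Critical": (100, 4_000_000)},
    },
}


def impact_level(asset, requirement, volume_lost):
    """Highest impact level whose volume threshold the loss reaches; None if below Low."""
    table = ASSETS[asset][requirement]
    reached = [lvl for lvl in LEVELS if volume_lost >= table[lvl][0]]
    return reached[-1] if reached else None


def unit_value(asset, requirement, level):
    """Dollar loss per unit for one cell of the classification table."""
    volume, dollars = ASSETS[asset][requirement][level]
    return dollars / volume


def inferred_unit_value(asset):
    """Average unit value per impact level across the three requirements, then the
    median of those four averages (this example's reading of the text)."""
    level_averages = [mean(unit_value(asset, r, lvl) for r in REQUIREMENTS) for lvl in LEVELS]
    return median(level_averages)


def overall_risk_profile():
    """Per impact level, the median dollar loss across every asset and requirement:
    what this organisation treats as a Low/Medium/High/Critical loss overall."""
    return {lvl: median(ASSETS[a][r][lvl][1] for a in ASSETS for r in REQUIREMENTS)
            for lvl in LEVELS}


if __name__ == "__main__":
    print("5,000,000 card numbers disclosed ->",
          impact_level("Credit Card Numbers", "Confidentiality", 5_000_000))
    for asset in ASSETS:
        print(f"{asset}: inferred unit value ${inferred_unit_value(asset):,.2f}")
    for lvl, dollars in overall_risk_profile().items():
        print(f"{lvl:>8}: ${dollars:,.0f}")
```

If the inferred unit value for Trade Secrets looked too low next to Credit Card Numbers, the fix described in the text is to change the cells in ASSETS, not the functions; the profile and the inferred values are derived from the table and should never be edited directly.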

Next Steps

At this point, for each Information Asset in the organisation, we know what is considered a Low, Medium, High and Critical loss to the company from both a volume-lost and a revenue-lost perspective. The former leads directly into the assessment of individual Vulnerabilities in the next section.
