High Business Impact
Impact on the confidentiality, integrity, or availability of these assets
causes severe or catastrophic loss to the organization. Impact may be expressed
in raw financial terms or may reflect indirect loss or theft of financial
instruments, organization productivity, damage to reputation, or significant
legal and regulatory liability. The following list offers a few examples within
the HBI class:
- Authentication credentials: passwords, private cryptographic keys, and hardware tokens.
- Highly sensitive business material: financial data and intellectual property.
- Assets subject to specific regulatory requirements: for example GLBA, HIPAA, CA SB1386, and the EU Data Protection Directive.
- Personally identifiable information (PII): any information that would allow an attacker to identify your customers or employees or know any of their personal characteristics.
- Financial transaction authorization data: credit card numbers and expiration dates.
- Financial profiles: consumer credit reports or personal income statements.
- Medical profiles: medical record numbers or biometric identifiers.
To protect the confidentiality of assets in this class, access is intended
strictly for limited organizational use on a need-to-know basis. The number of
people with access to this data should be explicitly managed by the asset owner.
Equitable consideration should be given to the integrity and availability of
assets in this class.
Moderate Business Impact
Impact on the confidentiality, integrity, or availability of these assets
causes moderate loss to the organization. Moderate loss does not constitute a
severe or catastrophic impact but does disrupt normal organizational functions
to the degree that proactive controls are necessary to minimize impact within
this asset class.
Moderate loss may be expressed in raw financial terms or include indirect
loss or theft of financial instruments, business productivity, damage to
reputation, or significant legal and regulatory liability. These assets are
intended for use for specified groups of employees and/or approved non-employees
with a legitimate business need. The following represent examples within the MBI
class:
- Internal business information: employee directory, purchase order data, network infrastructure designs, information on internal Web sites, and data on internal file shares for internal business use only.
Low Business Impact
Assets that fall into neither the HBI nor the MBI class are classified as LBI and have
no formal protection requirements or additional controls beyond standard best
practices for securing infrastructure. These assets are typically intended to be
widely published information where unauthorized disclosure would not result in
any significant financial loss, legal or regulatory problems, operational
disruptions, or competitive business disadvantage.
Some examples of LBI assets include but are not limited to:
- High-level organization structure.
- Basic information about the IT operating platform.
- Read access to publicly accessible Web pages.
- Public cryptographic keys.
- Published press releases, product brochures, white papers, and documents
included with released products.
- Obsolete business information or tangible assets.
Organizing Risk Information
Risk involves many components across assets, threats, vulnerabilities, and
controls. The Risk Assessment Facilitator must be able to determine which risk
component is being discussed without interfering with the flow of the
conversation. To help organize the discussion, use the risk discussion template
(SRMGTool1-Data Gathering Tool.doc) included in the Tools section to help
attendees understand the components within risk. The template also assists the
Risk Assessment Note Taker in capturing risk information consistently across
meetings.
The template can be populated in any sequence. However, experience shows that
observing sequence in terms of the following questions helps discussion
participants understand the components of risk and uncover more information:
- What asset are you protecting?
- How valuable is the asset to the organization?
- What are you trying to avoid happening to the asset (both known threats
and potential threats)?
- How might loss or exposures occur?
- What is the extent of potential exposure to the asset?
- What are you doing today to reduce the probability or the extent of
damage to the asset?
- What are some actions that we can take to reduce the probability in the
future?
To the information security professional, the previous questions translate
into specific risk assessment terminology and categories used to prioritize
risk. However, the stakeholder may not be fluent with such terms and is not
responsible for prioritizing risk. Experience shows that avoiding information
security terminology such as threats, vulnerabilities, and countermeasures
improves the quality of discussion and helps nontechnical participants not to
feel intimidated. Another benefit of using functional terms to discuss risk is
to reduce the possibility of other technologists debating subtleties of specific
terms. At this point in the process, it is much more important to understand the
larger risk areas than to debate competing definitions of threat and
vulnerability. The Risk Assessment Facilitator should wait until the end of the
discussion to resolve questions around risk definitions and terminology.
Organizing by Defense-in-Depth Layers
The Risk Assessment Note Taker and Facilitator will collect large amounts of
information. Use the defense-in-depth model to help organize discussions
pertaining to all elements of risk. This organization helps provide structure
and assists the Security Risk Management Team in gathering risk information
across the organization. An example of defense-in-depth layers is included in
the risk discussion template and illustrated in Figure 4.2 below. The section
titled "Organizing Control Solutions" in Chapter 6, "Implementing Controls and
Measuring Program Effectiveness," includes a more detailed description of the
defense-in-depth model.
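The two practices above, recording each answer under the risk-assessment term it maps to without using that term in the meeting, and then grouping what was gathered by defense-in-depth layer, can be captured in a small data-gathering helper. The following is an added example and not code from the Security Risk Management Guide or its tools; the field names, the layer names (Figure 4.2 is not reproduced here) and the sample records are assumptions chosen for illustration.

```python
"""Risk discussion record built around the seven functional questions.

Added example, not code from the Security Risk Management Guide. The field
names, the defense-in-depth layer names and the sample records below are
assumptions made for illustration.
"""
from dataclasses import dataclass
from collections import defaultdict

# Each functional question the facilitator asks, keyed by the risk-assessment
# term the note taker records the answer under. The stakeholder only ever
# hears the question on the right, never the term on the left.
QUESTIONS = {
    "asset": "What asset are you protecting?",
    "impact_class": "How valuable is the asset to the organization?",
    "threat": "What are you trying to avoid happening to the asset?",
    "vulnerability": "How might loss or exposures occur?",
    "exposure": "What is the extent of potential exposure to the asset?",
    "current_controls": "What are you doing today to reduce the probability or extent of damage?",
    "proposed_controls": "What actions can we take to reduce the probability in the future?",
}

# Business impact classes, highest impact first (used only for ordering here;
# prioritization itself happens later in the process).
IMPACT_RANK = {"HBI": 0, "MBI": 1, "LBI": 2}

# Assumed defense-in-depth layer names; the page does not list them.
LAYERS = ("policy", "physical", "network", "host", "application", "data")


@dataclass
class RiskRecord:
    """One row of the data-gathering template. An empty string means 'not yet asked'."""
    layer: str
    asset: str = ""
    impact_class: str = ""
    threat: str = ""
    vulnerability: str = ""
    exposure: str = ""
    current_controls: str = ""
    proposed_controls: str = ""


def open_questions(record: RiskRecord) -> list[str]:
    """Questions the facilitator still needs to ask, in the recommended order."""
    return [q for term, q in QUESTIONS.items() if not getattr(record, term).strip()]


def validation_errors(record: RiskRecord) -> list[str]:
    """Consistency checks the note taker can run before the meeting closes."""
    errors = []
    if record.layer not in LAYERS:
        errors.append(f"unknown defense-in-depth layer: {record.layer!r}")
    if record.impact_class and record.impact_class not in IMPACT_RANK:
        errors.append(f"impact class must be one of HBI, MBI, LBI: {record.impact_class!r}")
    return errors


def group_by_layer(records: list[RiskRecord]) -> dict[str, list[str]]:
    """Asset names per layer, highest business impact first within each layer."""
    grouped: dict[str, list[RiskRecord]] = defaultdict(list)
    for r in records:
        grouped[r.layer].append(r)
    return {
        layer: [r.asset for r in sorted(recs, key=lambda r: IMPACT_RANK.get(r.impact_class, 3))]
        for layer, recs in grouped.items()
    }


if __name__ == "__main__":
    # Constructed sample record, not data from any real assessment.
    db = RiskRecord(layer="data", asset="customer database", impact_class="HBI",
                    threat="disclosure of customer PII", exposure="all customer records")
    for q in open_questions(db):
        print("Still to ask:", q)
    print(validation_errors(RiskRecord(layer="cloud", asset="x", impact_class="Critical")))
```

The note taker fills the record in whatever order the conversation takes; `open_questions` tells the facilitator which component is still missing without breaking the flow of the discussion, and `group_by_layer` produces the layer-organized view the Security Risk Management Team works from afterwards.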