Identify>Asset Management>ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value  

Knowing what is important is better than knowing what you have. 

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value: Defined. 

You know that when there are six examples just in the title that this’ll be an important one.  Like, somebody wanted to make sure that nothing was missed.   All of those “e.g.’s” (fancy latin Latin meaning “for example”) just sort of spider out, don’t they?   Apparently, somebody thinks that iInformation sSecurity isn’t just about hardware and software.    

And they’d be right.   Just about everything is connected to everything else and it gets complicated fast.   NIST gives us three buckets to separate things into:  

  1. Classification; 
  1. Criticality; and  
  1. Business vValue. 

Classification pertains to the type (and seriousness) of the data that is being processed.   The most serious data generally pertains to national security information.   In commercial contexts you won’t see that very often, but you’ll still see critical data.   Payment data and health information aren’t as sensitive as national security data, but they’re still plenty serious.   Below that is personally identifiable information (data used to identify an individual), which is usually protected by pPrivacy regimes.   Less serious (but still controlled) is proprietary information, and finally comes public information. 

Criticality is a quality of an asset that describes indicates its importance to the rest of the system.   One drive in a RAID array isn’t likely to be critical because it’s designed to sustain the loss of a drive.   The oneA single drive that is being used to store the customer list is the exact opposite, i.e., it is highly critical because without customers, the organization fails.   This is a much more valuable idea than it appears at first.   Approximately 65% of companies do not re-open after a disaster.   Understanding what is critical and what is not is a core business problem. 

Business vValue relates to the extent that the organization’s business is enabled by a given asset.   Though everything has some business value, there are differences.   Generally, customer-facing systems have more business value than internal systems.   Operations systems are more valuable than administrative systems.   Your organization might also have systems that serve your company’s “secret sauce.”.   These systems enable your competitive advantage and will have high bBusiness vValue, especially when compared to your company’s vendor-provided instance of SAP or other common business systems. 

The bottom line is that NIST thinks that we should have a list of IT (and related) items, and be able to describe what the items on itnformation is stored on it, and indicate the importance and value ofhow important the each asset is, and how valuable it is:.   aA tall order, but also a useful exercise. 

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value: In the news. 

Classification of information used to be something that only governments worried about.   However, it has since become much more common, especially in regulated industries.   One reason is that seemingly banal decisions, like selling your copy machine, could have huge implications.    

Copy machines usually touch all the information in the office.   What isn’t commonly understood is that they all contain hard drives, which.  Hard drives that  often store images of the copied documents indefinitely.   Buying used copy machines became a lucrative side hustle for hackers, who could turn a $300 investment in used copy machines into six-figures’- worth of health information and social security numbers.    

You might not have noticed how awesome life is.   That’s because we’ve had an unbelievable run of good luck and progress globally.   But we often forget that we’ve built everything on top of endless levels of technology.   And it is everywhere. 

Ecommerce sites are canonical examples of “business value”.   The website portion of the business is hugely pivotal in generating revenue.   Every minute of downtime can cost thousands of dollars.   A single outage in 2019 cost Facebook $90M. 

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value: Failed…what am I going to see?  

This is another foundational control.   When these controls fail, it can be difficult to see that these controlsy are the cause.   Look for overly uniform security, misclassification of data, or part-time security types. 

You decided to apply a thin drippy paste of security on everything. 

There’s a saying that is relevant to this idea: “a A friend of everybody is a friend to nobody.”   While that’s debatable in a social context, it isn’t when it comes to security.   Information Security security is a cost, and nobody has infinite resources. 

If all your IT assets receive the same security treatment, you’re almost guaranteed to be over-protecting some assets and under-protecting others.   That implies inefficient resource usage on the low-end and ineffective security (which is the worst-case scenario btw) on high- value assets. A security program that treats everything the same isn’t “consistent” or “scalable.”.   It is guaranteed to fail.    

So, ask around.   Does the InfoSec group know which assets are important and which are just nice to have?   If not (and it is understandable if they don’t), is it possible to provide a nuanced security posture? 

Crazy Tina’s party- planning spreadsheet is just as secure as the CEO’s PHI. 

Even if there is some ambiguity about what your company thinks is (or isn’t) critical, there are some categories of information that must be protected.   Everybody has a SharePoint site or a network drive that becomes the default shared file environment.   Be careful what you put there. 

If you haven’t been observing ID.AM-5, you’re likely to be putting everything in the same place.   Commingling personal health information (PHI) with Angela’s party planning committee materials is sure to be a problem.   Make sure that you provide for a designated and secure location for things like: 

  1. Personally iIdentifiable iInformation,  
  1. Payment cCard iInformation, 
  1. Personal hHealth iInformation,  
  1. Hhuman resource-related information, and 
  1. Wwhatever else might cause a ruckus if you lose control of it. 

Very often, regulations give rise to recognition of these types of information.   But that doesn’t mean that you should rely solely on regulators to classify your data. 

Your developers’ downtime is used to manage BCDR. 

When people’s roles blend together, that can be something of a red flag.   We aren’t necessarily talking about issues arising from segregation of duties violations.   We’re talking more about resourcing. 

It can be expensive.   It also can’t be picked up and put down as one person’s day job allows.   If you see someone who has a secondary responsibility surrounding IinfoSsec, you might want to wonder if the organization actually has a handle on which the resources that are (or are not) important. 

While we are on the topic of BCDR, criticality analysis is part of the process of identifying systems that support essential mission and business functions, as well as and determining recovery objectives and restoration priorities in contingency planning.   If there is one RTO for all systems, this is another red flag indicating that all IT assets are receiving the same treatment.   In the event of a large-scale outage impacting multiple systems, prioritization of recovery efforts can significantly impact customer experience and operational effectiveness.  

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value:   Is stellar. . .what does it look like? 

If you can see some evidence of the ability to concentrate on security effort, you’re in the clear!   Try to understand what the organization thinks is most important.   Look for crown jewels, risky data, and focused incident response. Crown jJewels are the mission-critical information assets of greatest value that if compromised would cause major business impact.   These are high-value targets for cybercriminals. 

You have a top- 10 list of assets. 

We know, we know.   Every asset is special.   You just can’t provide the highest protection for every asset.   Either you can’t afford it or you’d end up nerfing something through restrictive controls. 

If you have a list of the top 10 most important assets, a list of “crown jewels”, you have something that does a great job of evidencing a prioritization of assets by classification, criticality, and business value.   The existence of the list implies that some assets didn’t make the cut.   The list also allows you to infer what is important to your organization.   It might not be complete and isn’t automatically accurate, but it is a great start.   Bonus points if the list is dated and regularly reviewed. 

Some of your data is straight-up radioactive, and you know it. 

Some data is just toxic.   We’re talking about the kind of data that ruins someone’s day if it gets released:, social security numbers, credit card numbers, or, ahem, . . .dating info.   Since no amount of effort can 100% ensure that data stays secure, thea best practice is to  only collect only the data that you need. 

But even iIf you only collect only data that you need and you still have risky data, at least acknowledge it.   If you know what all risky data you have and where it is, you are one step ahead. Keep in mind:, Tthis is a data-centric analysis.   A system that you use to collect timesheets isn’t problematic.   But when you consider that it also caches wage data, it is.   It is the data that matters, not the system. 

High priority resources have custom incident response plans. 

If you take your boat out to the lake once a year, you can count on messing it up.   There are probably a dozen little sticking points that apply, but that you aren’t likely to remember.   Things like the cap on the hitch or the leaky passenger-side tire will pop up in an unwelcome way. 

So while your organization might have a generic incident response plan that applies to everything, which is fine as far as it goes, some assets might have their own subsidiary incident response plans.   If your most important assets have detailed incident response resources, like reboot SOPs or rollover tutorials, that’s great!   That demonstrates an awareness of priority assets and should help you feel comfortable that the organization understands where the important assets are. 

Remediating or Implementing ID.AM-5: Resources are prioritized based on their classification, criticality, and business value. 

Prioritizing your assets is a big job.   It isn’t complicated though.   Focus on these three steps and you’ll be up and running in no time. 

Frist, identify your assets. 

Hardware and software inventories are the best tools to getting everything up and running.   They are fundamental control activities and required for prioritization.   If you don’t have viable inventories, go back to ID.AM-1. 

But if you do have an asset inventory, you just need to add the three attributes outlined in ID.AM-5: classification, criticality, and business value.   Keep in mind though, hardware and software aren’t enough.   Data, intellectual property, and critical personnel are all important parts of this activity. 

Second, assess your assets. 

Don’t get distracted by the volume of the items on the list.   You’d be right to intuit that there are patterns in the data.   For example, you might notice that there are a lot of corporate PCs and they “belonged” to the same support group.   That might be a piece of information that you can use to segment the list, but for now, just focus on one record at a time.    

After you’ve completed some percentage of the list (say 5%), skate your assessment to some colleagues and collect feedback.   You’ll probably see some adjustments, but every time that someone makes a “correction” they’re also being folded into the process, and you’ll have a ready list of friends to support your conclusions.   Once you’ve built some consensus, begin soliciting the broader organization to certify (or assess themselves) your prioritization. 

Then do it again! 

The last thing to do is to think about how you’re going to maintain the data that you’re you’ve created.   There are a couple of aspects to that

  1. Processing additions and deletions to the list and 
  1. Making sure that the entries are still accurate. 

These are the reasons why you really need to have an asset inventory in place to make this activity work.   While your asset inventory might not be complete, you can still begin categorization by starting with what you have, especially identifying the crown jewels.   Whenever you have data that is subject to rapid change, like inventory records that must reflect an influx of new servers, you want to be able to refer to a “single source of truth.”.   If you can get there, you can rely on that source’s update features rather than inventing your own. 

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value: Other sources of authority. 

COBIT5 APO03.03, APO03.04, APO12.01, BAI04.02, and BAI09.02 

ISO27001:2013 A.8.2.1 

NIST 800-53 Rev 4: CP-2, RA-2, SA-14, and SC-6 

CIS 13 and 14 

Chatting about ID.AM-5: Resources are prioritized based on their classification, criticality, and business value. 

Jamie talks to xyz: [Link1] 

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value:   Resources for the journey. 

Risk-Based Asset Criticality Assessment Handbook by Greeman 

“Effective Reporting to the BoD on Critical Assets. . .” by Putrus 

ACAP ACTOR by Aladon  


Comments are closed