Exploring F.A.I.R – Assets Redux

by kriggins on February 26, 2009

in fair, Risk Management

So, to revisit the post which sparked the last few, let's talk about assets. Before we get started though, just a reminder that all the posts in this series can be found on this page.

And now, on with the show. We have described the organization for which we are performing the assessment. We have also described, to a certain extent, the architecture of the system involved.

Again, we are going to take things in a little different order than presented in the Introduction to FAIR. The first thing we are going to look at is asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, why don't we make a list of the assets we might be concerned about.

  • Bandwidth
  • Hardware (Servers, routers, switches, firewalls, etc.)
  • Services (Web services and database services)
  • Information (Tax code and tax rates)

The bandwidth is an asset because evil doers on the internet need a way to spread their evil. They would much prefer to use our bandwidth than pay for their own.

The hardware is an asset because someone might want to steal it or run their own software on it.

The services provided are an asset for similar reasons. The evil doers need places to put the stuff they want to spread or a place to stash the stuff they have already taken elsewhere.

The information is an asset because...well...it's why the rest of the stuff is there in the first place 🙂 Seriously, information is always an asset. As discussed in the first post on assets, it likely doesn't matter if the information is classified as public or not. The integrity and availability of that public information can be very important.

For instance, in our case, the information defines how much money a company will have to pay in taxes. If it is modified or deleted, it can have a serious effect on the revenue of the state.

Ideally, we would perform a risk analysis for each asset "class" above and incorporate all the results into our risk assessment. For our purposes though, we are going to concentrate on just one, the information.

In the next post in this series we will take a look at threats and threat agents.

As always, please let me know your thoughts in the comments.

-Kevin

Image courtesy of tao_zyn.
Reblog this post [with Zemanta]

{ 5 comments… read them below or add one }

Jack February 27, 2009 at 12:10 pm

Hi Kevin,

Just wanted to add that, although information is virtually always an asset, it also can be (at the same time) a liability. For example, the sensitive personal information that allows us to service our customers also represents potential loss through the legal and contractual obligations that come with having it. This is probably intuitively obvious to everyone who reads your stuff, but it isn’t often distinguished effectively in risk analyses. By making the distinction, it’s a bit easier to clarify and better estimate the loss potential within a scenario.

Thanks!
Jack

Reply

kriggins February 27, 2009 at 3:22 pm

Hi Jack,

Thank you for the comment and the very good point you make.

Kevin

Reply

Phil Agcaoili March 7, 2009 at 3:41 am

You started with a network diagram.

I suggest that you create a data flow diagram (DFD) and then map out how the data flows.

You’re headed one step away from Threat Modeling, so you might as well take the leap. This may shed some different light on your current effort. Reach out to Michael Howard for the most recent and refined approach.

I’m interested in where this is headed. I judged an Information Security award a couple years back, read Jack’s information about FAIR and it sparked my curiosity then, and our industry is headed towards objectively quantifying our spend in order to protect our companies and I’ve not see concrete analysis anywhere in the Infosec space for how to accomplish this. ROSI does not work and TCO is just counting up the spend, and CFOs want to know ROI.

Thanks,
Phil Agcaoili

Reply

kriggins March 8, 2009 at 3:43 pm

Hi Phil,

Thank you for the comment and the suggestion of creating a data flow diagram. While not a new concept to me, the formal representation of data flows is something that I have not spent a great deal of time exploring. I now consider that a deficiency in my skill set. Thanks for giving me more to study and a great idea for another blog post, if not series.

That being said, you are correct that in a real world scenario we would be headed straight for a nice threat modeling session. For this particular series though, my main goal is to explore the terminology and methods provided by FAIR for analyzing risk. To that end, I have a particular set of threats that we will be looking at that will let us put FAIR to work. We will be looking at data flows, but in a very informal method. This maybe not the best choice, but I believe we can get where we want to go.

That being said, I appreciate your thoughts and suggestions. I particularly agree with the thought you express regarding objectively quantifying our spend.

-Kevin

Reply

domdingelom July 28, 2009 at 8:28 am

Kevin,

while reading through this … I kinda disagree with the reasons why the assets are assets. Does it make sense ?

An example: to me, the bandwidth is not an asset because some evildoer might want to use it but because it supports the delivery of the information to our users. Any impact on this will lower our capability to deliver the intended service at the intended quality level.

Just my 2 cents … I might as well correct myself when I totally grasp F.A.I.R !

Reply

Leave a Comment

Previous post:

Next post: