Exploring FAIR – What’s an Asset?

by kriggins on January 30, 2009, in Risk Management

In this post we are going to start exploring the terminology of FAIR. It makes sense to me that we explore FAIR through the use of an example scenario, much like the FAIR Introduction (link to pdf) does.

We are going to use a web site for our scenario. We will develop the scenario more and more as we go along, but the following are the initial characteristics:

  • The web server is an up-to-date version of Apache.
  • The information stored on the server is public.
  • The web server is exposed to the internet.
  • The bandwidth available is significant.

We are going to take things in a slightly different order than the Introduction to FAIR presents them. The first term we are going to look at is the asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, what asset or assets are present that we need to be worried about?

Is the information in this case an asset? No, because we've classified the information as public. With the information we have so far, three things come to mind as assets: the physical hardware Apache is running on, the Apache web server itself, and the available bandwidth.

The hardware is an asset because someone might want to steal it or run their own software on it. The web server is an asset because someone might want to use it for their own purposes. The bandwidth is an asset because, again, someone may want to use that bandwidth, which we pay for, for their own purposes.

Pretty basic and straightforward. Next time we will look at "What's a threat?"

As always, the comments are open. Feel free to share your thoughts.

-Kevin

Image courtesy of tao_zyn.


Chris Hayes January 30, 2009 at 4:04 pm

I would argue that the information is an asset. Just because it is being classified as public does not mean there is a value that can be assigned to it. If the public information can be changed as a result of a vulnerability being exploited on the server – there are loss forms associated with that. It may be public data but typically there are still controls to prevent the information (data) from being changed. A simple example would be an online cafeteria menu. We want everyone to see the menu, but we do not want everyone to be able to change it – for various reasons. As a matter of fact, I would rather the server be not available than contain the wrong information.

I understand that your scenario is not 100% complete. But I think it is too early to rule out public information not being considered an asset.


James Arlen January 30, 2009 at 4:05 pm

I agree with most of your points, but I’ll offer my opinion anyways…

The hardware, web server and bandwidth are the “scarce resource” in this case, and I think that’s one of the reasons that you’re focused on them.

The information is an asset for the purposes of attracting the focus of control mechanisms to ensure that they are not misused (relative to the goals of the owner organization).

It may be that the mis-appropriation or mis-use of the information (despite its classification as public — remember that information/data classification and ownership are likely orthogonal) may be the only risk which is appropriate for the organization to apply effort in risk reduction – that the scarce resources are not actually material to the potential size/scope of the risk.

A canonical example of this would be to take your example above and add on one simple statement: “The information is the entire discography of the Beatles and the associated web storefront offering such for purchase.” Now what matters? The hardware/server/bandwidth or the information?

Understanding the business utilizing the information technology is the “step zero” in understanding how risks may or may not be important or appropriate for examination…

J


Christian January 30, 2009 at 7:25 pm

I would agree with Chris’ comments on the information being an asset. If it’s classified as public, all that really means is that it is not impacted if it loses its confidentiality. As he points out, if it loses integrity or availability that may still impact upon the owners of that information.

As an avid FAIR fan I’m looking forward to how the rest of these posts go!


kriggins January 31, 2009 at 8:05 am

Chris, James and Christian,

You are all absolutely correct. Got so bound up in thinking about the forest that I completely missed the tree 🙂 The next post will bring out your comments and observations so I can make sure everybody knows I missed something 🙂

I really appreciate the comments.

-Kevin


Patrick Florer January 31, 2009 at 5:19 pm

Greetings, Kevin!

and Chris and other commentators.

No point in belaboring it – seems like we all agree that the information is also an asset.

I am going to advance the argument that, viewed from the business process point of view of a non-technical business process owner, there’s really just a single IT asset here – the “system” that supports the business process in question. Depending upon the complexity of the business process, this might be one of many systems/services supporting the business process, or the only one. Either scenario has important ramifications for risk analysis and risk management.

From this perspective, there is a single system with 4 components, each of which must be analyzed for risk under a large number of scenarios.

Will stop there – Kevin, I tried to send you a long email offline – used kriggins@infosecramblings.com, but the email bounced.

What email may I use?

I am also an avid FAIR fan, and FAIR certified by Jack and Alex, as well.

Patrick Florer
Dallas


kriggins January 31, 2009 at 5:39 pm

Hi Patrick,

Thanks for the feedback. I am beginning to think I am going to learn more than anybody through this exercise 🙂 Really appreciate the comments.

The email address kriggins@infosecramblings.com is the correct one. I just tested it to make sure there weren’t any issues. There may have been earlier. Who knows when Google is involved. If that address still doesn’t work, feel free to use kriggins _at_ krandj.org or kevin _at_ sourceconference.com.

Thanks again,
Kevin

