What Are Critical Assets?
One of the keys to implementing an effective cybersecurity program is the concept of risk-based security controls. With a large and ever-changing threat landscape, it may be impossible to protect every information or technology asset from all possible threat scenarios. This means it’s essential to identify and protect the assets with the greatest potential impact on your organization.
Security programs are traditionally built around the principles of “CIA,” or confidentiality, integrity, and availability. Through the application of the principle of CIA, organizations can strive to identify, inventory, and protect their most critical assets.
How Do I Identify Critical Assets?
1. Identify and prioritize critical assets based on confidentiality. This would include systems, where the unauthorized disclosure of data/information would have a severe impact on the organization, such as:
Systems containing personally identifiable information of customers or employees, where unauthorized disclosure could result in risk or negative consequences to these important constituencies. Impacts could include regulatory fines, significant direct costs of remediation, and loss of organizational reputation and goodwill.
Pre-release consolidated financial information, which could lead to insider trading. Consequences could be criminal, regulatory, and reputational.
For organizations that invest heavily in research and development, there could be significant risk associated with the unauthorized disclosure of proprietary intellectual property and/or trade secrets. An organization could even stand to lose certain legal protections if it were determined that due care was not taken in the protection of trade secrets.
2. Identify and prioritize critical assets based on integrity. This would include systems where the alteration or corruption of data could have a severe impact on the organization, such as:
Financial systems, especially involving banking or electronic funds transfers, where altering data could result in financial fraud/loss.
Systems supporting regulatory processes, where loss or corruption of the data could result in significant regulatory fines or other consequences.
3. Identify and prioritize critical assets based on availability. This would include systems considered mission-critical, where the organization would be severely impacted if the systems were unavailable, such as:
Industrial automation control (IAC) systems used in manufacturing or in the operation of critical infrastructures, such as electric grid or pipelines.
Closely related to IAC are medical technology systems utilized within modern health care.
Financial/ERP systems that are essential to managing and maintaining the cash flow of the business.
Core components of IT Infrastructure that are critical to the operation of all other systems, such as active directory.
4. Engage with business leaders and enterprise risk management functions to validate and enhance the identification of critical assets. Impact on business operations is key to the identification of critical IT assets, and alignment with business leadership is essential.
5. Once the most critical IT assets have been identified and inventoried, a risk-based security program can apply additional enhanced targeted controls, which may not be economical or appropriate for all assets in the environment. These additional controls could include:
Implement multi-factor authentication (MFA) to ensure the authenticity of authorized logins to critical systems.
Carefully implement “least privilege” access to critical networks, systems, applications, and data.
Utilize encryption, obfuscation, data loss protection, or other leading-edge data protection technologies to protect sensitive data while in transit, in use, and in storage.
Ensure critical systems and data are regularly backed up, and more importantly ensure capabilities to recover critical systems and data are tested regularly.
Enhanced monitoring of critical assets to ensure that unauthorized access or use can be detected in a timely manner and procedures are in place to respond and minimize the impact of any incidents.
Identifying your critical assets is crucial for increasing security for your organization. If you’re looking for ways to increase security, it’s important to focus on cybersecurity and work with experts to make sure your information and data are as secure as possible
Learn more about security fundamentals: We’re committed to helping you learn all about security systems you can implement to improve security at your organization. Our articles are devoted to ensuring your organization is able to reduce risk in a way that is manageable and affordable.