Practical Connection Assignment

Colin Horn
risk_ppt15_l07.pptx

Managing Risk in Information Systems

Lesson 7

Identifying Assets and Activities to be Protected

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Learning Objective and Key Concepts

Learning Objectives

Identify assets and activities to protect within an organization.

Key Concepts

Identification of key activities

Identification of key assets

Recognize value of data

Basic planning steps of a BIA

System Access and Availability

Goal: 99.999 percent uptime

Failover cluster

RAID

System Functions: Manual and Automated

Manual

Written records

Knowledge of process

Automated

Hardware Assets

Computers: Servers, desktop PCs

Networking devices: Routers, switches

Network appliances: Firewalls, spam appliances

Hardware Assets (Cont.)

Information you need to know:

Location

Manufacturer

Model number

Hardware components, such as processor and random access memory (RAM)

Hardware peripherals, such as add-on network interface cards (NICs)

Basic Input/Output System (BIOS) version

Software Assets

Operating system and applications

OS specifics should include:

Hardware system where it’s installed

Name of the operating system

Latest service pack installed

Application specifics should include:

Name of the application

Version number

Service pack or update information if available

Personnel Assets

The people working for you

When any function or process depends on a single person, he/she becomes a single point of failure

Reduce risk by:

Hiring additional personnel

Cross-training

Rotating jobs

Data and Information Assets

Data protected by:

Access controls

Backups

Data Classifications

Organization Classifications

Proprietary: highest level of protection

Private: protected internally

Public: freely available

Government

Top Secret

Secret

Confidential

Data and Information Asset Categories

Organization

Customer

Intellectual property

Data warehousing

Data mining

Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure

Inventory management

Used to manage hardware inventories

Asset management

Used to manage all types of assets; much more detailed data than an inventory management system

Seven Domains of a Typical IT Infrastructure

Figure 4-1: The seven domains of a typical IT infrastructure.

User domain

Includes usernames, passwords, biometric or other authentication, and social engineering.

Workstation Domain

Includes end-user systems, laptops, desktops, and cell phones.

LAN Domain

Includes equipment required to create an internal LAN, such as hubs, switches, and media.

LAN-WAN Domain

Includes the transition area between the LAN and the WAN, including the router and firewall.

WAN Domain

Includes routers and circuits connecting the wide area network.

System/Application Domain

Includes applications you run on your network, such as e-mail, database, and Web applications.

Remote Access Domain

How remote or traveling users use your network, as in a Virtual Private Network (VPN).

Identifying Facilities and Supplies Needed to Maintain Business Operations

Identifying mission-critical systems and applications

Business impact analysis planning

Business continuity planning

Disaster recovery planning

Business liability insurance planning

Asset replacement insurance planning

BIA Planning Introduction

Identifies impact of sudden loss

Define the scope

Identify objectives

Identify mission-critical functions and processes

Map functions and processes to IT systems
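As an added example (not part of the slides), the following Python carries the BIA steps above through in code: it records hardware, software and personnel assets with the inventory fields the lesson lists, maps mission-critical functions to the assets they depend on, and flags every dependency with no alternative as a single point of failure, including people. All asset names, roles and functions are constructed.

```python
# Added example: map mission-critical functions to the assets they depend on and
# flag single points of failure (SPOFs). Names below are constructed, not from the slides.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str          # "hardware", "software" or "personnel"
    details: dict = field(default_factory=dict)  # inventory fields the lesson lists

INVENTORY = {a.name: a for a in [
    Asset("web-01", "hardware", {"location": "DC-A rack 3", "model": "X100", "bios": "1.4"}),
    Asset("web-02", "hardware", {"location": "DC-A rack 4", "model": "X100", "bios": "1.4"}),
    Asset("db-01", "hardware", {"location": "DC-A rack 5", "model": "D200", "ram_gb": 128}),
    Asset("payroll-app", "software", {"version": "3.2", "service_pack": "SP1"}),
    Asset("dba-alice", "personnel", {"role": "database administrator"}),
    Asset("hr-bob", "personnel", {"role": "payroll clerk"}),
    Asset("hr-carol", "personnel", {"role": "payroll clerk (cross-trained)"}),
]}

# Function -> list of dependency groups. A group holds interchangeable assets
# (nodes of a failover cluster, two cross-trained staff); a group of one is a SPOF.
FUNCTIONS = {
    "customer web orders": [["web-01", "web-02"], ["db-01"], ["dba-alice"]],
    "payroll": [["payroll-app"], ["db-01"], ["hr-bob", "hr-carol"]],
}

def single_points_of_failure(functions, inventory):
    """Return {function: [(asset, kind), ...]} for every dependency group with
    exactly one member. A dependency on an asset that is not in the inventory
    raises KeyError, so the function map cannot silently drift from it."""
    report = {}
    for fn_name, groups in functions.items():
        spofs = []
        for group in groups:
            missing = [n for n in group if n not in inventory]
            if missing:
                raise KeyError(f"{fn_name!r} depends on uninventoried asset(s) {missing}")
            if len(group) == 1:
                asset = inventory[group[0]]
                spofs.append((asset.name, asset.kind))
        report[fn_name] = spofs
    return report

def mitigation(asset):
    """The remedy the lesson names for each asset kind."""
    if asset.kind == "personnel":
        return "hire additional personnel, cross-train, or rotate jobs"
    return "add redundancy (failover cluster, RAID, second node)"
```

Running `single_points_of_failure(FUNCTIONS, INVENTORY)` reports db-01 and dba-alice as SPOFs for web orders, and payroll-app and db-01 for payroll; db-01 shows up under both functions, which is exactly the shared dependency a BIA is meant to surface.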

Identify Assets

First step in risk management

You can’t plan the protection if you don’t know what you’re protecting

When do you want to identify a single point of failure?

Before it fails?

Or after it fails?

Identify Valuable Assets

Ask a system owner

How much downtime can you accept?

Answer: “None”

How much data loss can you accept?

Answer: “None”

Then ask

“How much money are you willing to spend?”

Summary

Identification of key activities

Identification of key assets

Recognize value of data

Basic planning steps of a BIA

OPTIONAL SLIDES

7/16/2014

Activities

System Access

System Availability

System Functions: Manual and Automated

Identifying Activities

Eliminate single points of failure (SPOF)

Part of a system that can cause entire system to fail

If SPOF fails, entire system fails

Identifying Assets

People can also be single points of failure

Hire additional personnel

Cross-train

Job rotation

Assets

Hardware Assets

Software Assets

Personnel Assets

Identifying Data Assets

Protect data

Ensure methods are available to retrieve data

Data warehousing

Data mining

Data and Information

Customer

Intellectual Property

Databases

Role of Data in Organization

Value of data often overlooked

Classifying data is an important step

Without classifications

Users may not recognize the value

Users may not protect it

IT may not back it up as often as needed
