Identifying and valuing information assets-Describe security, compliance, privacy, and trust in Microsoft 365

Companies often generate vast amounts of data with varying levels of sensitivity. It is usually not practical for an organization to implement the ultimate level of security over its data, so it is necessary to classify the information according to its function and value. Therefore, the risk management process should begin with an inventory of the organization’s information assets and a determination of each asset’s value to the company, considering its need for confidentiality, integrity, and availability. The factors to consider when compiling such an inventory are shown in Table 3-5.

TABLE 3-5 Risk factors for asset inventory

Risk factorDescriptionExample
ConfidentialityAccess and disclosure of sensitive information by unauthorized personsWhat if users’ passwords or Social Security numbers were stolen?
IntegrityModification or damage of sensitive information by unauthorized personsWhat if the company’s payroll information or product designs were changed?
AvailabilityPrevention of access to sensitive information by authorized usersWhat if the company’s client list or website was rendered inaccessible?

The definitions used for information types will be specific to the nature of the business and their value to the business. For example, an attack that renders the site unavailable for several days would be inconvenient for a company that uses its website to provide customer support information. For a company that sells its products exclusively on the web, however, the unavailability of its e-commerce website for several days could be economically disastrous.

For a large enterprise, this type of asset inventory is typically not the exclusive province of the IT department. It will likely require the involvement of personnel from various departments and at various levels of the organization, including management, legal, accounting, and even clients and partners outside the company.

The value of an information resource might not necessarily be expressed in monetary terms. A data threat might result in lost productivity, the creation of additional work to restore or re-create the data, fines or penalties to the government or regulating agencies, or even more intangible effects, such as bad public relations or lost customer confidence.

The best practice to quantify the inventoried assets is to create a graduated scale considering all the risk factors particular to the business. A general numerical scale from 1 to 3 or a risk gradation of low, medium, or high would work, with a larger number of grades if the security measures the administrators choose to implement warrant it.

The value or sensitivity of a data asset will determine the nature of the security mechanisms administrators use to protect it. Some data types might be subject to legal or contractual compliance specifications, which impose strict limits on where and how they are stored and who can access them. The security requirements for this most sensitive data might define the highest value on the risk scale, which can call for extreme security measures such as on-premises storage in a secured datacenter, data encryption and redundancy, and highly restrictive access permissions.

Other types of sensitive data might not even be subject to broadly categorical security mechanisms, such as those applied to file folders or specific file types. Microsoft 365 includes the Azure Information Protection (AIP) tool that can apply labels to documents containing sensitive information. Administrators can configure the labels to trigger various types of security, such as watermarks, encryption, and limited access. While users and administrators can manually apply the labels to documents, AIP can also detect sensitive information in documents and automatically apply labels to them. For example, when a user creates a Word document, administrators can configure AIP to detect values that appear to be credit card numbers, as shown in Figure 3-60, and apply a label to the file that calls for a specified degree of protection.

FIGURE 3-60 AIP configuration

Data that does not greatly threaten confidentiality, integrity, and availability is at the low end of the risk scale. This data will require some protection, but the security at the low end of the scale might be limited just to file system access permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.