You may recall from our previous post that a solid understanding of security-relevant assets plays a fundamental role in reconciling rapid digital transformation with IT security and compliance. Let's assume this step has been completed to our satisfaction. Where do we go from here?
Determine the criticality of assets requiring protection
Since not all of your assets have the same security requirements, the protection needs of each asset must be determined. After all, the principle is that assets with high security needs must be prioritized over those with low requirements.
However, because the number of assets is high, scalability in the assessment of protection needs is an important aspect to consider. The upstream process of structural analysis now kicks in. Interrelationships between business processes, information segments and IT systems form the starting point for evaluating the criticality of primary and secondary assets. Primary assets generally represent processes and information, while secondary assets include hardware, software elements, network, personnel, and buildings. Note that primary assets cannot be adequately protected without protecting secondary assets. After all, hardware and software are used to process information in business processes as efficiently and securely as possible. If the software or hardware is insecure, this has a direct impact on the availability of business processes or the confidentiality of information, among other things.
The so-called protection needs analysis identifies the relevant data that is worth protecting. As part of the protection needs assessment, the protection needs for integrity, confidentiality, and authenticity are determined for data, documents, and IT applications. The protection requirement determined for the information assets is inherited by the IT applications and, through them, by the IT systems, networks, and components. The basis for this inheritance is the structural analysis of the IT architecture, which identifies and groups the IT information assets.
The protection needs analysis is often conducted by information security management and the underlying departments using (Excel) templates that are not very scalable. The use of software-supported ISMS tools is preferable to these solutions.
For this purpose, our consultants develop individual, scalable and automated digital evaluation procedures that apply asset inheritance concepts following top-down or bottom-up strategies, or a mixture of both.
These solutions generate dashboards that allow you to track security-related vulnerabilities along with the asset network in real time. Learn more here about how to simplify and automate the process of protection needs analysis.
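The top-down inheritance described above can be sketched in a few lines. This is an added example, not code from the original post or from the tooling it mentions. It assumes a three-step scale (normal, high, very high) and a maximum rule, where a supporting asset takes, per protection goal, the highest need of anything that depends on it; all asset names and ratings are constructed.

```python
from graphlib import TopologicalSorter  # Python 3.9+

LEVELS = ["normal", "high", "very high"]  # assumed three-step scale
GOALS = ("confidentiality", "integrity", "authenticity")  # goals named in the text

# Constructed sample: protection needs assessed for primary assets (information).
ASSESSED = {
    "customer-data": {"confidentiality": "very high", "integrity": "high",
                      "authenticity": "normal"},
    "press-releases": {"confidentiality": "normal", "integrity": "high",
                       "authenticity": "high"},
}

# Constructed structural analysis: each asset maps to the assets it relies on.
SUPPORTED_BY = {
    "customer-data": ["crm-app"],
    "press-releases": ["cms-app"],
    "crm-app": ["db-server", "app-server"],
    "cms-app": ["app-server"],
    "db-server": ["core-network"],
    "app-server": ["core-network"],
}

def inherit(assessed, supported_by):
    """Top-down inheritance: return {asset: {goal: level}} for every asset."""
    # Invert the graph: for each asset, the set of assets that depend on it.
    dependents = {asset: set() for asset in assessed}
    for asset, supporters in supported_by.items():
        dependents.setdefault(asset, set())
        for supporter in supporters:
            dependents.setdefault(supporter, set()).add(asset)
    needs = {}
    # static_order() yields an asset only after all of its dependents and
    # raises graphlib.CycleError if the structural analysis contains a loop.
    for asset in TopologicalSorter(dependents).static_order():
        own = assessed.get(asset, {})
        needs[asset] = {
            goal: max([own.get(goal, "normal")]
                      + [needs[d][goal] for d in dependents[asset]],
                      key=LEVELS.index)  # assumed maximum rule
            for goal in GOALS
        }
    return needs

def prioritized(needs):
    """Assets ordered by their highest need over all goals, most critical first."""
    peak = lambda a: max(LEVELS.index(level) for level in needs[a].values())
    return sorted(needs, key=lambda a: (-peak(a), a))
```

Calling `prioritized(inherit(ASSESSED, SUPPORTED_BY))` shows that the shared app server ends up with a combination of needs that no single information asset carried on its own, which is the case a per-asset spreadsheet tends to miss.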