Reviewing Critical Systems and Information
If your organization has not sufficiently identified its critical information and systems, this is the point where you're going to want to roll up your sleeves and find out what's most important. Although there are different ways to accomplish this, the best way we have discovered is to follow the methodology laid out by the National Security Agency (NSA) Information Assessment Methodology (IAM). They have developed a quick and easy way to nail down what is critical. It is a qualitative assessment that ranks each information type or system by confidentiality, integrity, and availability. There are two criticality matrices that we will be discussing:
- Organization Information Criticality Matrix (OICM)
- Systems Criticality Matrix (SCM)
Information Criticality Matrix
Criticality is similar to a business impact analysis (BIA); you examine the impact on the organization should the information or system be lost. For example, a business would come to a halt if all electrical power was lost but could continue to operate if the cafeteria had to close. These calculations don't replace a BIA, but they do give you and management something to work with if none of this information exists. You are just the facilitator here, so your job is to drive the process while taking input from all those in attendance at the kickoff meeting. There are three broad steps you must go through to make an effective analysis:
1. Identify information types
2. List impact attributes
3. Define impact levels
Let's start off by discussing information and its critical role to the organization. The place to perform this activity is at the kickoff meeting, where representatives from the team and members of management are present. While going through this process, you may want to have someone record notes while you list this information on a flip chart or white board.
Step 1: Identify Information Types
So, what is information? It's basically all the data that your company deals with. It can include customer phone numbers, customer names, customer locations, inventory, purchase orders, finished goods inventory, employee names, HR data, firewall configuration, and so on. If the group you are working with is highly caffeinated, you'll probably come up with a long list of different types of information and data. So, before this thing gets out of hand, you should work through the list and remove any items that have no direct impact on the organization's mission. For example, you may want to remove the data category "cafeteria menu" that the wise guy in the back of the room suggested earlier, because this has no impact on the organization's mission.
Now, you probably still have a pretty long list at this point, so you're still going to need to roll it up some more if it's going to be useful. Therefore, the next step is to roll up the information types. This means that you are going to take all the items that have been presented and roll them up into distinct categories. You'll find that over time, similar industries have very similar information types. Some common information types include the following:
- Human resource data
- Customer data
- Network data
- Management data
- Facilities and physical plant data
- Financial data
One of the biggest pitfalls you will want to avoid is that of allowing individuals to include information systems at this stage. An example of an information system is email. It can carry many types of information in the preceding list. Just remind everyone that systems will come later.
Step 2: List Impact Attributes
After you have compiled this list, you can begin to develop what is going to be used as impact attributes. Impact attributes are items or events that would affect or cause a negative impact on the organization's critical information. This is a qualitative measurement, meaning that it is not something that we place a dollar amount on, but we can rank it. The most common impact attributes are those that you are probably already familiar with:
- Confidentiality
- Integrity
- Availability
Can we add more? Sure, you could add authorizations, accountability, access control, audit, and so on, but the idea is to keep the list fairly short to keep this process manageable. Some security professionals might even make the argument that the big three (CIA) are all that are needed to perform this task.
Step 3: Define Impact Levels
Next up, the impact levels need to be defined. The impact level is the amount of discomfort, damage, or loss that the organization would experience should confidentiality, integrity, or availability of one or more of the information types be lost or degraded. For example, if payroll information is unavailable for a few hours or even a few days, the organization and its employees may not be happy, but the organization could continue to function; however, if the organization was totally based on e-commerce and the web server was down for several days, the company would take a big financial hit and a loss of customer confidence. There are several ways you can define impact levels. You might use ratings of high, medium, or low, 0 to 5, or even a more granular method and rank impact on a scale of 1 to 10. What is going to work for you will depend on the organization, its structure, and its size. To illustrate the process, we will stick with a rating of high, medium, or low. Let's set up some definitions for each so we are in agreement as to what the ranking means.
- Low: These are actions that have a low impact on the organization. They can be categorized as items that cause an inconvenience to the company or cause some type of delay.
- Medium: These are actions that are going to have a significant impact. This could be a large fine, the loss of customer confidence, or the loss of a strategic partner or alliance.
- High: These are actions that would have a dramatic impact on the organization. This could be the loss of its most valuable customers, huge legal costs, loss of life, or the exodus of the organization's key employees.
Keep in mind that these rankings are not set in stone. It will be up to your organization to determine how these levels fit. In the end, you can make as many changes as needed to the OICM. But remember, by keeping it as simple as possible, it is much more easily understood and analyzed.
Putting It All Together
Now that you have all the pieces, let's see what the final product will look like. It is shown in Figure 5.3.
Figure 5.3. Sample blank matrix.
Let's step through an example so that you can get a better feel of how this is actually used. We will use Security Evolutions for the example. Security Evolutions is a security consulting firm that does security training and consulting. Working with management, you have been able to come up with four broad categories of information, which include the following:
- Training information: Includes training schedules, classes, course materials, labs, and the like.
- Client information: Information about Security Evolutions' clients, such as names, billing addresses, locations, and number of employees.
- Sales information: Includes the information the sales group uses to get and maintain clients, such as project quotes, profit margin, total sales, and so on.
- HR information: Information relating to employees, such as start date, pay scale, dental plan, vacation days, and so on.
These information types are now added down the side of the matrix, as shown in Figure 5.4.
Figure 5.4. Matrix with information types added.
With the OICM starting to take some shape, you will want to continue your role as facilitator in helping our sample company fill out the matrix. It's up to each company to determine whether an impact level is high, medium, or low. We will start by looking at the loss of confidentiality of training information. It certainly doesn't seem that this kind of loss would cause a loss of life or even critically jeopardize the organization, so this attribute has been rated as low. Losing the integrity of the training information would be only a minor inconvenience. Losing availability of training material would not be fun, but again, not a show stopper. I taught a class once in Canada where customs held up the courseware by four days. Although it wasn't any fun, the class did continue. The results of our initial analysis can be seen in Figure 5.5.
Figure 5.5. Matrix with initial attributes added.
What sometimes happens at this point is that you start to encounter resistance from individual owners of some information types, because they believe that the items they are in charge of are not being given a high enough level of importance. The truth is that not everything is of critical importance. The objective here is to get a very high-level overview of what types of information the organization most needs to protect. This is not the depth of asset evaluation that was discussed in Chapter 4, "Risk Assessment Methodologies." It is meant to be a high-level evaluation only.
Proceeding with our example, we will continue to fill in the OICM. The final product is shown in Figure 5.6. If you take a minute to look over the results, you can see that the information categories that received the highest ratings were sales confidentiality and integrity. Security Evolutions believes that this is where they should be most concerned and focus their protection mechanisms. If they are bidding on a project and a competitor can access that data or change it, the results could be disastrous for them. You will also notice below the OICM that there is a high-water mark. This row is used to roll up the most critical impact attributes: for each attribute column, take the highest impact rating in that column and carry it down. The high-water mark gives the organization some idea of which attributes are considered most important.
Figure 5.6. The completed informational matrix.
Systems Criticality Matrix
Defining the critical information is only half the work. To finish up this phase of the scope, critical systems will also need to be identified. If these systems have not already been identified, they should be immediately because these are the systems that will need the most thorough investigation. These systems are used to store, process, or transmit the organization's information.
The hardest part of this phase of the assessment is that it is sometimes debatable where one system ends and another begins. So, we will begin our discussion of critical systems by listing some common system types:
- Financial systems
- Research and development systems
- Human resource systems
- Client database systems
- Security monitoring systems
- Sales systems
- Automation control systems
- Order processing systems
The steps to determining critical systems are the same as those used to determine critical information. To keep things simple, we will continue to use the example discussed previously. The final result is shown in Figure 5.7. It shows that Security Evolutions has identified four types of systems at its organization. The Internet systems are rated the lowest. No sales are done through these systems, and their outage or loss of availability, although inconvenient, wouldn't prevent the organization from continuing business. The sales system, like the sales information previously, is rated as the most critical. Management has determined that the inability to quickly bid on government projects or the loss of integrity of the sales system could seriously damage this growing organization. The high-water mark for the company's systems indicates that confidentiality and integrity are the most important attributes.
Figure 5.7. The completed informational matrix.
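The OICM and SCM procedures above share one structure: a table of information types or systems against the three impact attributes, with a high-water-mark row carrying the highest rating in each column down. The following is an added example written for this page, not code from the chapter or from the NSA IAM. Only the ratings the text states (training information low/low/low, sales confidentiality and integrity high, Internet systems lowest, sales system most critical) come from the page; the remaining cells and the two unnamed system names are constructed assumptions.

```python
"""Criticality matrix (OICM or SCM) with the high-water-mark row described above."""

ATTRIBUTES = ("confidentiality", "integrity", "availability")
RANK = {"low": 0, "medium": 1, "high": 2}   # ordinal levels, not dollar values

def validate(matrix):
    """Reject rows missing an attribute or using an impact level outside the agreed scale."""
    for name, row in matrix.items():
        for attr in ATTRIBUTES:
            if row.get(attr) not in RANK:
                raise ValueError(f"{name}/{attr}: undefined impact level {row.get(attr)!r}")

def high_water_mark(matrix):
    """Carry the highest rating in each attribute column down to a final row."""
    validate(matrix)
    return {attr: max((row[attr] for row in matrix.values()), key=RANK.get)
            for attr in ATTRIBUTES}

def most_important(matrix):
    """Attributes that share the top rating in the high-water-mark row."""
    hwm = high_water_mark(matrix)
    top = max(RANK[level] for level in hwm.values())
    return [attr for attr in ATTRIBUTES if RANK[hwm[attr]] == top]

def render(title, matrix):
    """Plain-text table in the layout of Figures 5.6 and 5.7 (H/M/L cells)."""
    rows = list(matrix.items()) + [("high-water mark", high_water_mark(matrix))]
    width = max(len(name) for name, _ in rows)
    lines = [title, f"{'':<{width}}  " + "  ".join(a[:5].upper() for a in ATTRIBUTES)]
    for name, row in rows:
        lines.append(f"{name:<{width}}  " + "  ".join(f"{row[a][0].upper():<5}" for a in ATTRIBUTES))
    return "\n".join(lines)

# Security Evolutions OICM. Training (low/low/low) and sales C/I (high) are the
# chapter's ratings; every other cell is constructed for this example.
OICM = {
    "training information": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "client information":   {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
    "sales information":    {"confidentiality": "high", "integrity": "high", "availability": "medium"},
    "HR information":       {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
}
# SCM. Internet systems (lowest) and the sales system (most critical) follow the
# chapter; the other two system names and all remaining cells are assumed.
SCM = {
    "Internet systems":       {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "sales system":           {"confidentiality": "high", "integrity": "high", "availability": "medium"},
    "client database system": {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
    "HR system":              {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
}

if __name__ == "__main__":
    print(render("OICM", OICM))
    print(render("SCM", SCM))
```

Because the levels are ordinal, changing the scale (for example to 0 to 5) only means changing RANK; the roll-up logic stays the same.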