In the first post of this series, I talked about what exactly a threat is. It’s more interesting to delve in and look at what kinds of assets you actually have that you might want to protect. Of course, this is really situation-specific, and there are two major types of protection: protection from theft and protection from destruction.
Information assets, such as customer lists, credit card numbers, and the like, aren’t “stolen” so much as they are “copied without authorization”. Keep in mind that it’s easy to tell when your car has been stolen, but it may be very difficult to know if your social security number has been leaked.
There is a third consideration, which you might call integrity: that is, you want to make sure that something is genuine or hasn’t been modified. This is important mostly for paperwork and records: it would probably be bad, for example, to have someone alter your car title without you knowing it.
Here are some example assets that you’d want to protect from destruction:
- Family photos
- Car, House
- your person and health
And you’d want to protect these from theft/unauthorized copying:
- Social Security number
- Money, securities, etc.
- Driver’s license, both the card itself and the identity indicated against identity theft
Note that some assets, such as the car, are listed in both categories above. You hold insurance to protect your car from destruction (e.g., in a collision), and you use keys and a car alarm in order to make it harder to steal.
My stance on family photos may be somewhat controversial, but I think most people would much rather have their family photos copied over the internet than losing them completely.
The same approach as above applies, but keep in mind that there is a fair bit of regulation. If you’re in healthcare or associated with healthcare, for example, HIPAA/HITECH may apply. There are regulations for finance, insurance, law firms- the list goes on and on, so you should do some research and get familiar with your field. There is also a whole set of regulations for credit card handlers called PCI.
Generally, the government requirements revolve around “PII” (Personally Identifiable Information). In healthcare, it’s called “PHI” (Protected Health Information). These concepts tend to be high-level, and identifying exactly what you should do and how you should handle information can be complicated.
Before you can really get started thinking about security, identify the things you want to protect and why. For example, I’ve seen businesses bring their computing services all in-house while not doing any audits on the custom software they’re developing. They haven’t identified what it is they actually want to protect (presumably, customer data and their own control systems), and taken measures to protect those things.