ASSETS

What, Why, and How of Asset Security

  • Practice is Key

    • Just like painting, basketball, or playing guitar, security requires continuous practice.

    • Planning for the future is a core skill in security.

  • Managing Uncertainty

    • We naturally plan ahead to avoid problems (e.g., packing for a trip).

    • Businesses do the same by analyzing risks to prepare for potential threats.

  • Security Teams & Risk Management

    • Security focuses on risk: anything that affects Confidentiality, Integrity, and Availability (CIA triad).

    • Each company has a unique security plan based on its risks.

  • Three Elements of Security Risk Analysis

    1. Assets (What needs protection?)

      • Anything valuable: buildings, data, equipment, people.

      • Example: A home has assets like walls, doors, and personal belongings.

      • Prioritization is key—front doors have locks because they’re more likely entry points than walls.

    2. Threats (What could cause harm?)

      • Events or circumstances that can negatively impact assets.

      • Example: A burglar, strong winds, or accidental damage can all be threats to a home.

      • Recognizing threats helps prioritize security measures.

    3. Vulnerabilities (What weaknesses exist?)

      • Flaws in assets that threats can exploit.

      • Example: A weak door lock makes it easier for a burglar to break in.

      • Security teams analyze vulnerabilities to strengthen defenses.

  • Security Planning in Action

    • Security teams assess assets, threats, and vulnerabilities to plan effectively.

    • Understanding these basics is the first step toward strong security.

Asset Management & Security Planning

  • Fundamental Truth of Security

    • "You can only protect what you account for."

    • Asset management is key to tracking assets and assessing risks.

    • Security plans revolve around keeping track of valuable assets.

  • Asset Inventory (Like a Shepherd Counting Sheep)

    • A record of all assets that need protection.

    • Helps allocate resources effectively.

    • Alerts organizations if an asset is missing.

  • Asset Classification (Prioritizing Importance)

    • Similar to ranking personal items (e.g., wallet vs. shoes).

    • Helps organizations determine protection levels.

    • Basic classification levels:

      • Public – Can be shared freely.

      • Internal-Only – For employees, not the public.

      • Confidential – Limited to specific project teams.

      • Restricted – Highly sensitive, need-to-know basis.

    • Example: A company might classify emails about a new product as confidential, while office doors might have restricted access.

  • Ongoing Asset Management

    • Classification determines whether an asset can be disclosed, altered, or destroyed.

    • Continuous process that identifies security gaps and potential risks.

    • Keeping track of assets is essential for strong security planning.
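As an added example that is not part of these notes or the course they summarize: a small asset inventory in Python that ties the points above together, a record of assets, the four classification levels used to decide whether disclosure is allowed, and a reconciliation step that flags missing or untracked assets so the most sensitive ones are dealt with first. The asset records and the audience-to-clearance mapping are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered levels from the notes; a higher value means more sensitive."""
    PUBLIC = 0         # can be shared freely
    INTERNAL_ONLY = 1  # employees only, not the public
    CONFIDENTIAL = 2   # limited to specific project teams
    RESTRICTED = 3     # highly sensitive, need-to-know


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    classification: Classification
    owner: str


# Constructed sample inventory (not any real organization's data).
INVENTORY = {
    "A-001": Asset("A-001", "Public website content", Classification.PUBLIC, "marketing"),
    "A-002": Asset("A-002", "Employee handbook", Classification.INTERNAL_ONLY, "hr"),
    "A-003": Asset("A-003", "New product launch emails", Classification.CONFIDENTIAL, "product"),
    "A-004": Asset("A-004", "Server room badge list", Classification.RESTRICTED, "facilities"),
}

# Highest level each audience is cleared for (assumed mapping for this example).
AUDIENCE_CLEARANCE = {
    "public": Classification.PUBLIC,
    "employee": Classification.INTERNAL_ONLY,
    "project_team": Classification.CONFIDENTIAL,
    "need_to_know": Classification.RESTRICTED,
}


def may_disclose(asset_id: str, audience: str) -> bool:
    """Disclosure is allowed only when the audience's clearance meets the asset's level."""
    return AUDIENCE_CLEARANCE[audience] >= INVENTORY[asset_id].classification


def reconcile(observed_ids: set) -> dict:
    """Compare an observed set (a scan or a physical count) against the inventory.
    'missing' assets may be lost or stolen; 'unknown' ones are untracked, so unprotected."""
    known = set(INVENTORY)
    return {"missing": sorted(known - observed_ids), "unknown": sorted(observed_ids - known)}


def missing_by_priority(observed_ids: set) -> list:
    """Missing assets ordered most sensitive first, so response effort goes where it matters."""
    missing = reconcile(observed_ids)["missing"]
    return sorted(missing, key=lambda i: INVENTORY[i].classification, reverse=True)
```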

Assets in a Digital World

  • Data as a Valuable Asset

    • In today’s world, information is one of the most valuable assets.

    • Most information exists as digital data—processed, stored, or transferred by computers.

    • Billions of devices are constantly exchanging data over the internet.

  • Three States of Data & Their Security Considerations

    1. Data in Use – Actively being accessed or modified.

      • Example: Checking emails on a laptop at a park.

    2. Data in Transit – Moving from one place to another.

      • Example: Sending an email reply.

    3. Data at Rest – Stored and not actively accessed.

      • Example: Closing a laptop and walking to a café.

  • Information Security (InfoSec) & Its Importance

    • InfoSec protects data in all states from unauthorized access.

    • Weak security can lead to identity theft, financial loss, and reputational damage.

    • A breach can affect organizations, partners, and customers.

  • Evolving Digital World & New Risks

    • Cloud storage challenges the traditional idea of data at rest.

    • Example: A phone on a table may still be syncing data with the cloud.

    • Security analysts must stay aware of new vulnerabilities as technology advances.

  • Connecting Data Security to Asset Management

    • Protecting data depends on where it is and what it’s doing.

    • Security teams analyze risk based on data states to develop strong asset management plans.

Elements of a Security Plan

  • Security is About People, Processes, & Technology

    • It's not just an IT responsibility—security is a culture shared across the organization.

    • Everyone, from employees to vendors to customers, plays a role in protecting assets.

  • The Role of Security Plans

    • Purpose: To prepare for risks before they happen.

    • People-focused security plans are the most effective.

    • Risks impact Confidentiality, Integrity, and Availability (CIA triad).

    • Risks are categorized based on factors like:

      • Damage, disclosure, or loss of information

      • Physical malfunctions, cyberattacks, and human error

  • Common Security Risk Example

    • A new teacher's contract may include policies about not using personal email for sensitive information.

    • Helps spread security awareness across the organization.

  • The Three Elements of Security Plans

    1. Policies – The foundation (strategic rules that reduce risk).

      • Answers: What are we protecting and why?

      • Example: Acceptable Use Policy (AUP) defines how employees access company systems securely.

    2. Standards – The tactical guide (how to implement policies).

      • Creates a point of reference for security practices.

      • Example: Many companies follow NIST password standards (e.g., minimum 8-character passwords).

    3. Procedures – Step-by-step instructions for security tasks.

      • Ensures accountability, consistency, and efficiency.

      • Example: Instructions on choosing secure passwords or resetting a locked account securely.

  • Customization & Importance of Security Plans

    • Policies, standards, and procedures vary by organization but follow the same structure.

    • Understanding these elements is key to making security a true team effort.

NIST Framework

  • Compliance: Ensuring Security Plans Are Followed

    • Having a security plan is not enough—compliance ensures it’s being followed.

    • Compliance means adhering to internal standards & external regulations.

    • Critical for trust, reputation, safety, and data integrity.

    • Non-compliance can lead to fines, penalties, lawsuits, and reputational damage, especially in regulated industries (healthcare, finance, energy).

  • Regulations & the Role of NIST Cybersecurity Framework (CSF)

    • Regulations are government-imposed rules to protect people and data.

    • NIST Cybersecurity Framework (CSF) provides security guidelines & best practices.

    • CSF is voluntary but widely used to manage cybersecurity risks.

    • CSF consists of three main components:

      1. Core – Defines five key security functions.

      2. Tiers – Measures security performance across functions.

      3. Profiles – Captures the security state over time.

  • CSF Core: The Five Key Security Functions

    • Identify – Understand assets & risks (linked to asset management & risk assessment).

    • Protect – Implement security measures (upcoming discussion).

    • Detect – Identify security incidents.

    • Respond – Take action against security events.

    • Recover – Restore operations after an incident.

  • CSF Tiers: Measuring Security Effectiveness

    • Level 1 (Passive) – Bare minimum security.

    • Level 4 (Adaptive) – High-level, continuously improving security.

    • Tiers help organizations refine security plans based on effectiveness.

  • CSF Profiles: Tracking Security Over Time

    • Think of profiles like photos of a tree—comparing them over time shows growth & changes.

    • Helps organizations assess how security improves or weakens.

  • Beyond Fines & Attacks: The Human Side of Security

    • Good security practices show care for people and their information.

    • Next focus: The "Protect" function of security plans.
