The information in this article is based on work done at Carnegie Mellon University on Information Asset Profiling.

Information security (IS) requires the classification and valuation of information assets to ensure that the right level of protection for those assets is provided. The required level of protection is usually determined by using a risk assessment.

A Threat Risk Assessment (i.e. TRA) is the first part of any risk management methodology. It is used to determine the extent of the potential threat and the risk associated with a company's information assets. The output of this process helps to identify appropriate safeguards for reducing or eliminating risk during risk mitigation.

The threat risk assessment methodology encompasses nine primary steps:

1. Information Characterization
2. Threat Identification
3. Vulnerability Identification
4. Safeguard Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Safeguard Recommendation
9. Results Documentation

An Information Asset Profile (IAP) provides the information characteristics required in the first step shown above. The IAP allows information owners to profile (i.e. classify and value) their information assets; this is usually a requirement of an IS Policy to ensure the protection of a company's information assets.

Using an IAP allows a company to:

- provide a consistent, unambiguous, and agreed upon description of an information asset;
- feed strategic information security activities, such as threat and risk assessments used to determine potential negative impacts;
- help with the selection of proper security controls and best practices by ensuring security requirements are addressed;
- refine policy and procedure by defining the information asset, its user-base, its custodians, its owner/stewardship, its boundaries, and its characteristics.

The IAP defines the information itself, the people involved in its creation and use, and the processes or procedures that rely on the information. The primary contents are: Asset Name, Asset Description, Owner, Stakeholders, Custodial Aspects (i.e. Custodians ... paper or electronic, and Locations), Security and Privacy Requirements, and Classification and Valuation.

Any, or a combination, of the following techniques can be used to gather information about the information asset: a questionnaire, on-site interviews, document reviews, or automated scanning tools.

In summary, the benefits of the Information Asset Profile are:

- allows owners to profile their information assets to meet Information Security Policy requirements for the protection of those assets;
- validates the security aspects of the processes relying on the information;
- provides the information profiling required as the first step of a threat risk assessment;
- defines security requirements for new information systems applications;
- requires the CISO to provide the following services:
  - assistance to owners on how to complete an IAP,
  - central storage and control for all completed IAPs.

Did you find this information on information asset profiling useful? You can learn a lot more about how our set of documents on information security can help you protect your information assets by visiting our web site at: Information Asset Profile Standard and Template.
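The primary contents of an IAP listed above, turned into a record with the completeness check that the CISO's central IAP register could apply before a profile is accepted as the Information Characterization input of the TRA. This is an added example, not code from the article or from the Carnegie Mellon work it cites; the classification levels, the paper/electronic custody forms and the numeric valuation are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Added example (not from the article): an IAP record with the primary contents
# the article lists, plus the completeness check a CISO's central IAP register
# could run before a profile feeds step 1 of the TRA. Classification levels,
# custody forms and the numeric valuation are assumed for illustration.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")  # assumed
CUSTODY_FORMS = ("paper", "electronic")                                  # assumed

@dataclass
class Custodian:
    name: str
    form: str       # "paper" or "electronic"
    location: str   # where this copy of the asset is held

@dataclass
class InformationAssetProfile:
    asset_name: str
    asset_description: str
    owner: str
    stakeholders: List[str] = field(default_factory=list)
    custodians: List[Custodian] = field(default_factory=list)
    security_privacy_requirements: List[str] = field(default_factory=list)
    classification: str = ""
    valuation: Optional[float] = None   # assumed: business value, >= 0

def validate_profile(p: InformationAssetProfile) -> List[str]:
    """Return the gaps found; an empty list means the IAP is complete enough
    to serve as the Information Characterization input of the TRA."""
    gaps = []
    for name in ("asset_name", "asset_description", "owner"):
        if not getattr(p, name).strip():
            gaps.append(f"{name} is empty")
    if not p.stakeholders:
        gaps.append("no stakeholders listed")
    if not p.custodians:
        gaps.append("no custodians listed")
    for c in p.custodians:
        if c.form not in CUSTODY_FORMS:
            gaps.append(f"custodian {c.name!r}: form must be paper or electronic")
        if not c.location.strip():
            gaps.append(f"custodian {c.name!r}: location missing")
    if not p.security_privacy_requirements:
        gaps.append("no security or privacy requirements stated")
    if p.classification not in CLASSIFICATIONS:
        gaps.append(f"classification {p.classification!r} is not a defined level")
    if p.valuation is None or p.valuation < 0:
        gaps.append("valuation missing")
    return gaps
```

A profile that returns no gaps carries every element the article names, so the TRA's later steps (threat and vulnerability identification, impact analysis) have a defined asset, owner and custody boundary to work against.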