The information in this article is based on work done at Carnegie Mellon University on Information Asset Profiling. Information security (IS) requires the classification and valuation of the information assets to ensure that the right level of protection for those assets is provided. The required level of protection is usually determined by using a risk assessment.

A Threat Risk Assessment (i.e. TRA) is the first part of any risk management methodology. It is used to determine the extent of the potential threat and the risk associated with a company's information assets. The output of this process helps to identify appropriate safeguards for reducing or eliminating risk during risk mitigation.

The threat risk assessment methodology encompasses nine primary steps:

1. Information Characterization
2. Threat Identification
3. Vulnerability Identification
4. Safeguard Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Safeguard Recommendation
9. Results Documentation

An Information Asset Profile (IAP) provides the information characteristics required in the first step shown above. The IAP allows information owners to profile (i.e. classify and value) their information assets; this is usually a requirement of an IS Policy to ensure the protection of a company's assets.

Using an IAP allows a company to:
- provide a consistent, unambiguous, and agreed upon description of an information asset;
- feed strategic information security activities, such as threat and risk assessments used to determine potential negative impacts;
- help with the selection of proper security controls and best practices by ensuring security requirements are addressed;
- refine policy and procedure by defining the information asset, its user-base, its custodians, its owner/stewardship, its boundaries, and its characteristics.

The IAP defines the information itself, the people involved in its creation and use, and the processes or procedures that rely on the information. The primary contents are: Asset Name, Asset Description, Owner, Stakeholders, Custodial Aspects (i.e. Custodians... paper or electronic, and Locations), Security and Privacy Requirements, and Classification and Valuation.

Any, or a combination, of the following techniques can be used to gather information about the asset: a questionnaire, on-site interviews, document reviews, or automated scanning tools.

In summary, the benefits of the Information Asset Profile are:
- allows owners to profile their information assets to meet Information Security Policy requirements for the protection of those assets;
- validates the security aspects of the processes relying on the information;
- provides the information profiling required as the first step of a threat risk assessment;
- defines security requirements for new information systems applications;
- requires the CISO to provide the following services:
  - assistance to owners on how to complete an IAP,
  - central storage and control for all completed IAPs.