The College, as part of this Program, must identify and assess reasonably foreseeable external and internal risks to the confidentiality, integrity, and availability of its information and information systems. The IT Division will assist with developing tools and establishing procedures for identifying and assessing such risks to relevant information and systems. Major risk identification and assessment areas include identification and classification of information and information systems, assessment of employee training and management practices, information processing/systems risk analysis, and identification of system failure and incident management processes.
3.3.1. Information/Information Systems Classification and “Ownership”
Information assets owned by the College must be identified, classified, and assigned an “owner” for information security purposes. The owner is responsible for identifying the assets, assigning a classification level based on the confidentiality, integrity, and/or availability needs of the College, and designating an individual or department primarily responsible for each asset. Identification and classification of assets supports decision-making about the level of security required to protect each information asset.
3.3.1.1. Information asset identification
Virtually every piece of information about or collected by the College is considered an asset if used to conduct College business. Examples of information assets include, but are not limited to:
Data/Information collections such as databases, data files, policies, standards, procedures, information archives, disaster recovery/continuity plans, and other paper or digital records.
Software assets such as application software (Colleague modules, MS Office), system software (Windows, Unix, Unidata), and custom software (locally developed programs).
Physical assets, including computers (desktops, servers, notebooks, PDAs), communication equipment (telephone systems, fax machines, modems), storage media (tapes, removable disks, CDs), and even some facility equipment (generators, power supplies, air conditioners, furniture).
Outsourced services such as vendor support, consulting, contingency services, communication infrastructure, and environmental services (electricity, heating, etc.).
3.3.1.2. Information asset “ownership” (responsibility & accountability)
Each identified information asset must have a responsible/accountable party designated as the asset “owner.” While many of these assets have multiple uses and users, primary responsibility for the information or system must be determined. Examples of asset owners include network owners, hardware owners, application owners, and data owners. Any access to, addition to, or modification to the information asset should only be done with the consent of the asset owner. The asset owner is also responsible for classifying the criticality of the information to the College.
Every information technology device (hardware) connected to the Sinclair network must have an owner responsible for the security of that device. The owner should maintain some type of inventory registry of all their devices. This registry should include, where relevant, the device name, model, serial number, network ID, the IP address or subnet, MAC address, physical location, operating system, intended use (Web server, personal computer, lab server, PDA, T-Reg machine, etc.), and the department and person or persons primarily responsible for maintaining the device (owner and administrators). The registry should also record what classification of information (see 3.3.1.3 below) the device stores and/or provides access to.
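Two checks a practitioner would run against such a registry are (a) completeness, in particular that any device holding Confidential or Sensitive information has an owner recorded, and (b) reconciliation against what is actually on the network, since a device on the wire with no registry entry has no accountable owner. The following is an added example, not part of the College policy or any Sinclair tool; the field names, the three registry entries, and the ARP/DHCP snapshot are constructed for illustration.

```python
"""Inventory registry checks: added example, not part of the College policy.

Field names follow the registry list in the policy (name, model, serial, MAC,
IP or subnet, location, OS, intended use, department, owner, classification)
but are assumptions for this example. All hosts, MACs and addresses below
are constructed sample data.
"""
from ipaddress import ip_address, ip_network

REQUIRED = ("name", "model", "serial", "mac", "ip_or_subnet", "location",
            "os", "intended_use", "department", "owner", "classification")

# Constructed registry entries (hypothetical hosts).
REGISTRY = [
    {"name": "web01", "model": "Dell R740", "serial": "ABC123",
     "mac": "00:11:22:33:44:55", "ip_or_subnet": "10.1.1.10",
     "location": "Bldg 13 DC", "os": "RHEL 8", "intended_use": "Web server",
     "department": "IT", "owner": "web-team", "administrators": ["alice"],
     "classification": "Public"},
    {"name": "hrdb01", "model": "HP DL380", "serial": "DEF456",
     "mac": "00:11:22:33:44:66", "ip_or_subnet": "10.1.2.20",
     "location": "Bldg 13 DC", "os": "Windows Server 2019",
     "intended_use": "HR database", "department": "HR", "owner": "",
     "classification": "Confidential"},
    {"name": "lab-b12", "model": "Optiplex", "serial": "GHI789",
     "mac": "00:11:22:33:44:77", "ip_or_subnet": "10.1.50.0/24",
     "location": "Bldg 12 lab", "os": "Windows 10", "intended_use": "lab server",
     "department": "CIS", "owner": "lab-coordinator", "classification": "Public"},
]

# Constructed ARP/DHCP snapshot of (MAC, IP) pairs actually seen on the network.
OBSERVED = [
    ("00:11:22:33:44:55", "10.1.1.10"),   # web01, where the registry says
    ("00:11:22:33:44:66", "10.1.2.21"),   # hrdb01 answering from a new address
    ("00:11:22:33:44:77", "10.1.50.17"),  # lab host inside its registered subnet
    ("de:ad:be:ef:00:01", "10.1.2.99"),   # not in the registry at all
]


def missing_fields(entry):
    """Return the required registry fields that are absent or empty."""
    return [f for f in REQUIRED if not entry.get(f)]


def unowned_sensitive(registry):
    """Names of devices holding Confidential/Sensitive data with no owner recorded."""
    return [e["name"] for e in registry
            if e.get("classification") in ("Confidential", "Sensitive")
            and not e.get("owner")]


def _ip_matches(registered, ip):
    """True if `ip` equals the registered address or falls in the registered subnet."""
    if "/" in registered:
        return ip_address(ip) in ip_network(registered, strict=False)
    return ip_address(ip) == ip_address(registered)


def reconcile(observed, registry):
    """Compare observed (MAC, IP) pairs with the registry.

    Returns (unregistered, moved): MACs with no registry entry, and registered
    devices seen at an address outside what the registry records for them.
    """
    by_mac = {e["mac"].lower(): e for e in registry}
    unregistered, moved = [], []
    for mac, ip in observed:
        entry = by_mac.get(mac.lower())
        if entry is None:
            unregistered.append(mac)
        elif not _ip_matches(entry["ip_or_subnet"], ip):
            moved.append((entry["name"], entry["ip_or_subnet"], ip))
    return unregistered, moved


if __name__ == "__main__":
    for e in REGISTRY:
        if missing_fields(e):
            print(f"{e['name']}: missing {missing_fields(e)}")
    print("unowned sensitive:", unowned_sensitive(REGISTRY))
    print("reconcile:", reconcile(OBSERVED, REGISTRY))
```

Matching on MAC rather than IP is deliberate: the policy records both, but the address can change (DHCP, moves between subnets) while the hardware address normally does not, so a changed IP is reported as a discrepancy to review rather than as a new device.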
Software must also have a designated owner. Data is typically owned by the department primarily responsible for collecting or using it, but ownership may also follow the application or application module used to store or collect it. Information Technology Services is the primary owner of most of the standard application software supplied campus-wide via ‘core’ images. Lab coordinators and department heads are generally designated the owners of, and are accountable for, the security of lab- and department-specific applications distributed via non-core images. For non-imaged systems, an owner must still be determined and held accountable.
3.3.1.3. Information asset classification
To determine the measures required to adequately secure an information asset, the asset must be classified. The asset owner is responsible for ensuring that each asset is evaluated against the criteria below and classified on at least one of the three primary information security criteria: confidentiality, integrity, and availability. Criteria for classifying information include:
3.3.1.3.1. Confidentiality: For classification purposes, confidentiality refers to the sensitivity and the access controls required to protect the information. Does legislation or College policy require the information be protected, or is it freely distributable? Is the information time sensitive? Will its confidentiality status change after some time? Confidentiality is defined in terms of:
Confidential: Access is restricted to a specific list of people. Examples include human resources/payroll data such as salaries, garnishment orders, child support orders, and employee health information. Stored credit card numbers are also confidential.
Sensitive: Access and use of the information must be protected from routine disclosure and is restricted to specific uses only. This includes information required to be protected by legislation and/or generally recognized best practices. Examples include Social Security Numbers, Financial Aid Data, Student Records, and Personal Identifying Information (as defined by the Ohio Revised Code).
Public: The information is intended to be publicly accessible. For example, the College Bulletin, the College Web Site, recruitment brochures.
Access control is a primary component of confidentiality. Who must have access to the asset? Who should have access to the asset? Who can manipulate/modify the information? How should the information be stored? This is controlled by assigning access rights for individuals, groups, and the public. The asset owner determines these access rights. For data stored in the Colleague system, access is determined by security classes and defined in terms of:
Never Do – no access (to the particular role or security class);
Privileged – access to specified individuals/roles;
Inquiry only – access to read information only; and
Do Only – write access unless restricted by inquiry only or privileged.
3.3.1.3.2. Availability: This is a measure of criticality. How important is it that the information asset is accessible/available to the authorized constituent? Is it a single instance or is a backup available? Availability is measured based on reliability and timely access to the asset. In other words, is the system up and running when needed? How long can the asset be down or unavailable? For classification purposes, the availability hierarchy is:
Vital: The asset is essential to the College; even a brief outage is significant and may result in a serious negative impact, financial, legal, or otherwise, to Sinclair.
Critical: Necessary for routine operation of the College; must be available during normal working hours and/or during registration, reporting, or other business cycles. A brief outage outside these periods is acceptable, but outages during these periods are significant and result in serious negative impact.
Important: Significant to a small segment of the College such as a single department or committee. Should be available during normal working hours, outages of up to 24 hours do not significantly impact the College.
Routine: Has value to the College and should be routinely available, but extended outages (1-5 days) would not significantly impact Sinclair.
3.3.1.3.3. Integrity: Integrity is seldom used for primary information classification, but may be used as a ‘tie-breaker’ when determining priority during business continuity and contingency planning. How important is it that the information is 100% accurate and can be verified as tamper-free? How critical is the accuracy of information to the College or stakeholder? Can it be duplicated or replaced? Integrity is defined in terms of value: high, medium or low. As this is often a subjective valuation, justification may be required for assigning a value classification if the rationale is not obvious or is questionable.
3.3.2. Assessment of employee training and management
Nearly everyone associated with the College has some degree of access to information and information systems, and consequently has the potential to cause harm. While technology can help mitigate risk to the College’s information assets, the weakest link in the information protection chain is people. The College must continually assess the current state of each end-user’s understanding of the importance of information security, including assessing the effectiveness of current training practices and management policies and procedures in this area.
3.3.2.1. Employee management policies and procedures
Employee management policies and procedures must be evaluated to identify and assess how well they enforce information security practices. Hiring practices should be reviewed to ensure that references and skill sets of potential employees are verified. Existing employees must be familiar with applicable information security policies such as this policy, the Acceptable Use and Email policies, as well as other policies, procedures, and standards with information security implications. Procedures should be reviewed to ensure information systems/security administration is notified of employee actions such as termination, retirement, extended absence, or department transfer. Procedures and standards should outline when and how a user account (and the access the account provides) is added, revoked, suspended, or modified, and should also specify time-frames for the activity. Managers/supervisors should also understand their responsibilities relating to periodic review of employee access.
3.3.2.2. Security Awareness, Training, and Education (SATE)
Security awareness is the most effective and efficient method for protecting information assets. If employees view information security measures simply as a collection of burdensome rules and processes, rather than as a critical requirement for successful College business, they are likely to ignore or “shortcut” protective measures. Informed employees also improve information security by recognizing threats/vulnerabilities and recommending corrective actions.
Every vice-president, dean, director, chair, manager, or supervisor responsible for employees who use information assets should assess general and specific information handling practices within their area to identify current or potential vulnerabilities. This assessment should include determining who has access, what information they can access, where they can access the asset, and how it is used and protected. Supervisors must ensure their employees know, understand, and are accountable for fulfilling their information security responsibilities, and should implement training or education programs to correct identified deficiencies.
3.3.3. Information Systems Security Risk Analysis
The directors/managers of Information Technology departments, and directors/managers of other applicable departments owning information systems, must regularly identify and assess risks to these systems.
3.3.3.1. Risk Analysis Approach
The risk analysis of each system should, at a minimum, identify information systems threats and vulnerabilities, measure the likelihood and magnitude of compromise, recommend control measures to increase the security of the system in the most effective and efficient manner, and document and communicate the results of the analysis. Individual departments and divisions should initiate and conduct risk analysis of the systems under their control and should follow up on and act on the results. IT should assist with the technical controls, but systems risk originating with a business process must be addressed by the process owner. Current and planned internal operating policies, standards, and procedures relating to information systems must be evaluated. Areas for consideration during the analysis should include:
Network and software design and development
Change management (including patches and other software “fix” management)
Physical security
Access control
External vulnerability (including penetration testing, intrusion detection)
Internal vulnerability (including services running, “rogue” modems, wireless)
Storage and backup strategies
Contingency planning/testing (disaster recovery/business continuity)
Information transmission
Disposal of information assets
Systems audit practices.
Controls implemented to mitigate risk must also be regularly analyzed for currency, applicability, and effectiveness.
3.3.3.2. Risk Assessment Process
One recommended risk assessment process is:
1. Identify the asset or assets being evaluated, including hardware, applications, data, and connectivity. Complex assets may need to be broken into simpler components. Determine a quantitative or qualitative (or combined) value of the asset to the College. How much would it cost to replace? How long can it be unavailable? What effect does its unavailability have? Include the costs/effects of recovering the asset.
2. Identify as many practical potential threats as possible that could harm or otherwise adversely affect the operation or efficacy of the asset. Both internal (disgruntled or untrained employees) and external (hackers/criminals, natural disasters, malicious code) threats should be identified and documented.
3. Estimate the likelihood of each threat occurring and the frequency of occurrence. This may be based on historical information, estimates of those with expertise, or other experience. This estimate is often subjective, and may require a team of knowledgeable individuals to reach consensus on a realistic figure.
4. Estimate the effect of the loss of the asset. A quantitative method is to multiply the value of the asset (from step 1) by the frequency of occurrence (from step 3) for each potential threat identified (in step 2), giving an expected loss per threat over the period the frequency covers. This value may be used as a baseline to determine the practicality and cost efficiency of protective controls.
5. Identify controls or actions that could mitigate or reduce the risk. These can include new organizational policies and procedures as well as technical or physical controls.
6. Finally, evaluate and select appropriate controls by comparing the cost of each control with the cost of the loss it would avert (from step 4).
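The six steps above, carried through on a constructed scenario, as an added example that is not part of the College policy or its procedures. Two refinements a practitioner would want are modelled here and stated as assumptions: step 4 is computed with an exposure factor (the fraction of the asset's value lost in one occurrence) rather than the asset's full value, since most incidents do not destroy the whole asset; and in step 6 controls are adopted one at a time with the expected loss recomputed after each adoption, so two controls that address the same threat are not credited twice. The asset, threats, frequencies, and control costs are hypothetical figures.

```python
"""Quantitative risk assessment walk-through: added example, not College data.

Steps follow the process in 3.3.3.2: (1) value the asset, (2) list threats,
(3) estimate annual frequency, (4) expected loss = value x exposure x frequency,
(5) list candidate controls, (6) keep controls whose cost is below the loss
they avert. The exposure factor and the one-at-a-time selection are
assumptions of this example. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float   # step 3: expected occurrences per year
    exposure: float      # fraction of asset value lost per occurrence (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_factor: dict      # threat name -> multiplier on annual_rate (1.0 = none)
    exposure_factor: dict  # threat name -> multiplier on exposure (1.0 = none)


def expected_loss(asset_value, threats):
    """Step 4: sum over threats of (value x exposure) x annual rate."""
    return sum(asset_value * t.exposure * t.annual_rate for t in threats)


def apply_control(threats, control):
    """Return the threat list as it would look with `control` in place."""
    return [Threat(t.name,
                   t.annual_rate * control.rate_factor.get(t.name, 1.0),
                   t.exposure * control.exposure_factor.get(t.name, 1.0))
            for t in threats]


def net_benefit(asset_value, threats, control):
    """Step 6 for one control: loss averted minus control cost; >0 means worth it."""
    before = expected_loss(asset_value, threats)
    after = expected_loss(asset_value, apply_control(threats, control))
    return before - after - control.annual_cost


def select_controls(asset_value, threats, controls):
    """Step 6 across controls: adopt the best remaining control while its net
    benefit is positive, re-evaluating the others against the reduced risk so
    overlapping controls are not double-counted. Returns (chosen, residual)."""
    chosen, remaining, current = [], list(controls), list(threats)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(asset_value, current, c))
        if net_benefit(asset_value, current, best) <= 0:
            break
        chosen.append(best.name)
        current = apply_control(current, best)
        remaining.remove(best)
    return chosen, expected_loss(asset_value, current)


# Constructed scenario (hypothetical numbers, not College figures).
ASSET_VALUE = 500_000.0  # step 1: replacement + recovery + downtime for a records DB
THREATS = [                                            # step 2 and 3
    Threat("ransomware", annual_rate=0.2, exposure=0.6),
    Threat("disk failure", annual_rate=0.5, exposure=0.1),
    Threat("insider misuse", annual_rate=0.1, exposure=0.3),
]
CONTROLS = [                                           # step 5
    Control("offline backups", 20_000.0, rate_factor={},
            exposure_factor={"ransomware": 0.15, "disk failure": 0.2}),
    Control("MFA + access review", 15_000.0,
            rate_factor={"insider misuse": 0.5, "ransomware": 0.7}, exposure_factor={}),
    Control("redundant SAN", 120_000.0,
            rate_factor={"disk failure": 0.1}, exposure_factor={}),
]

if __name__ == "__main__":
    print(f"baseline expected annual loss: {expected_loss(ASSET_VALUE, THREATS):,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: stand-alone net benefit {net_benefit(ASSET_VALUE, THREATS, c):,.0f}")
    print("selected:", select_controls(ASSET_VALUE, THREATS, CONTROLS))
```

In this scenario the baseline expected annual loss is 100,000. Offline backups avert 71,000 for a cost of 20,000 and are adopted first; MFA looks worthwhile on its own (net 10,500) but, once backups have cut the ransomware exposure, the loss it still averts (10,200) no longer covers its 15,000 cost, so it is not selected on cost grounds alone. The redundant SAN costs more than the entire disk-failure risk it addresses. This is the kind of result step 6 is meant to surface: a control's value depends on which other controls are already in place.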
3.3.4. Information Security Failure/Incident Management Assessment
Information Security incidents must be properly identified, recorded, reported, investigated, and assessed. The Sinclair Computer Security Incident Response Team (CSIRT) is responsible for identifying, assessing, and responding to actual and potential system failures and information security incidents. The assessment responsibilities include: defining, identifying, and categorizing actual and potential “incidents;” determining the impact of such incidents; evaluating, recommending, and implementing appropriate response; and developing, leading, and implementing recovery and reporting procedures.
Incidents should be assessed for causative factors such as human error, natural disasters, system failures, malicious acts, malicious software, and collateral damage from other systems. Impact of incidents should be examined for results such as denial of service, theft of information, deletion of information, inappropriate disclosure of information, corruption of information, and collateral damage to other systems.