6.3 Select Critical Assets

This activity requires you to make decisions that shape the remainder of the evaluation—selecting your organization's critical assets. Depending upon the size of the organization, the number of information assets identified during processes 1 to 3 could easily exceed a hundred. To make the analysis manageable, you need to narrow the focus of the evaluation by selecting the few assets that are most critical to achieving the mission and meeting the business objectives of your organization. These are the only assets that you will analyze during later activities.

Step 1: Identify Critical Assets

Select your organization's five most critical assets. When you select critical assets, you are not bound to choose only five. Five assets are normally enough to enable you to develop a good set of mitigation plans during phase 3. However, you must use your judgment—you can select fewer than five or more than five if you desire. As you select critical assets, consider which assets will result in a large adverse impact on the organization in one of the following scenarios:

• Disclosure to unauthorized people

• Modification without authorization

• Loss or destruction

• Interrupted access

Remember that each of you brings a unique perspective to the discussion. Make sure you review the consolidated list of important assets from the processes 1 to 3 workshops. It is important that you review what was judged to be important from the participants' perspectives. Remember that you must consider the organizational view when you make your selections. When you reach a decision and select the critical assets, make sure that you record your selections.

Let's review which critical assets the analysis team at MedSite selected. Before reaching a decision, each analysis team member reviewed the assets identified as important by each organizational level, the rationale for selecting them, the security requirements for each important asset, and the areas of concern for each important asset. They then engaged in a lively discussion about the relative merits of selecting each asset. In the end, they selected the five assets shown in Figure 6-8.

You should not feel overly bound to the assets identified as important during the knowledge elicitation workshops. Often, an organization's critical assets will have been identified as important during earlier workshops. However, if you feel that one of the other assets from those workshops is critical to your organization, you can select it.

For example, in this case study, at MedSite, personal computers were not identified as an important asset by any of the groups during processes 1 to 3. However, when the analysis team was selecting MedSite's critical assets, it realized how important personal computers were for accessing all of the organization's systems. Thus, the analysis team decided to make personal computers one of the critical assets.

Step 2: Record the Rationale for Selecting Each Critical Asset

While selecting critical assets in step 1, you will discuss a lot of issues related to these assets. In this step you document your rationale for selecting each critical asset so that if you are asked subsequently why you designated an asset as critical after the evaluation, you will be able to provide an answer. In addition, by understanding why an asset is critical, you will be better able to define security requirements and threats in later process 4 activities. For each critical asset, consider and record your answer to this question: Why is the asset critical to meeting the mission of your organization?

At MedSite, the analysis team recorded information related to the organization's critical assets. Figure 6-9 shows information related to PIDS. The rationale for including PIDS as a critical asset is simple: MedSite depends upon it to deliver patient care. PIDS stores, processes, and transmits many types of patient information for various departments at MedSite. The other piece of information that the team recorded is a description of PIDS. Step 3 deals with how to create a description for each critical asset.

Step 3: Record a Description for Each Critical Asset

Discuss the operational aspects of each asset. Consider the following questions for each critical asset.

• Who controls it?

• Who is responsible for it?

• Who uses it?

• How is it used?

These questions focus on how assets are used and why they are important. If you can't answer all of these questions, you may need to ask people in your organization who can answer them. The information that you identify by answering these questions will be useful later in this process when you identify threats to the critical assets and in process 8 when you build mitigation plans. Make sure that you record this information.

At MedSite, the analysis team discussed the questions relative to PIDS. Two of the team members wrote a brief description based on their experiences using PIDS. Figure 6-9 shows the results.

Now that you have identified the critical assets for your organization, you next need to document what about each asset is important by describing or refining its security requirements. In the next activity we examine this topic.