XYZ Bank is a local bank that has faced some information security attacks recently. Due to that, they have terminated their contract with the outsourced IT/IS functions. Now the bank is interested in developing a risk management process for its information technology infrastructure. For that purpose, the bank is particularly interested in the processes of asset identification, threat identification, assessment of the risks and preparing a risk mitigation/countermeasure procedure.
The aim of this report is to complete these processes based on information about the current information technology infrastructure of the bank.
In information security and technology parlance, an asset is a system that is used for storing, processing or transmitting data and information. Each such asset has an impact on the business of the organization and can affect its revenue, reputation and future prospects.
Other than systems, documentation and human resources are also assets of an organization. It is difficult to identify these assets properly (Bishop, 2011).
The classification of assets of an organization is given as,
Asset attributes related to the people of an organization include information such as the social security number, other identification numbers, personal details like name, date of birth etc., and details of expertise and skills. In general, all details about an individual that are stored or processed by the organization are assets for the organization, as this information adds value to the business.
Details about the business process, business documentation, information storage and retrieval information etc. are the asset attributes of procedures followed by an organization.
Data about the operations and transactions made by the business, along with information like the owner of the data, metadata, data structure, type of data, location of data, data backup plans etc., are the asset attributes for data.
Asset identification should be done with tools or techniques that help to understand the assets and their ‘valuations’ in terms of information security and the business. The asset identification process of the XYZ bank will be done using a Weighted Factor Analysis Worksheet technique. In this technique, a particular weight is assigned to each identified asset. The weights are given based on the impact of those assets on the bank.
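The worksheet calculation described above can be sketched as follows. This is an added example, not part of the original report: the three criteria and their weights, the 0.1 to 1.0 impact scale, and the sample assets with their scores are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed criteria and weights (must total 100). The report names revenue,
# reputation and future prospects as the things an asset can affect.
CRITERIA = {"revenue": 40, "reputation": 35, "future_prospects": 25}


@dataclass
class Asset:
    name: str
    category: str   # people, procedures or data, as classified in the report
    scores: dict    # criterion -> impact score in [0.1, 1.0] (assumed scale)


def weighted_score(asset, criteria=CRITERIA):
    """Return the asset's weighted impact on a 0-100 scale."""
    if sum(criteria.values()) != 100:
        raise ValueError("criterion weights must total 100")
    if set(asset.scores) != set(criteria):
        raise ValueError(f"{asset.name}: one score per criterion is required")
    for criterion, score in asset.scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{asset.name}: {criterion} score out of range")
    total = sum(criteria[c] * asset.scores[c] for c in criteria)
    return round(total, 1)


def rank_assets(assets, criteria=CRITERIA):
    """Return (name, score) pairs, highest impact first, ties broken by name."""
    scored = [(a.name, weighted_score(a, criteria)) for a in assets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample worksheet rows, one per asset category in the report.
SAMPLE_ASSETS = [
    Asset("Customer account records", "data",
          {"revenue": 1.0, "reputation": 1.0, "future_prospects": 0.8}),
    Asset("Staff identity details", "people",
          {"revenue": 0.3, "reputation": 0.8, "future_prospects": 0.4}),
    Asset("Backup and retrieval procedure", "procedures",
          {"revenue": 0.6, "reputation": 0.5, "future_prospects": 0.5}),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```

The ranked output gives the order in which assets should be carried into threat identification and risk assessment, with the highest-impact asset first.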