Cybersecurity - Asset Classification
Jul 30, 2021
Let us start with why asset classification is so essential. Asset classification is the foundation of everything else to come in cybersecurity; it will help your organization, small or large, to better identify, understand, manage, and classify its assets. Here is the challenge: the business will hear, "Oh, you want to spend how much, just to know what we have, which you should have known to begin with?" These are tricky questions to answer, because the business sees no value in this effort. It does not make their product or service better, the customer does not see any improvement in service or features, and so on.
However, it will assist your leadership in determining which processes and assets are the most important in assuring critical operations, service delivery, and overall business resilience. This, in turn, indicates where to focus your cybersecurity investments in a world of limited budgets and increasing costs. Now you could articulate this point even further, but that is not the focus of this episode, so let us get back to asset classification, shall we?
The assets can be categorized into three distinct types; however, how they are named may vary from company to company or industry to industry. The three categories are crown jewels, business-critical, and business crucial. I will break them down for you, starting with the crown jewels.
Crown jewels are the most prized and valuable assets related to profitability and future gains or client prospects. Failure of these assets could result in the company going out of business. Crown jewel assets can be tangible or intangible.
Some examples of these crown jewel assets are:
- Safety systems: if they fail, the result may be injury, loss of life, or an environmental disaster; examples are the safety systems in a coal mine or a nuclear plant. Imagine if these safety systems failed.
- Mission-critical systems: a failure at this level would defeat critical objectives, such as the navigational system of an aircraft. A tragic example is Lion Air Flight 610, which crashed in October 2018, and Ethiopian Airlines Flight 302, which crashed in March 2019; both were Boeing 737 Max aircraft. Post-crash investigations found that in both the Lion Air and Ethiopian Airlines crashes, incorrect data from a single angle-of-attack sensor caused the Maneuvering Characteristics Augmentation System (MCAS) to force the planes into repeated nosedives that the pilots eventually could not pull out of.
Business-critical systems are those whose failure results in very high costs for the business, such as the customer accounting system in a bank or a CRM application serving a customer service organization.
Business crucial systems are those that are not critical but still have a significant impact; for example, systems that may not bring down a critical system but do affect its performance. Let us take LinkedIn as an example: one of LinkedIn's features is video posting, which is supported by a business crucial system. If that system fails, LinkedIn's core service is not taken offline, but the impact is still significant.
Does this make sense? Identifying and classifying these assets is essential for any organization. Remember, an asset can be tangible or intangible, so do not hyper-focus on the systems, servers, databases, firewalls, routers, etc. Always keep a questioning attitude.
So, a final thought: categorizing these assets is essential. When a cyber event happens, prioritization is aligned to the classification, and the risk metrics are calculated in terms of what is essential for the organization. Moreover, remember that this applies not only to a cyber event but also to cybersecurity investments.
Dr. Bill Souza
Executive Cyber Education