Information as an Asset
Many people are used to viewing tangible objects as assets but have difficulty appreciating that information can be an asset. Companies spend billions of dollars every year on research and development. The discovered information is worth at least the amount of resources taken to derive the information plus the economic gain produced by the information. For example, if a company spends $200,000 researching a process that will in turn generate $1 million in revenue, then that data is worth at least $1.2 million. You can think of this economic gain as a simple equation:
VI (Value of Information) = C (Cost to Produce) + VG (Value Gained)
While some people are not yet fully cognizant of the concept, data does indeed represent a valuable asset. When we speak of the “information age” or our “information-based economy,” it is important to realize that these terms are not just buzzwords. Information is a real commodity. It is as much an economic asset as any other item in a company’s possession. In fact, it is most often the case that the data residing on a company’s computer is worth far more than the hardware and software of the computer system itself. It is certainly the case that the data is much more difficult to replace than the computer hardware and software.
To truly appreciate the concept of information as a commodity, consider the process of earning a college degree. You spend 4 years sitting in various classrooms. You pay a significant amount of money for the privilege of sitting in those rooms and listening to others speak at length on various topics. At the end of the 4 years, the only tangible product you receive is a single piece of paper. Surely you can get a piece of paper for far less cost and with much less effort. What you actually paid for was the information you received. The same is true of the value of many professions. Doctors, attorneys, engineers, consultants, managers, and so forth are all consulted for their expert information. Information itself is the valuable commodity.
The data stored in computer systems has a high value for two reasons. First, a great deal of time and effort go into creating and analyzing the data. If you spend 6 months with a team of five people gathering and analyzing information, then that information is worth at least an amount equal to the salaries and benefits of those people for that length of time. Second, data often has intrinsic value, apart from the time and effort spent acquiring those facts. If the facts are about a proprietary process, invention, or algorithm, the value is obvious. However, any data that might provide a competitive edge is inherently valuable. For example, insurance companies frequently employ teams of statisticians and actuaries who use the latest technology to try to predict the risks associated with any given group of potential insureds. The resulting statistical information might be quite valuable to a competing insurance company. Even a customer contact list has a certain inherent value.
Thus, as you work in the computer security field, always keep in mind that any data that might have economic value is an asset to your organization and that such data provides an attractive target for any competitors who may not have ethical inhibitions against using espionage. If your company management thinks that this threat is not real, then they are very much mistaken. Any company is a potential victim of corporate espionage. You should take steps to protect your valuable information—and the first critical step in this process is asset identification.
Asset identification is the process of listing the assets that you believe support your organization. This list should include things that impact direct day-to-day operations as well as those that are tied to your company’s services or products. The CERT website offers a very useful worksheet that you can use to itemize the assets in your organization.5 This workbook includes a number of other useful worksheets for assuring information security within your organization. As the table of contents in Figure 7.1 shows, this workbook is also a tutorial that steps you through the various considerations in information security.
Figure 7.1 Table of contents from the CERT Supplemental Resource Guide.
Table 7.1 is a variation on the worksheet provided by CERT. Armed with this table and based on your knowledge and experience with your company, you can complete an asset identification by following the steps outlined below:
Table 7.1 Asset Identification Worksheet

| Information | Systems | Services and Applications | Other Assets |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
1. In the first column of the table, list the information assets. You should list the types of information used by people in your company—the information people need to do their jobs. Examples are product designs, software programs, system designs, documentation, customer orders, and personnel data.
2. For each entry in the first column, fill in the second column with the names of the systems on which that information resides. In each case, ask yourself which systems people need to perform their jobs.
3. For each entry in the first column, fill in the third column with the names of the related applications and services. In each case, determine which applications or services individuals need to perform their jobs.
4. In the last column, list any other assets that may or may not be directly related to the other three columns. Examples are databases with customer information, systems used in production, word processors used to produce documentation, compilers used by programmers, and human resources systems.
Once you complete these steps to fill out Table 7.1, you will have a good understanding of the critical assets for your organization. With this information, you will know how best to devote your defensive efforts. Some specific protective steps will be examined later in this chapter.
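As an added example (not from the book or the CERT worksheet), the following Python script keeps the Table 7.1 register as data, values each information asset with the chapter's VI = C + VG rule, flags rows where no system or application has been recorded, and renders the ranked four-column layout. All asset names, system names and dollar figures are constructed for illustration; the first row reuses the chapter's $200,000 / $1 million figures.

```python
"""Asset identification worksheet helper (added example, not from the book).
Values each information asset with VI = C + VG, flags rows with no system or
application recorded, and renders the four-column layout of Table 7.1.
All names and figures below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class InformationAsset:
    name: str
    cost_to_produce: float  # C: resources spent deriving the information
    value_gained: float     # VG: economic gain the information produces
    systems: list = field(default_factory=list)   # Table 7.1, column 2
    services: list = field(default_factory=list)  # column 3
    other: list = field(default_factory=list)     # column 4

    def value(self) -> float:
        """VI = C + VG, the valuation rule stated in the chapter."""
        return self.cost_to_produce + self.value_gained


def find_gaps(assets):
    """Information assets with no system or no application recorded: data that
    lives on no identified system cannot be defended, so the row is unfinished."""
    return [a.name for a in assets if not a.systems or not a.services]


def rank_by_value(assets):
    """Highest-value assets first, i.e. where defensive effort should go."""
    return sorted(assets, key=lambda a: a.value(), reverse=True)


def render_table(assets):
    """Render the ranked register in the four-column layout of Table 7.1."""
    rows = ["| Information | Systems | Services and Applications | Other Assets |",
            "|---|---|---|---|"]
    for a in rank_by_value(assets):
        rows.append(f"| {a.name} (${a.value():,.0f}) | {', '.join(a.systems)} | "
                    f"{', '.join(a.services)} | {', '.join(a.other)} |")
    return "\n".join(rows)


# Constructed sample: the first row uses the chapter's $200,000 / $1 million figures.
SAMPLE = [
    InformationAsset("process research", 200_000, 1_000_000, systems=["r&d-fileserver"],
                     services=["CAD suite"], other=["lab notebooks"]),
    InformationAsset("customer contact list", 15_000, 60_000, systems=["crm-db"],
                     services=["CRM web app"]),
    InformationAsset("actuarial risk tables", 300_000, 450_000),  # not yet mapped
]
```

Running `print(render_table(SAMPLE))` and `print(find_gaps(SAMPLE))` shows the ranked worksheet and the one row (the unmapped actuarial tables) that still needs its systems and applications identified before the asset can be protected.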