Jun 02, 2025
Should organizations have data or information owners? Please explain why or why not. Consider the costs, roles, and responsibilities for the data and information.
Course Textbook(s)
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson. https://online.vitalsource.com/#/books/9780134858548
SEC 4303, IS Security Policy Analysis
UNIT V STUDY GUIDE
Protecting Organizational Assets and Data
Course Learning Outcomes for Unit V
Upon completion of this unit, students should be able to:
4. Analyze a security policy for its completeness.
4.1 Determine information classifications for security policies.
4.2 Identify the information owners of an organization.
5. Show a familiarity with a wide range of substantive issues in IS security policy creation.
5.1 Indicate the different types of information assets.
Reading Assignment
Chapter 5: Asset Management and Data Loss Prevention
Unit Lesson
A major benefit of creating a policy is protecting assets and preventing data loss. Without such policies, the chances of data loss or theft of assets increase. The first phase of protecting assets is to determine their value and importance to the organization. For example, if we have Cisco equipment that costs $250,000, policies should be in place to protect that hardware. A lower-value router or piece of specialty equipment still needs a policy, but it can be grouped into a classification covered by general-use rules and best practices. We would not want to spend 20 hours writing an asset policy for assets worth $5,000. At some point there are diminishing returns, so proper planning and good decision-making are needed when examining the need for asset management policies. We also have to plan for future updates as those decisions are made.
Classifications
Identifying and classifying information assets and systems is essential to protecting their confidentiality, integrity, and availability (Santos, 2019). The National Institute of Standards and Technology (NIST) (2018) describes asset identification as uniquely identifying assets (components) based on known identifiers and/or known information about them. Once assets are identified, they can be grouped for common policy treatment. Asset management provides a framework or process to ensure that assets are adequately protected; tracking and inventorying IT hardware and software is one example of an asset management methodology. Organizations should also identify whether an existing asset management system needs to be covered by the policy. The private-sector classification levels used by Santos (2019) are listed below.
Protected: Data that are protected by law, regulation, memorandum of agreement, contractual obligation, or management discretion are considered protected (Santos, 2019). Organizations must keep this nonpublic information away from external parties, employees without the proper access rights, and criminals. A financial institution, for example, holds its customers' Social Security numbers, addresses, account numbers, and credit scores; that information must be protected because the institution is legally and contractually obligated to protect it.
Confidential: Confidential information should be accessible to, and viewed by, only those individuals the organization has deemed trustworthy at the appropriate level. Santos (2019) gives business strategies, financial positions, employee records, upcoming sales or advertising campaigns, laboratory research, and product schematics as examples of confidential artifacts. Within this classification an organization may want its chief financial officer (CFO) to have access to the financial records and balance sheets, but not necessarily to the laboratory research. The confidential classification therefore should not apply only to the most trustworthy personnel; access should also be scoped to the department that owns the data. In the case of the laboratory research, a CFO may not understand the full importance of the information he or she holds and could accidentally discard it in a trash bin, whereas the same CFO would certainly protect the end-of-year financial reports because he or she understands their importance.
Internal use: If information or data are classified for internal use, then that information should be distributed only within the organization. We have seen information technology (IT) take a proactive role by restricting SharePoint site links to internal personnel. For example, in Microsoft 365 and OneDrive, employees usually have the option to share a document or spreadsheet, but if the content is classified as internal use only, external sharing should be disabled so that links cannot be sent to accounts outside the organization's domain or directory.
Public: Public information is the least restrictive classification. Marketing material, product brochures, and annual reports are typical examples. This information is already available to the public, so it is not detrimental if it is sent outside the organization. However, management and possibly the legal department should approve any modifications to the information before release; integrity still matters even where confidentiality does not.
Organizations can find more information on asset management standards in the ISO 55000 series, which comprises three standards: ISO 55000 gives an overview of asset management with standard terms and definitions, ISO 55001 specifies the requirements for an integrated, effective management system for asset management, and ISO 55002 provides guidance on implementing such a system (The Woodhouse Partnership, 2018). These standards can inform the information system (IS) security policies for asset management. Knowing what the organization has, where everything is, how important it is, and who owns it are the essential pieces of asset management.
The following article offers a good outline for creating a policy under ISO 55001. It covers the importance of alignment, top management support, business objectives, purpose, and communication of the policy, and states that the policy should be short, consistent with the overall goals and other policies, provide guidance, and share common elements with other policies. We previously discussed the importance of using templates or common headings so that everyone uses a standard, approved format.
Dunn, S. (n.d.). How to write a good asset management policy - Implementing ISO 55000. https://www.assetivity.com.au/article/asset-management/implementing-iso-55000-part-3-how-to-write-a-good-asset-management-policy.html
Having established that assets must be protected, we need to define how IS assets relate to the organization. Santos (2019) explains that an information asset is a definable piece of information that is recognized as having value. The information residing in our databases is therefore valuable to our operations and counts as an information asset. If you become an IT manager, your department should develop an asset strategy covering information assets, software assets, and information technology equipment.
Consider also the information employees hold in the form of procedures or intellectual property. Santos (2019) lists data warehouses, intellectual property, and operating procedures as information assets. An asset management strategy is a broad plan set by senior management that guides how the organization intends to protect assets, ranging from legislative mandates (and their enforcement) to policies to technical security controls. Information and physical assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage. Having identified the information assets, we also need to assign accountability for managing them.
Are employees considered an asset in an organization’s asset management strategy?
The key concept is to determine the ownership of the information assets. Some of the most important elements to consider when developing an asset management strategy are:
• an inventory of assets,
• definition of responsibility and ownership,
• importance,
• establishment of acceptable use policies for information and assets, and
• protection.
A best practice is for the data owner to also serve as a secondary champion of the confidentiality, integrity, and availability (CIA) model (Santos, 2019). Staff employees are the users of the information, but data owners, such as supervisors or managers, are needed to ensure the policies protecting the assets are enforced.
Once the data owners are identified, the information security officer needs to work with them to review existing policies or create new ones. The information security officer (ISO) should provide direction and guidance on the appropriate controls and ensure that controls are applied consistently throughout the organization (Santos, 2019). A designated employee in the ISO role is ideal, but many organizations cannot fund one because of resource or budget limitations. Many organizations also have ineffective or insufficient policies simply because they have not been updated. Additionally, there needs to be clear communication among users, data owners, and the information security officer regarding these policies.
Summary
As found in Chapter 5, information can be classified by confidentiality, integrity, and availability factors. Santos (2019) also discussed how national security classification uses the levels top secret, secret, confidential, unclassified, and sensitive but unclassified. In business, we can review the sensitivity of the data and then assign access controls depending on the group or level of the employee. For example, an accounts payable employee should have access to the accounts payable forms or pages, but he or she should not have access to the vendor form, because that employee could create a vendor for a family member and then send payments to it. The chief financial officer (CFO), however, should have access to all forms and ensure the payables policies are followed. It is therefore extremely important for IT and human resources (HR) to work together continuously to ensure employees have access only to the information appropriate to their roles within the organization. A large organization may have well-defined processes for this alignment, while many small- or medium-size businesses rely on verbal rather than formal policies.
[Figure: Data owner responsibilities (adapted from Santos, 2019)]
What would be the value and impact of creating a policy to address the information assets, but not assigning teams or groups with a responsibility for the protections?
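The accounts payable scenario above is a separation-of-duties (SoD) problem, and the check is mechanical enough to automate: map roles to permissions, deny by default, and audit every user's combined roles for pairs of permissions that should never sit with one person. The following is an added example, not code from Santos (2019) or the study guide; the role and permission names, the toxic-pair list, and the sample role assignments are assumptions constructed for illustration.

```python
"""Role-based access with a separation-of-duties (SoD) audit.

Added example, not from Santos (2019) or this study guide: a small
role-to-permission table for the accounts payable scenario, a default-deny
permission check, and an audit that flags any user whose combined roles let
them both create a vendor and move money. All names here are assumed.
"""

ROLE_PERMISSIONS = {
    "ap_clerk":     {"view_ap_forms", "enter_invoice"},
    "ap_manager":   {"view_ap_forms", "enter_invoice", "approve_payment"},
    "vendor_admin": {"view_vendor_form", "create_vendor", "edit_vendor"},
    # The CFO sees every form and signs off on payments.
    "cfo": {"view_ap_forms", "view_vendor_form", "approve_payment",
            "create_vendor", "edit_vendor"},
}

# Permission pairs that must never be held by one person: together they let
# a single employee create a vendor (e.g. a relative) and pay it.
TOXIC_PAIRS = (
    frozenset({"create_vendor", "enter_invoice"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"edit_vendor", "approve_payment"}),
)


def effective_permissions(roles):
    """Union of permissions over a user's roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(roles, permission):
    """Default-deny check: True only if some assigned role grants `permission`."""
    return permission in effective_permissions(roles)


def sod_violations(roles):
    """Return the toxic pairs fully covered by this user's effective permissions."""
    perms = effective_permissions(roles)
    return [pair for pair in TOXIC_PAIRS if pair <= perms]


def audit(assignments):
    """Map user -> sorted list of violated pairs, for users with at least one.

    `assignments` maps a user name to the set of roles HR/IT have given them.
    """
    findings = {}
    for user, roles in assignments.items():
        hits = sod_violations(roles)
        if hits:
            findings[user] = sorted(sorted(pair) for pair in hits)
    return findings


# Constructed sample role assignments (not from the study guide).
SAMPLE_ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"vendor_admin"},
    "carol": {"ap_clerk", "vendor_admin"},   # roles accumulated after a transfer
    "dana":  {"cfo"},
}

if __name__ == "__main__":
    print("ap_clerk may create_vendor:", can({"ap_clerk"}, "create_vendor"))
    for user, pairs in audit(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation for {user}: {pairs}")
```

Running the audit flags carol, who kept her old role after a transfer, and also dana, the CFO: giving one role access to every form means it holds both sides of a toxic pair, so that role needs a compensating control (independent review of vendor creations, dual approval above a threshold) rather than a silent exemption from the check.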
References
The Woodhouse Partnership. (2018). Latest news in standards for asset management. ISO 55000 Standards
for Asset Management. https://www.assetmanagementstandards.com/
National Institute of Standards and Technology. (2018). Computer security resource center: Asset
identification. https://csrc.nist.gov/glossary/term/Asset-Identification
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.