Creating an IT Infrastructure Asset List

Abstract

This document was created following Lab #1 titled Creating an IT Infrastructure Asses List and Identifying Where Privacy Data Resides in the laboratory manual that accompanies Legal Issues in Information Security. The lab focuses on creating an IT assets/inventory checklist organized within the seven domains of IT infrastructure. Identifying assets and applying classifications to each asset and explaining how data classification standard is linked to customer privacy data and security controls. In addition to answering questions presented in the lab, I will also identify 1 piece of hardware, software, or firmware and provide a technical, operational, and managerial control as defined in SP 800-53 R4.

Keywords: Asset List, Privacy Data, SP 800-53 R4, Data Classification

Creating an IT Asset List and Identifying Where Privacy Data Resides

Organizations who handle customer data are increasingly being attacked by unscrupulous actors. One of the most sought after and stolen data is the organizations private customer data. The theft of this information can be used for a variety of reasons including identity theft. The protection of this important privacy data is best implemented with a well-planned strategy focused on minimizing the risk of improper disclosure.

An asset is anything that contains value to the organization. Inventory is considered part of an asset. The purpose for identifying assets and inventory is to quantify them and provide insight of threats to each asset. This is accomplished by using Risk Management. Asset Identification is more than creating a list of the hardware and software in the computer, it must include the information, or data, that is processed on those computers (Kadel, 2004). Part of the identification should not only be what the assets are, but also who in the organization is responsible for the asset. Once an organization has identified all the assets they can assign a value, and classification to the asset. It is important to keep asset and inventory documentation updated when assets are added or removed from the organization.

Asset classification is a process in which each asset identified is given a classification. The organizations security policy should make mention of relevant labels for classification. The lab manual offers the following three classifications Critical, Major, and Minor. One purpose of asset classification is to label an asset so it receives an appropriate level of protection. This label needs to be defined by upper level management but the IT and security staff is then responsible for implementing the required controls. It is important that senior management make this decision. Without data classification information protection decisions are being made every day at the discretion of security, system, and database administrators (Fowler, 2003).

An organization’s Web site would be classified as minor in this scenario because it is required for normal business functions and operations. The e-commerce server on the other hand would be considered critical because of what the asset does and the type of data it holds. In the lab manual, the web server Linux Server #2 is responsible for hosting the web site. Its function is required for normal business functions but does not contain any information to warrant it being classified as Major and does not represent an intellectual property asset or generate revenue. The e-commerce server on the other hand does generate revenue and is considered as an intellectual property asset. It also contains a customer database subset which contains information that needs to be protected.

One reason customer privacy data would be classified as critical is to meet compliance guidelines. For example, the Gramm-Leach-Biley Act (GLBA) is a law that was passed in 1999 by congress. It requires financial institutions to protect Nonpublic Personal information. One section, known as the safeguards rule required federal bank regulatory agencies to issue security standards to organizations they regulate. If an organization does not follow the law, they can be penalized.

The most compelling reason to classify information is to satisfy regulatory mandates. For example, the Gramm Leach Bliley and the Health Insurance Portability and Accountability Acts mandate information protection controls for financial and medical organizations, respectively. Although information classification is not specified as a required protection measure, it is implied by special handling requirements for sensitive, medical and financial information (Fowler, 2003).

Intellectual property would be considered critical because it is intellectual property. Intellectual property by its nature should be handled as critical. Assume the following example, your organization makes the best widgets, because they are the best, consumers are willing to pay extra for your widgets. This is because they perform better, and last longer than all other widgets being offered by your competitors. If the competitors had access to your widgets design and manufacturing process, your company would lose its competitive advantage over that competitor. Consumers would no longer rate your widgets as the best, and would buy competitors widgets. Loss of this intellectual property would result in your organizations loss of their competitive advantage and revenue.

Some security controls for HIPAA compliance is subcategory PR.DS-5: Protections against data leaks are implanted this can be mapped to the NIST SP 800-53 Rev. 4 controls of AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-32, and SI-4 (HHS, 2016). AC-4 as defined by the NIST SP 800-53 Rev. 4 is referred to as information flow enforcement. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the same organization (NIST, 2003).

A data classification standard helps with asset classification because it sets a framework for uniformly assignment of classification. This in turn gives the organization guidance on what assets are most important and need to have the highest security controls implemented. This is also beneficial because it gives members of the organization an easy way to determine how to handle such assets.

Under the SI family of the NIST 800-53 Rev 4, you could implement SI-16 known as Memory Protection. You could implement data execution prevention, and address space layout randomization. You could also implement SI-7 known as Software, Firmware, and Information Integrity. The intent of this control is to protect against unauthorized changes to software, or firmware. This should be implemented using an integrity verification tool, that reports any inconsistencies or changes that were not approved. In the IA family, you could implement Identifier Management or IA-4. In this case the organization could user role based access to the server. If your user account does not have access to the resource, you will not be able to access it.

I would recommend implicating two factor authentications for all users in the Mock infrastructure. This is important because one factor authentication such as something you know is considered a weak form of authentication. A solution such as a device that generates a random token that is also used would make the customer data much more secure. I would also implement a encrypted VPN solution for users that connect over to the ASA_student switch. A VPN uses a secure tunnel and all traffic through the tunnel will be encrypted. Last, I would make modifications to the network layout, the current layout does not allow for protective isolations. For example, the web server should be positioned in a DMZ and separated from the other components of the network.

An organization can use risk analysis to help mitigate risks, threats, and liabilities. A risk assessment is used to document the identity of assets, threats, and how the organization wants to mitigate the risk. The overall purpose of risk analysis is to identify the assets within a company and their value so that you can identify threats against those assets (Clark, 2014). The risk assessment is broken in to separate phases. The first phase is the identification of assets in this phase the organization identifies the assets. The second phase, focuses on identification of threats to each asset. It is important to understand that most of the threats come from the fact that weaknesses, or vulnerabilities, exist in the assets of the business (Clark, 2014). The third phase known as the impact analysis phase. The goal of impact analysis is to identify what the result of the threat occurring would be on the business (Clark, 2014). The fourth phase known as threat prioritization. In this phase the organization needs to prioritize the threats against each asset. You must prioritize the threats based on their impact and probability of occurring (Clark, 2014). The fifth phase, known as mitigation is the step that in most cases implements a security control to lower the risk associated with a threat. This is the phase where a control is implemented to reduce the risks, threats and liabilities. The last and final step, is evaluation of residual risk. This is looking at the remaining threats and deciding if the organization has properly mitigated the risk. It is critical to express this residual risk to management and decide if you are willing to accept that residual risk or need to implement additional solutions (Clark, 2014).

True, under both HIPAA and GLBA it calls for an implementation of IT security policies, standards, procedures, and guidelines. GLBA is comprised of the Privacy Rule, Safeguard Rule, and Pretexting Rule. The safe guards rule calls for each of the regulatory agencies to establish security standards. The FTC Safeguards Rule requires financial institutions to create a written information security program (Grama , 2015). HIPAA also calls for a similar implementation of security policies. 45 C.F.R. 164.316 calls for covered entities and business associates to, implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in statute 164.306(b)(2).

It is important to identify where privacy data resides so that proper controls can be placed on that privacy data. This is also important so that management and staff know if any changes made to places where privacy data resides, they leave the protections planned for and implemented in place. This is important for those organizations who are required to follow legislation such as the GLBA and HIPPA.

I choose the workstations in the user domain indicated in “B” in the lab manual. The operational control I choose is AC-9 which informs the user upon successful login, the last day and time of login. This is important because it give the user information relative to the last time their credentials were used. If a user was not at work or did not logon on the last logon shown they would be aware that their credentials have been used by someone else. The one technical control I choose for this piece of hardware is AU-3 which lays out the ground work in regards to audit records. This is important because unsuccessful, and successful logins will be recorded in the audit logs. The managerial control I choose to apply, is AC-2 which involves controls on account management. This is important for workstations to control access. It also defines who should have access to different resources and monitors the use of the information system accounts.

References

Fowler, S. (2003, February 28). Information Classification – Who, Why and How. Retrieved March 11, 2017, from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846

Kadel, L. A. (2004, March 24). Designing and Implementing an Effective InformationSecurity Program: Protecting the Data Assets of Individuals, Small and Large Businesses. Retrieved March 11, 2017, from https://www.sans.org/reading room/whitepapers/hsoffice/designing-implementing-effective-information-security-

program-protecting-data-assets-of-1398

Grama, J. L. (2015). Legal Issues in Information Security; Second Edition. Jones and Bartlett

Learning.

Clark, G.E. (2014). CompTIA Security+ Certification Study Guide (exam SY0-401).

Mcgraw-Hill Education.

Stewart, J. M. (2014). Network Security; Firewalls and Vpns: Second Edition. Jones and

Bartlett Learning.