Information remains critical

The question of classifying information that has relative value is a tricky one. Gartner offers its methodology.
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 14 Jul 2008

In a bid to assist organisations in classifying data, a crucial part of any information risk management exercise, research house Gartner recently released its methodology for sorting the crucial from the trivial.

According to the report, it is well understood that risk is a function of asset value. "A hacked or crashed computer has no loss impact unless valuable data is accessed or mission-critical functionality is inaccessible.

"It is also well recognised that the amount of money spent on protective controls must be appropriate for the risk - it makes no sense to apply the highest levels of protection to every single IT asset. Determining just what level of protection is necessary requires some understanding of the system's or data asset's relative importance, a process that often is referred to as 'classification'.

"The IT risk management practice is still somewhat burdened by early unsuccessful attempts to completely quantify risk, which leads many organisations to feed the risk management process by undertaking completely impractical data classification processes.

"Organisations recognising the futility of this approach often err in the opposite direction, avoiding information asset classification as an impossible exercise. However, a growing number of organisations have taken a very practical approach to identifying which information has a high protection priority."

High-water mark

The basic process is simple, the report notes. "For a given IT asset, an estimation is made of the largest potential business impact, based on failures of confidentiality, integrity and availability. The relative business impact of these three types of failure events is estimated as being high, medium or low. The overall sensitivity, or classification, of an information asset is the 'high-water mark' of the three different estimations.

"For example, if a system is estimated as having a low requirement for confidentiality, a medium requirement for data integrity and a high requirement for service availability, then that IT asset is treated as having a high requirement for attention. To apply such a model, an organisational-criticality model must specify exactly what constitutes an IT asset, and a consistent scale of high, medium and low must be applied for confidentiality, integrity and availability."

Further, the report states: "The model can be very flexibly applied to whatever an organisation considers IT assets, whether servers or services. Almost anything that is information-related can fit into the model, as long as it is identifiable and rateable. A single assessed asset can include multiple components (there will always be a higher level of granularity), as long as the organisation understands that a single assessment will apply to the whole.

"Although at first glance it seems somewhat imprecise, the use of a three-level scale has proved highly practical. Four- and five-level scales are difficult to apply without training and their use requires a great deal of discipline. Of course, even a three-level scale can be applied successfully only if everyone using it has a consistent understanding of what constitutes high, medium and low," Gartner states.

Start simple

The research firm recommends starting with a simple model and not extending it until after it has proven itself in the organisation as being practical to use, compatible with the organisation's internal politics and providing output that can drive good decisions. That said, the model certainly can be extended in multiple ways. A common extension is to add the dimension of time. In many cases, the protective requirements for information diminish over time.
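The model described above (high/medium/low ratings for confidentiality, integrity and availability, the high-water mark as the overall classification, one assessment applying to a whole multi-component asset, and the time extension) is straightforward to express in code. The example below is an added illustration written for this page; it is not Gartner's or the article's own code. The three-level scale and the "highest of the three" rule come from the report; the decay schedule (one confidentiality level per three years, assumed via `years_per_step`), the function names and the sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Sequence

# The report's three-level scale. A consistent mapping is the whole game:
# everyone rating assets must mean the same thing by high/medium/low.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


def _level(value: str, dimension: str) -> int:
    """Normalise one rating and reject anything off the high/medium/low scale."""
    key = value.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"{dimension}: {value!r} is not on the high/medium/low scale")
    return LEVELS[key]


@dataclass(frozen=True)
class Rating:
    """Estimated business impact of a confidentiality, integrity or availability failure."""
    confidentiality: str
    integrity: str
    availability: str

    def levels(self) -> tuple:
        return (_level(self.confidentiality, "confidentiality"),
                _level(self.integrity, "integrity"),
                _level(self.availability, "availability"))


def high_water_mark(rating: Rating) -> str:
    """Overall classification is the highest of the three impact estimates."""
    return NAMES[max(rating.levels())]


@dataclass(frozen=True)
class Asset:
    """An IT asset (server, service, data set) made of one or more rated components.
    A single assessment applies to the whole, so the asset inherits the mark of
    its most sensitive component."""
    name: str
    components: Sequence[Rating]


def classify_asset(asset: Asset) -> str:
    if not asset.components:
        raise ValueError(f"{asset.name}: nothing to rate")
    return NAMES[max(max(c.levels()) for c in asset.components)]


def age_adjusted(rating: Rating, years_elapsed: int, years_per_step: int = 3) -> Rating:
    """Time extension with an ASSUMED schedule (not from the report): the
    confidentiality requirement drops one level for every `years_per_step`
    years since the information was produced, never below low. Integrity and
    availability are left alone; an old record still has to be correct and
    reachable if it is needed at all."""
    c, i, a = rating.levels()
    steps = max(0, years_elapsed) // years_per_step
    return Rating(NAMES[max(1, c - steps)], NAMES[i], NAMES[a])


def rank_assets(assets: Sequence[Asset]) -> List[tuple]:
    """Self-assessment roll-up: (name, classification) ordered high first, so the
    protection budget is discussed from the top of the list down."""
    scored = [(a.name, classify_asset(a)) for a in assets]
    return sorted(scored, key=lambda t: -LEVELS[t[1]])


if __name__ == "__main__":
    # Constructed sample self-assessment, not real data.
    assets = [
        Asset("public web site", [Rating("low", "medium", "high")]),  # the report's own example
        Asset("intranet wiki", [Rating("low", "low", "low"), Rating("medium", "low", "low")]),
        Asset("payroll export", [Rating("high", "high", "low")]),
    ]
    for name, mark in rank_assets(assets):
        print(f"{mark:>6}  {name}")
```

Two points are worth noticing. Rejecting any value outside the three-level scale is what enforces the "consistent understanding of high, medium and low" the report insists on: a self-assessment spreadsheet with "critical" or "n/a" in it fails loudly instead of being silently treated as low. And because `age_adjusted` only touches confidentiality, the public web site in the sample keeps its high mark however old it gets; its requirement was availability, which does not decay.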

"This model is intended primarily for periodic assessments of information assets that are actively being used. Its simplicity makes it particularly appropriate for self-assessment exercises in which business managers are expected to assess the sensitivity of their own information. However, the basic confidentiality/integrity/availability and high/medium/low data-criticality expression can be used successfully at any point in the IT asset lifecycle where it is necessary to understand the potential impact of a failure," the report adds.

* Source: Gartner - A Simple Method for Expressing Information Criticality and Classification, Jay Heiser, 20 March 2008.

* Article first published on brainstorm.itweb.co.za