An asset is something that is useful or valuable to an individual or an organisation and it can take the form of property, information and even personnel. While all assets are valuable, the level of sensitivity and criticality to an organisation may differ.
Classification of Assets
The main objective of Information Security is to protect and maintain the three tenets, that is, the confidentiality, integrity and availability of Information Assets and Information Systems. Classifying the assets ensures that appropriate security controls are in place for protecting the information. Information assets may be classified based on the sensitivity of the information and the adverse impact it would cause to the organisation if its confidentiality, integrity or availability were compromised.
- Public Information: It is the lowest level of classification whose disclosure will not cause serious negative consequences to the organisation and is thus available to the public, such as the information available on a company’s website.
- Sensitive Information: Data which is treated as classified in comparison to public data, and whose disclosure may be expected to have negative consequences, for example, the disclosure of embarrassing emails.
- Private Information: Data which is meant only for internal use, which is of great significance and whose disclosure may have a significant negative impact on an organisation. Such internal information should only be handled by employees and access by outsiders should be restricted; the salary information of the employees in an organisation is an example.
- Confidential Information: It is the highest level of the classification scheme, restricted to a limited group of people within an organisation. It is reserved for extremely sensitive data and internal data which can cause a considerable amount of damage to an organisation if it is disclosed or damaged. Proprietary data is an example.
Information Assets Roles and Responsibilities
A Data Owner is usually the most senior officer in a department and is responsible for specific data that may be used, transmitted or stored on one or more systems. The owner has administrative control over the management and use of that particular data and is generally responsible for establishing the guidelines for granting and revoking access privileges, for ensuring compliance with policies, and for assigning the appropriate classification to information assets.
A Data Custodian or a system administrator is accountable for the technical control over the information assets. The custodian usually has the administrator account or equivalent level of access and is responsible for ensuring that access guidelines established by the owner are carefully followed.
A Data User can be an employee, contractor or third-party provider who is authorised by the Data Owner to access information assets. The data user is expected to follow all policies and guidelines put in place by the above authorities for safeguarding the information assets.
Access Control is a method by which users are granted access to systems, resources or information. This is done after verifying that a user is who they say they are and they have appropriate access.
Components of Access Control
In order to gain access to certain resources or services, a user must first establish his identity, that is, show that he holds the necessary credentials and has been given the necessary rights or privileges to perform the actions he is requesting. Identification is usually done with the help of a username or account number.
When a user has been identified, he must also prove that he is who he says he is. Authentication is the process for verifying the user’s identity so that appropriate access to resources can be given. There are three ways a user can be authenticated – (i) something a person knows, such as a password or PIN; (ii) something a person has, such as a card or a key; and lastly (iii) something a person is, for example, biometrics such as fingerprints and face ID. In other words, a user can be authenticated by knowledge, ownership and characteristic.
Once a user has been identified and authenticated, the process of specifying access rights or privileges to resources takes place, which is known as authorisation. If the system determines that the user has access rights to the resource, it authorises the user.
Once the user has been authorised to access the resources, it is also necessary to keep audit logs, monitor the user’s activities and enforce accountability for his actions. This may also involve adding and removing the authentication and authorisation of users or systems.
Types of access control
Attribute Based Access Control (ABAC)
In ABAC, the resources and users are assigned a series of attributes, which are then assessed to allow or deny access to the resources and services. A central policy generally defines which combinations of user and resource attributes are required to perform any action.
Discretionary Access Control (DAC)
In DAC, the data owner or administrator of the system or resources sets the policies and determines who can access specific resources. For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions.
Mandatory Access Control (MAC)
In MAC, a central authority operating on multiple levels of security is responsible for granting access rights, and users have little freedom to determine who has access to their files. For example, the security clearance of users and the classification of data (such as public, sensitive or confidential) are used as the basis on which the operating system or security kernel grants or denies access.
Role-Based Access Control (RBAC)
RBAC allows access based on the job title or business function, that is, the role the user holds within the company and the privileges that come with it. In RBAC, access is controlled at the system level and is outside of user control. For example, only network administrators should have access to create network accounts, and this privilege should be denied to a human resources or marketing specialist.
Rule-Based Access Control (RAC)
The RAC method allows the administrator to define a set of rules and guidelines that are meant to govern who has access to a specific system or resource. These rules may also be based on certain conditions such as time and location. For example, students are allowed to use the labs only during a certain time of the day.