Sir Francis Bacon is attributed with the quote, "Knowledge is Power". There have been many variations on this phrase but I want to add one more twist around information assets.
I presented at a conference last week where the session was dedicated to discussing the risks and remedies of ransomware, which are the practices and technologies used by bad guys to gain access to systems and hold information hostage until a ransom is paid. Sometimes the information they get ahold of is not so important, but other times they hit the jackpot and gain access to the "crown jewels" of a company - customer information, trade secrets or pending business strategies and plans. Company and institutional knowledge/information your company has worked hard to accumulate, formulate, organize and use is the lifeblood of your business. In some organizations, this information is the most vital asset they possess.
The venue for my presentation was the Washington D.C. Spy Museum. As I toured the museum afterward, I learned a few things about the history of "spying". I learned that people who spy do it for many reasons, but the single most important goal is the attainment of - you guessed it, information. Information gives them power. Back to the "knowledge is power" concept - when the bad guys have access to your information, they don't necessarily have knowledge but they have power. However, safe and secure in your hands, this information equates to knowledge, and how this knowledge translates into power is in your ability to use it to compete and win in the marketplace.
My speaking topic at the conference was business resiliency. A key underlying tenet is having an understanding of what is most important to your organization - and this starts at the top. For example, (the most critical) products/services provided to customers; the business processes that produce them; supporting IT systems; and the information assets produced or used in that product/service. Determining what is critical starts at the highest levels and can be determined through business impact analyses (BIA).
Let me share an example and a caution. Not all information is created equal (or equally important). For example, Coca Cola's recipe for Coke is, safe to say, very critical to them, whereas a lower tier vendor's contract details probably isn't as critical. Now, these examples are obvious and most companies intuitively know what their most importation information assets are, and maybe have an inkling of what is on the lower end of the scale. But, what about what is in between? Herein lies the rub - of the hundreds of information assets organizations produce and use, do they know which of those are critical? Which of these information assets are undervalued and therefore under-protected? Which require special compliance considerations? This all presents exposure and risk.
There are many implications on information assets across the spectrum of governance, risk and compliance (GRC) activities. For example, which risks or threats could impact your information; what compliance requirements such as privacy considerations require that you take certain protective steps and implement controls, and could result in penalties if not done; or which vendors have access to your (critical) information and what are they doing with it, and are they protecting it. Given the far-reaching implications to your organization across many use cases, these GRC activities related to information assets should be coordinated at some level. This blog highlights just a few examples of the exposures our organizations face due to not properly evaluating criticality of and exposures to our information assets.
I took this picture at the Spy Museum of a Trojan horse exhibit, which depicts the infamous method Greek soldiers used to infiltrate the City of Troy and win the Trojan War. In today's world, the goal is access to information. Now, a Trojan malicious computer program is used to gain unauthorized access to a computer and access personal or proprietary information. Information assets are the lifeblood of our organizations and we must remember that their proper use, management and protection enables our power to compete and thrive.
Author: Patrick Potter
Category: RSA Fundamentals, Blog Post