Information Assets of Value are the “things” that a company, an organization and, in a non-professional sense, an individual have determined are vital to their continued operation, safety, security, well-being, etc. For the purpose of basic understanding, it can be most easily explained from the vantage point of the individual. A homeowner utilizes preventive measures, such as hurricane shutters, to protect their property. Concurrently, they also understand that preventive measures are not fail-proof, so they also utilize reactive measures, such as an insurance policy, to ensure that they are able to replace any assets of value that may ultimately be lost.
In the organizational context (e.g. small business, financial institution, university, etc.) of Information Management and Information Technology operations, Information Assets of Value (AOV) are the assets that require assessment in the risk management process to determine if protection is required and, if so, the degree of protection required. In the organizational sense, information AOV may include physical items, such as working facilities, personnel, servers, and computer workstations. More specifically, in the case of organizations such as financial institutions, AOV may include intangible objects such as the databases, auditing programs and other critical software that are essential to ensure continued and successful operations.
Once AOVs have been determined, it is necessary to determine what the actual level of risk is regarding them. A risk can be defined as the probability of damage, injury, liability, or loss caused by external or internal vulnerabilities. This generic definition can be more succinctly applied to Information Management and Information Technology by considering the most critical components pertaining to risk, which are the classic triad of Confidentiality, Integrity, and Availability (CIA). A crucial part of the risk management cost analysis is determining what the “measure of the magnitude of loss or impact on the value of an asset” actually is, in order to accurately identify its overall exposure factor. These concepts, in turn, lead one into the large and often overwhelming territory of risk management.
Organizations must identify AOVs, the potential risk to said assets, and how the potential risks will be managed in the form of preventive safeguards, disaster recovery, continuity of operations, and contingency planning. Once the potential risks have been identified, prioritized and mitigated to the greatest extent financially and technically possible, there will invariably still be risk incurred. This is the key difference between initial and residual risk. The initial risk is what was identified in the risk management process, and the residual risk is that which remains following the implementation of security controls (e.g. standard operating procedures, secure technical configuration, personnel vetting processes, etc.).
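The cost analysis of the preceding two paragraphs, worked through for a constructed inventory of Assets of Value, as an added example that is not part of the original text. The exposure factor is the page's term; the single loss expectancy (SLE = AV × EF) and annualized loss expectancy (ALE = SLE × ARO) formulas are the standard quantitative risk model, assumed here, and every dollar figure and rate is an illustrative, constructed value.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float            # asset value (AV), constructed dollar figure
    exposure_factor: float  # EF: fraction of AV lost in a single incident
    aro: float              # annualized rate of occurrence of the threat

@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction by which the safeguard lowers the ARO

def sle(asset: Asset) -> float:
    """Single loss expectancy: magnitude of loss from one incident."""
    return asset.value * asset.exposure_factor

def ale(asset: Asset) -> float:
    """Annualized loss expectancy: the initial (pre-control) risk."""
    return sle(asset) * asset.aro

def residual_ale(asset: Asset, control: Control) -> float:
    """Risk that remains once the control is in place (residual risk)."""
    return sle(asset) * asset.aro * (1.0 - control.aro_reduction)

def net_benefit(asset: Asset, control: Control) -> float:
    """Annual risk reduction minus the control's cost; a negative value means
    the safeguard costs more than the risk it removes, so the risk is accepted."""
    return ale(asset) - residual_ale(asset, control) - control.annual_cost

def prioritise(assets):
    """Order AOVs by initial risk so the largest exposures are treated first."""
    return sorted(assets, key=ale, reverse=True)

# Constructed inventory: values, factors and rates are illustrative only.
ASSETS = [
    Asset("customer database", 2_000_000, 0.5, 0.2),
    Asset("office workstations", 50_000, 1.0, 0.5),
    Asset("data centre facility", 5_000_000, 0.1, 0.1),
]
CONTROLS = {  # hypothetical safeguards costed against the assets above
    "customer database": Control("encryption + tested backups", 40_000, 0.75),
    "office workstations": Control("managed reimaging service", 60_000, 0.5),
}

if __name__ == "__main__":
    for a in prioritise(ASSETS):
        c = CONTROLS.get(a.name)
        line = f"{a.name}: SLE={sle(a):,.0f} ALE={ale(a):,.0f}"
        if c:
            line += f" -> residual={residual_ale(a, c):,.0f} net={net_benefit(a, c):,.0f}"
        print(line)
```

Running it shows the database control paying for itself while the workstation control costs more than the risk it removes, which is exactly the accept-or-mitigate decision the residual-risk discussion describes.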
Ultimately, a significant portion of the risk management process, as a whole, is determining the relationship between threats and vulnerabilities. A threat cannot exist if there is no vulnerability. This can be most easily understood in three separate contexts. In the first context, network users can pose a threat to an organization’s network if they are not properly trained to spot suspicious emails or unauthorized personnel. Additionally, even technical personnel can pose a threat to a network if separation of duties does not exist (e.g. server administrators have access to network switches). The second context involves the implementation of security processes. These may include standard operating procedures that identify how personnel will be vetted prior to being granted access to the network. They may also include two-person integrity processes that ensure certain changes, access, etc. are not available to a single individual. Finally, in the third context, technical controls can be implemented to minimize the possibility of external or internal intrusions. Specifically, these may include network firewalls, which restrict traffic by type, port, etc. They may also include the implementation of network access control systems, which prevent servers or workstations from being arbitrarily plugged in or moved, allowing uncontrolled connectivity to the internal network.
In summary, the aforementioned examples constitute the security controls or, in simpler terms, the countermeasures and safeguards that are employed to manage the risk that has been determined to exist for the organization’s initially-determined Assets of Value.