Thursday, December 15, 2022

Information Asset Management Guidelines

All information assets shall be handled securely to maintain the required level of confidentiality, integrity, and availability.

An organization shall maintain a set of guidelines to achieve this:

  • Information Asset owners shall be identified for all information assets.
  • Information asset inventory shall be maintained by the information asset owner.
  • Sufficient records shall be maintained to locate and navigate information assets as and when required by authorized parties.
  • All information assets shall be stored and disposed of securely as per the information classification level. 
  • All assets shall be returned on any change of employment status (transfers, promotions, resignations, terminations, retirements, secondments, etc.) or before an extended period of leave, as per the procedure defined by the HR department.
  • The physical security of information assets shall be ensured by the Asset Custodian and/or Asset Owner as applicable.
The following template can be used for the asset inventory:


Information handling for electronic materials:

Information handling for printed materials:





Sunday, December 4, 2022

Mobile Device Policy

Having a Mobile Device Policy is very important for every organization. Today we will look at a sample policy that can be modified to suit your organization.

Policy Statement:

"When using mobile devices, special care shall be taken to ensure that business information is not compromised"

Policy Components:

    Information communication and usage devices:

  • For software in general use at the organization, licensed and updated versions approved by the IT Division shall be used. For section-specific requirements, software approved by the Unit Head of the relevant operational area shall be used.
  • Before open-source software is used, the outcome of an information security risk assessment shall be considered.
  • Users shall not make any changes to the hardware or software without the approval of the section or party that issued the device.
  • Mobile devices owned by third parties shall not connect to the organizational network without prior approval, granted in light of the outcome of a risk assessment.
  • Mobile devices owned by third parties shall be protected with the required security controls before they are connected.
  • All mobile devices shall be kept updated with the latest patches.
    Mobile information storage devices:
  • All mobile information storage devices shall be documented at the business unit level.
  • Confidential information stored on a mobile device shall be encrypted.

    Security Controls:

  • Reputable anti-virus software shall be installed and kept updated.
  • A screen locking mechanism shall be deployed.

Mobile Device Security

“Mobile device” is a general term for common portable devices such as smartphones, tablets, and laptop computers. These devices have revolutionized the way we work but, at the same time, have brought unique security and privacy challenges.

What is Mobile Device Security?

Mobile device security refers to protecting mobile computers and communication hardware, and the data they hold or can reach, from loss, theft, and compromise.

Organizations use mobile devices under different enterprise mobility strategies to improve productivity, facilitate teleworking, and ensure access to data anytime/anywhere.

Based on the selected approach, organizations implement mobile device security policies and assign roles and responsibilities accordingly.
A study conducted by Verizon® found that one in three surveyed companies using enterprise mobility solutions reported a compromise involving a mobile device; 47% said remediation was "difficult and expensive," and 64% said they suffered downtime.

Threats for Mobile Devices
Smartphones and tablets give users mobile access to email, the internet, GPS navigation, and many other applications. However, smartphone security has not kept pace with traditional computer security, and many smartphone users do not recognize the security shortcomings of their devices. For these reasons, mobile phones are becoming increasingly valuable targets for attackers, so it is important to take steps to protect your mobile devices from common threats.
Take Steps to Protect Your Mobile Devices
With nearly every employee carrying a mobile device, organizations need to recognize that these devices are a large attack surface for criminals with malicious intent.
Even careful users can fall victim to attacks on their mobile phones. However, following mobile security best practices reduces the likelihood and the consequences of an attack. Remember that a compromised mobile device can be used as a foothold to compromise an entire corporate network.
  • Use a secure lock screen: If someone gets hold of your device, the last thing you want is for them to simply turn it on and access everything. Use a secure screen lock, such as a strong passcode or a biometric lock like a fingerprint scanner.
  • Enable device-location services: Most devices offer a find-my-device feature that can locate a lost device on a map, make it ring, or display a screen message telling the finder how to contact you, the owner.
  • Use a remote wipe capability: Remote wipe and remote lock features give device owners (or the organization's device management system) the ability to erase or lock a device from a distance once it is reported lost or stolen.
  • Use secure Wi-Fi: Connect only to Wi-Fi networks protected with WPA2 or WPA3 so that third parties on the same network cannot snoop on your traffic or carry out man-in-the-middle attacks between your device and its intended destination. Avoid public Wi-Fi as much as possible.
  • Watch your email, SMS, and instant messages: Don't click on links in email and other messages, as they may lead to phishing or malware sites. This applies to every mobile platform.
  • Install apps only from trusted sources: Official app stores reduce the chance that an app is a vehicle for mobile malware. Grant applications only the permissions they actually need, and keep them updated.
  • Install anti-malware protection: Anti-virus and anti-malware products are available for mobile devices; install one from a trusted vendor and run it regularly to check that your device is clean.
  • Don't jailbreak or root your device: Doing so removes platform protections and increases the risk of infection from untrusted third-party sources. Keep the stock firmware and benefit from automatic security updates and patches.
  • Switch off Bluetooth and Wi-Fi when not in use: Devices that pair or connect over open links can be eavesdropped on, and data can be intercepted using techniques such as bluebugging and bluesnarfing. Also disable automatic Wi-Fi and Bluetooth connection features.
  • Use encryption: If the device handles critical functions or sensitive information, enable full-device encryption so that the data is unreadable without the device passcode.
In addition to the above, it is mandatory to follow the organization’s security policies and guidelines while using your mobile device for official work. Where necessary, Root of Trust (RoT) principles can be applied to give official mobile devices that handle critical data a hardware-backed level of security.
It is best practice that every device connecting to an enterprise network is authenticated. Proper authentication provides secure identity provisioning for devices, allows trusted communication with servers for data exchange, and helps identify, isolate, and exclude compromised devices.


 

Thursday, November 17, 2022

Information Classification and Labelling Policy

An organization shall define its Information Classification and Labeling Policy.

For example,

"All business information shall be classified and labeled, based on business requirements and the sensitivity of the information, as ‘Strictly Confidential’, ‘Confidential’, ‘Internal Use Only’, or ‘Public’."

Information Classification

The classification level shall be assigned by the relevant information owner in terms of the information's value, legal requirements, sensitivity, and criticality to the organization, using one of the levels defined in the information classification standard (e.g. Strictly Confidential, Confidential, Internal Use Only, or Public).

The information owner shall reclassify information once the defined classification level no longer applies to the information.


Information Labeling

The Information Owner or Information Custodian shall label information immediately after creating it, according to its classification level.

The Head of the Business Unit shall be responsible for ensuring that the unit's documents (in any format, paper-based or electronic) are clearly labeled with their classification.

All unlabeled information shall be considered “Confidential” until it is classified under the appropriate category.

All older versions of documents/unused/obsolete documents shall be marked as “OBSOLETE” clearly to avoid reference or usage by mistake.

The label shall consist of at least the following basic fields and shall be clearly visible:

  • Name and section of the owner
  • Date of preparation
  • Expiry date
  • Archival period
  • Classification level
Business Units can include additional details in addition to the above.

The label itself shall not contain sensitive information, since a label is visible to everyone who handles the document and could otherwise expose confidential or internal-use content.

A sample classification scheme can be as follows:










Wednesday, November 16, 2022

Information Classification

There is an increasing need for businesses to protect their customer and financial information, for a variety of reasons. It makes good business sense to categorize corporate information based on business risk and data value: not all information has the same value or use, nor is it subject to the same types of risk, so the protection mechanisms, recovery processes, and so on differ too.

The goal of information classification is to reduce the cost of data protection while also improving the overall quality of corporate decision-making, by ensuring a higher quality of data on which decision-makers rely. The increasing complexity of information and the sophistication of technology make classification difficult, but information can still be protected through mechanisms such as information security policies and risk analysis.

Why Information Classification?

  • Legal obligations, industry expectations, and customer expectations.
  • Formally documenting information sources and the individuals responsible for their protection provides a framework to ensure that the right people are involved in the provisioning process.
  • The company can reduce much of its information protection cost, because strong protection mechanisms can be designed and implemented where they are needed most, while less costly controls can be put in place for non-critical information.
  • Implementing an information classification system demonstrates an organization’s commitment to protecting customer information; strategically, this can provide a competitive advantage over companies that have not taken information protection seriously.
  • It provides a realistic yardstick against which to measure the company's compliance and gives employees more clearly defined goals to work towards.

How to conduct Information Classification?

Identify all information sources that need to be protected

Create a high-level description of the company's information sources, where the data resides, existing security measures, information owners, information custodians responsible for maintaining the information, end users, and resource type.

Identify information protection measures that map to information Classification Levels

Information protection goals can be obtained from sources such as the company's Information Security Policy. Input may also come from technical support teams, information custodians, business champions, and managers. There may also be regulatory and legal requirements to consider.

Examples of information protection measures are individual access vs. role-based access, the required levels of authentication and authorization, system backup, redundancy, disposal methods, data retention periods, and disaster recovery.

Identification of Information Classification Levels

Information classification levels should convey the protection goals being addressed.

All business information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization by the relevant information owner into one of the four classification levels (Strictly Confidential, Confidential, Internal Use Only, Public) defined in the Company information classification standards.

Map information protection measures to information Classification Levels

Before information can be classified, the protection measures must be mapped to the classification levels so that each level reflects the company's protection goals for information at that level.

Information Classifying and Labeling

In this step, the classification levels and their protection measures are applied to the information sources. The main objective is to validate that the protection measures associated with each classification are actually in place and appropriate for the information source.
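The procedure above (map controls to classification levels, then check each information source against them) and the labeling rule from the earlier post (unlabeled information is handled as “Confidential” until classified) can be turned into a repeatable inventory audit. The following Python script is an added example and is not part of the original post; the classification levels, the control names, the review-date field, and the inventory entries are constructed for illustration and would be replaced by an organization's own standard and asset register.

```python
"""Audit an information-asset inventory against a classification-to-control mapping.

Added example (not from the original post). Control names, levels, and the
sample inventory below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Step 3: classification levels, least to most sensitive (assumed scheme).
LEVELS = ["Public", "Internal Use Only", "Confidential", "Strictly Confidential"]

# Step 4: protection measures mapped to each level. Controls are cumulative,
# so a higher level always requires at least the controls of the level below.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Public": set(),
    "Internal Use Only": {"access-control"},
    "Confidential": {"access-control", "encryption-at-rest", "backup", "secure-disposal"},
    "Strictly Confidential": {"access-control", "encryption-at-rest", "backup",
                              "secure-disposal", "role-based-access", "mfa"},
}


@dataclass
class Asset:
    """One row of the asset inventory (fields assumed for this example)."""
    name: str
    owner: str
    custodian: str
    location: str
    classification: Optional[str]          # None means the asset is unlabeled
    controls: Set[str] = field(default_factory=set)
    review_due: Optional[date] = None      # when the owner must reconfirm the level


def effective_level(asset: Asset) -> str:
    """Level to enforce: unlabeled information is treated as Confidential."""
    if asset.classification is None:
        return "Confidential"
    if asset.classification not in LEVELS:
        raise ValueError(f"unknown classification level: {asset.classification!r}")
    return asset.classification


def find_gaps(asset: Asset, today: date) -> List[str]:
    """Return the findings for one asset (empty list means compliant)."""
    findings: List[str] = []
    level = effective_level(asset)
    if asset.classification is None:
        findings.append("unlabeled: handled as Confidential until the owner classifies it")
    for control in sorted(REQUIRED_CONTROLS[level] - asset.controls):
        findings.append(f"missing control for {level}: {control}")
    if asset.review_due is not None and asset.review_due < today:
        findings.append("classification review overdue: owner must reclassify or reconfirm")
    if not asset.owner:
        findings.append("no information owner assigned")
    return findings


def audit(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Step 5: apply the mapping to every source and report what is not in place."""
    return {asset.name: find_gaps(asset, today) for asset in inventory}


# Constructed sample inventory; not real assets.
AUDIT_DATE = date(2022, 12, 15)
SAMPLE_INVENTORY = [
    Asset("Customer billing DB", "Finance", "IT Ops", "db01", "Confidential",
          {"access-control", "encryption-at-rest", "backup"}, date(2023, 6, 30)),
    Asset("Product brochure", "Marketing", "Marketing", "web-cms", "Public"),
    Asset("Board minutes 2022-Q3", "Company Secretary", "Company Secretary",
          "fileshare/board", None, {"access-control"}),
    Asset("HR salary spreadsheet", "", "HR", "fileshare/hr", "Strictly Confidential",
          {"access-control", "encryption-at-rest", "backup", "secure-disposal",
           "role-based-access"}, date(2022, 10, 1)),
]


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The report distinguishes four kinds of gap the procedure cares about: a labeled asset missing a control its level requires, an unlabeled asset (enforced at Confidential, as the labeling policy directs), a classification whose review date has passed and must be reconfirmed by the owner, and an asset with no owner at all. Treating the control sets as cumulative keeps the mapping consistent when a level is raised.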




Tuesday, November 15, 2022

End-Point Security

What is End-Point Security?

Endpoint security is the practice of protecting computers, laptops, mobile phones, and tablets from cyberattacks and malicious threats.

Endpoint security software allows businesses to protect employees' work devices from cyber threats, whether those devices sit on the corporate network or connect through the cloud.

Given the sheer number of endpoints used to connect to networks, they are one of the most common targets. According to Strategy Analytics, there were 22 billion connected devices in 2018, with 38.6 billion expected by 2025 and 50 billion by 2030. Verizon's breach report, in turn, found malware installed on endpoints in up to 30% of data breaches.

The Human Element: it means “you” and “me”!

Employees have a critical role to play in cybersecurity. A 2022 report published by the World Economic Forum linked 95 percent of data breaches to human error. Common errors include being duped by phishing attacks, downloading malware, not updating apps, oversharing information on social media, and practicing poor password hygiene. These errors happen in both business and personal contexts, so constant awareness is increasingly important.

Endpoints Create Larger Attack Surfaces

Digital transformation strategies have widened the potential attack surface of IT environments and led to increased data security risks. The hybrid work arrangements that have become the norm since the pandemic widen it further, as employees connect to business resources and apps from multiple devices, including their personal mobile devices. Threat actors prize sensitive customer data because it commands a high price on dark web marketplaces. Ransomware attacks often include a data exfiltration component because threat actors believe they can hold organizations to ransom with the threat of publishing stolen information.

Privacy

Increased recognition of privacy risks has led to new compliance regulations and the strengthening of existing laws over the last few years. Organizations need to comply with these laws to protect sensitive data belonging to their customers; falling foul of them by not implementing appropriate security measures carries severe reputational and monetary risk. At an individual level, societal technology changes pose increased online privacy risks: as more services become digitized, app-based, and interconnected, individuals must share more of their information with more parties.

How to Protect the Endpoints:





Prevent data loss where it happens most

If we were to focus on the sensational stories in the media, it would be easy to believe that the number one cause of data loss is cyberattacks performed by skilled, professional black-hat hackers. This is far from the truth: most data breaches are the result of human error, not malicious activity. User awareness is therefore a must for endpoint security as well.


Wednesday, October 26, 2022


What is Information Security?

Information security refers to the controls that protect information from unauthorized access, destruction, modification, or disclosure.

What are Information Assets?

Information assets are the resources associated with information systems. They include all types of information and the things that carry it: files, databases, paper-based and electronic documents, records, hardware items, software, and other infrastructure items.

Why should you be concerned about information security?

The information you routinely handle may require protection. Whether you work with paper documents, on a computer, or spend most of your day on the phone dealing with people, you are an integral part of your company’s business. Information security is not an option or a choice; it is a requirement, embedded in law and in regulatory requirements.
