What is “Asset Security?” No, really. What is it?
That question often comes up whenever you or someone else comes across the term when discussing cybersecurity, and the answer sometimes creates more questions. That is partly because the term encompasses a large variety of topics and can send you down “rabbit holes” at every turn and twist. Because asset security can be such a broad topic, it might help to think of it using a bit of imagery.
Imagine that cybersecurity is a tree. The tree is every topic you can think of related to cybersecurity and more. Within the tree, you have data. Data is collected, categorized, processed, and stored to give an organization the ability to do its day-to-day business. When the data is no longer used, it is purged or destroyed. Asset security is how we work with data to protect it from the beginning of its life cycle to the end.
Here, we will touch on a couple of asset security topics so that you can understand what asset security is. We will talk about data roles and controls.
What are data roles?
Data roles define the who, what, and why of data collection and handling. They also provide a mechanism for ensuring that someone has control and oversight of all the data within an organization. These roles, big or small, help to determine what data is collected, used, stored, and eventually purged, and what security measures are used to protect the data during its life cycle. Note that your organization may need only some of the possible roles, and that in a smaller organization one person may cover more than one role. The roles we talk about here are not a complete list, just a short selection of the roles and responsibilities that might be part of your organization’s security hierarchy.
Let’s start with the Data Owner(s), who are ultimately responsible for any and all data across the organization, either in part or as a whole. In other words, if data is collected and used by the organization, someone has to be responsible for it from the beginning.
Depending on where you look and what regulations or laws you reference, the data owner might be the CEO or a departmental head. If your organization is large, with many departments, one or more leaders will be data owners. The role is very high level and has the jobs of identifying data classifications, data marking (labeling) rules, enforcing adequate security policies and controls, and defining appropriate use. A data owner is likely also to be the person who makes overall decisions related to who should have access to the data and who shouldn’t, as well as with what privileges.
This role is vital as this person will set the stage for the entire organization or department’s data security profile, making it possible for everyone to properly handle and secure the information they use or disseminate to users.
Typically, the Data Owner will work directly with the System Owners or might even hold that role in conjunction with their primary function.
System Owners actually “own” the data processing systems for which they are responsible. In other words, the system owner controls anything related to the security of data on a system or that passes through that system. This person creates a system security plan, maintains and updates it, and ensures that all the system users and supporting roles that touch the system are appropriately trained in the security controls implemented on it. This role works with the Data Owner and others to ensure that the systems they control comply with organizational security requirements and policies and that the data processing is secure.
A Data Administrator can grant access to data under their control to the appropriate personnel. Think of this person as the doorman at a posh residential building. They check to ensure you are allowed access to the building and may even control where you go within the site. The Data Administrator knows what data they control, its sensitivity and uses, and who should have access to it.
Finally, we have the Data User. This one is easy to understand, as they are the people who access and use the data within the organization (based on their roles and needs) to complete their work daily. Each user is subject to the policies and procedures, regulations, and demands of the Data Owner(s), System Owners, and Data Administrators. A data user may have roles and responsibilities related to the security of the organization’s data. Still, they are the base upon which a company or group stands to accomplish its mission. One responsibility that is always a part of the user’s realm is ensuring that they specifically adhere to the security plan regarding their use of the data.
Now, let’s move on to security controls.
Security Controls
Security controls are the ways or methods we use to protect our data. Controls can be broad, such as access control, or very specific, like where fencing is to be placed and with what characteristics (electric, wire or wood, height). For the fence, the control might describe what materials were used in the fence, at what distance from buildings or parking areas, its access points, and the lighting that allows monitoring of the fence. Another control might speak to preventing personnel or visitors from bypassing the access points in that fence. Another related control might be that security guards patrol the fence perimeter or that CCTV cameras monitor the area at all times.
For reference, some controls can be described as follows:
- Preventive – tries to stop a security threat before it is realized.
- Detective – finds or exposes a threat, during or after the fact.
- Corrective – fixes the data environment after a threat is realized or a potential threat is discovered.
- Or others not listed.
Controls ensure we are thinking about protecting our data and then doing the work required. They create a way to measure and quantify the potential risk and mitigate or eliminate it.
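To make the roles and control types above concrete, here is a small policy-as-code illustration. It is an added example written for this page, not code from the original post or from Northstarr. The Data Owner sets classification labels and a policy of who may hold which privileges; the Data Administrator can only grant access within that policy (a preventive control); every grant and access decision is recorded in an audit list (a detective control); and a reconcile pass revokes grants that no longer comply after the owner tightens the policy (a corrective control). All dataset names, users, roles, and the ordering of classification labels are constructed assumptions for the example.

```python
"""Data roles and control types expressed as a small access-policy check.
Added illustration; all names, labels, and users are constructed for the example."""
from dataclasses import dataclass, field

# Classification labels defined by the Data Owner; higher index = more sensitive.
# (Assumed ordering for this example.)
LEVELS = ["public", "internal", "confidential"]


@dataclass
class DataSet:
    name: str
    classification: str   # label assigned by the Data Owner
    owner: str            # Data Owner responsible for this data


@dataclass
class Policy:
    """Owner-defined rules: highest label each role may see, and privileges per role."""
    max_level: dict       # role -> highest classification label allowed
    privileges: dict      # role -> set of privileges ("read", "write") allowed


@dataclass
class Grant:
    user: str
    dataset: str
    privilege: str
    granted_by: str       # the Data Administrator who issued the grant


@dataclass
class Registry:
    datasets: dict = field(default_factory=dict)   # name -> DataSet
    roles: dict = field(default_factory=dict)      # user -> role
    grants: list = field(default_factory=list)     # active Grant records
    audit: list = field(default_factory=list)      # detective control: decision log


def level(label):
    return LEVELS.index(label)


def complies(reg, policy, user, dataset, privilege):
    """True if the owner's policy allows this role to hold this privilege on this data."""
    ds = reg.datasets[dataset]
    role = reg.roles[user]
    within_level = level(ds.classification) <= level(policy.max_level.get(role, "public"))
    return within_level and privilege in policy.privileges.get(role, set())


def grant_access(reg, policy, admin, user, dataset, privilege):
    """Data Administrator grants access, but only inside the Data Owner's policy (preventive)."""
    allowed = complies(reg, policy, user, dataset, privilege)
    reg.audit.append(("grant", admin, user, dataset, privilege, "ok" if allowed else "denied"))
    if allowed:
        reg.grants.append(Grant(user, dataset, privilege, admin))
    return allowed


def check_access(reg, user, dataset, privilege):
    """Data User access: a matching grant must exist (preventive); every attempt is logged (detective)."""
    ok = any(g.user == user and g.dataset == dataset and g.privilege == privilege
             for g in reg.grants)
    reg.audit.append(("access", user, dataset, privilege, "ok" if ok else "denied"))
    return ok


def reconcile(reg, policy):
    """Corrective control: revoke grants that no longer comply after the policy changes."""
    keep = [g for g in reg.grants if complies(reg, policy, g.user, g.dataset, g.privilege)]
    revoked = [g for g in reg.grants if g not in keep]
    reg.grants = keep
    reg.audit.append(("reconcile", len(revoked)))
    return revoked


def demo():
    """Walk through the roles with constructed data; returns the decisions for checking."""
    reg = Registry()
    reg.datasets["payroll"] = DataSet("payroll", "confidential", owner="cfo")
    reg.datasets["handbook"] = DataSet("handbook", "internal", owner="hr_director")
    reg.roles.update({"alice": "hr_analyst", "bob": "intern"})
    policy = Policy(max_level={"hr_analyst": "confidential", "intern": "internal"},
                    privileges={"hr_analyst": {"read", "write"}, "intern": {"read"}})

    g1 = grant_access(reg, policy, "dataadmin", "alice", "payroll", "read")   # allowed
    g2 = grant_access(reg, policy, "dataadmin", "bob", "payroll", "read")     # denied: above intern ceiling
    a1 = check_access(reg, "alice", "payroll", "read")                        # allowed
    a2 = check_access(reg, "bob", "payroll", "read")                          # denied: no grant exists

    # The owner later tightens policy: interns may only see public data.
    grant_access(reg, policy, "dataadmin", "bob", "handbook", "read")         # allowed under old policy
    policy.max_level["intern"] = "public"
    revoked = reconcile(reg, policy)                                          # corrective pass
    return g1, g2, a1, a2, [g.dataset for g in revoked], len(reg.audit)


if __name__ == "__main__":
    print(demo())
```

The point of the separation is that the administrator never decides policy, only applies it: a grant outside the owner's rules is refused rather than silently recorded, and the audit list gives the detective record that the corrective reconcile pass and any later review can work from.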
How will this affect you?
As you can see, asset security is an important topic, and we only discussed two areas here. However, with each bit of information you garner and learn, you come closer to fully understanding and appreciating the value of, and the need for, security in your organization. With a better understanding, you can help secure the data you use each day and protect your organization’s interests moving forward.
What should you do?
Investigate the different topics within Asset Security, above and beyond what we have discussed here. Perhaps you can start by finding and speaking with your company’s internal IT and cybersecurity team members. Find out what they do, how they do it, and how it impacts your organization. You would be surprised (or maybe not) just how much of your organization is involved in one way or another in the protection of its data.
Northstarr Recommendations
We can help you with your asset security planning and implementation, the maintenance of that plan, and your security control measures.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!