43. Methods of Valuing Assets
Now, as we look at methods of valuing assets, there are some approaches and the approach of doing the valuation is used to basically determine a monetary value. And of course, that might be something that’s easy to do with things like artwork. But another approach is to look at the value add or some of the intangible cascading effects that the information may have. And again, remember, a cascading effect just simply means that the loss of some information or even the alteration or damage of that information can ripple out and cause other bad decisions and other information to no longer be valid either. Now, in many cases, the accuracy of the valuation is sometimes not as critical as maybe the approach we use to help prioritize the efforts that we use to lessen the risk.
Now, what does that mean to us? It means that, okay, look, maybe I can’t put an actual value on the asset, but that doesn’t mean I can’t still find the criticality of what it would mean to us if we lost that information, what the impact is going to be. And so even without a value that we have, we know the criticality and that still helps put that information at a higher priority that we would use our efforts there on this high priority information to help lessen the risk. Now, the process, again, for doing valuation can be very time consuming and potentially very complex, as I’ve tried to mention over and over again with some examples of just what does it mean in the long term. And sometimes the valuation of the assets may just have to be judgmental or done in a qualitative manner.
44. Information Asset Classification
Now, beyond the evaluation, as we said, which can be very difficult to do, it doesn’t mean that we couldn’t figure out the criticality, the classification. So when we talk about the information asset classification, we are talking about the sensitivity and criticality. That has to be some way reflected in the assets classification. Now, that might be things that we consider, such as in doing this is how many classification levels do I really need? Now, that is sometimes a difficult aspect because you can become too fine tuned and make it very difficult. If I were to use a different real world example of as far as risk when it comes to security. We have in the United States a color coded system for the threat level that we’re at, that we need to know about, what we’re supposed to do if we’re going to an airport, boarding a plane, those types of things.
And they use a color coded system. And now that I think about it, I don’t remember if it was a three or four color system, but we realize that some higher colors, a classification of red, is pretty darn scary, right? It’s like, hey, watch out, things are going bad and can go bad very quickly. They want you to be more aware of your surroundings and what’s happening. Okay, so that’s an example of a classification level. You might call it an alert level, but we have to look at the same thing. Would it have been better served for public use if I had 20 different colors to remember? Probably at that point, no, because I doubt that I would remember what each of those color coatings meant. Having three or four was an easier system, at least for me, to help understand the classification. Now, what you use in your company, again, is up to what makes sense, but generally speaking, we try not to have too many classifications.
Now the next thing we have to do is how do we determine what are the assets, again? Is that back to hardware? Is the assets, is it the information that’s stored on that hardware? What is it that we’re looking for as far as what the assets are? And then from that point we have to decide, well, all right, now how are we going to mark these assets? How should they be handled or even transported? And again, transportation could be of a physical device. It could be the transformation or transportation of data across a network connection. We also realize that over time, information is no longer as valuable as it once was. So that at some point we have to realize there is a life cycle of the asset.
Then we also have to remember that there are some regulatory compliances that we have to consider if we’re in the medical industry. HIPAA has a very lengthy set of regulations that talk about patient privacy and the steps we need to go through to ensure the privacy of their information. And so that right, there is something we have to realize. That is what we have to look at as far as the classification system of that information. Again, right. We have to realize that some of those regulations may make some information higher in the list of classifications than it might actually be to my particular business. And finally, we have to determine the ownership of data or the asset and also determine what are the access rights that we give to people being able to utilize that particular asset. So all of these can come down into helping you as you answer those questions and helping you come up with a proper classification system for those assets.
45. Determining Classification
Now having a classification system and some things we can answer, the next thing we have to do is actually determine the classification. Well, one of the first things you should do is look at the impact to the organization of the lost asset. And that should be considered rather than maybe by the means in which the damage can be done. Okay, so what are we saying here? We’re not looking at the vulnerability of the asset, we’re not looking at the ways in which it can be attacked. We’re actually just saying if it’s lost, what is the impact going to be? That may be a significant help in determining the classification. Now the rating systems used, as I said, should be approved by senior management. There shouldn’t be a lot of them. Sometimes part of the classification may be also to consider the cascading effect. And that means that in the classification it might not be possible to classify everything, maybe because of constraints of time.
And so one of the other things you might use as an effective option for determining classification is just that dependency assessment. Again, the cascading effect. So those are all going to be helpful in getting to the proper classification. Now what are your steps for the classification? Well, of course the first thing as I said, is finding, locating and identifying what the information resources are. Then of course determining the ownership of the data and as well as who its users are. We may even have to determine if there are any third parties involved, maybe in the storage or the transportation of that information and again, putting it into the classification.
The higher the classification, the more we’re going to expend time cycles at determining ways to protect it. But whenever you’re going through this process to avoid confusion, make the classification as simple as you can so that it’s not going to have so much variety that, that people may spend time arguing over is it a classification 5000 or 6000? Okay, I’m getting a little extreme there with all of the different classification numbers.
46. Impact Part1
Now your impact assessments is a way of being able to add value to an asset because what you can do is through the impact assessment is you can determine things like replacement cost. Now, replacement cost of hardware I think is pretty straightforward. I know what a new server costs and I can figure out how much time it takes to set up that server and to restore information to it. But of course, replacement costs for data, now that’s a different story. Now, I don’t know if I made mention about an issue I found at a plant that I was working at in the Portland, Oregon area. Again, I know I’m being vague because a lot of times with nondisclosures I can’t talk about specifics.
Now, I was there for a different purpose than what I’m about to talk about. But while I was there, they had a little problem with one of their SQL servers. And to tell you how long ago this was, it was a SQL Server 6. 5. That means it was prior to the year 2000. Now, what had happened was that they had a loss of hardware, the hard drive, and so they needed to rebuild their SQL Server and they were trying to restore the information from their backups. Now, they had never gone through the process of actually testing the backups to make sure that they actually were working. And I remember right, it took them almost to go back almost eight months in time before they found a backup that they could use for a restoration.
All right, so what’s the replacement cost of that information? Eight months of information that dealt with customers, their orders, their inventory. Yes, they had those paper records. That’s how the data originally got in. It was not near the type of automation we have today with a nice front end, point of sale type of setup that’s a lot of people spending a lot of time recreating information. So you think about it when you’re doing your impact assessment. That’s a part of the replacement cost as well, especially if it’s data or information.What would it take to recreate that? We also want to consider the impact if we have a loss of integrity, of availability or confidentiality. Again, integrity just means information has been changed.
If I don’t know how it’s been changed, then I have a tough time being able to come back to the original information I was supposed to have. Availability can be what we call high availability. Now, eliminating single points of failure to have multiple servers acting in the cluster, so if one goes down, the other can still work. Or a network load balancer to do essentially the same type of idea using storage area networks so that this data is always available regardless of what server that we’re using. And of course, the confidentiality is what would happen if the information was stolen? Could it be stolen? Do we have an encryption both in storage and in motion. Although those are things we can look at as the impact. You might consider looking at different scenarios that have a range of potential outcomes.
Now through the scenario base and having a range of outcomes, it is kind of helpful because as I said, especially in like a quantitative type of a method, sometimes we want to have a worst case scenario but have a range from which we can work at. We also want to know what would be the adverse impact of a successful threat to the asset. All right, so all of these are part of your impact assessments. Now, one of the things you can use is a business impact analysis or business impact assessment, a BIA to help identify the impact of risks.
And that information from the result of that assessment can help you in determining some of the classifications that you might use when you’re dealing with your data. And that information can also be a part of the impact assessment as well. So again, remember, you’re trying to determine the impact that a loss might have. And again, we’re not necessarily looking at the risk that the loss might occur, but we’re on just pure impact assessment. We’re saying if it happened, here’s the scenario, here’s what it could mean to our corporation.
47. Impact Part2
Now, an effective approach for your impact assessment might be to use a small set of scenarios as ways to analyze what could happen. And that way, again, you get a range of outcomes that can be determined from that. Now, this approach can often provide maybe a more realistic look at the actual impact that a loss might have. Now, before you start an impact assessment, it some of the questions you might want to have answered are things like what is the system’s mission?
In other words, what does the process do? What is the system and data criticality? And also we might ask questions like what is the system data and personnel criticality? Questions like what’s the impact if we have an unintended disclosure of information again, if we talk about health risk records for patients, what’s that impact going to be if the wrong people get to see that information when we know that we’re supposed to keep it as private as we can, especially through regulations like HIPAA?
48. Lesson 7: Recovery Time Objectives
Some of the other things we should consider are things like the recovery time objectives. Now, we also have recovery point objectives as well. Now the goal for recovery time is really to determine what is an acceptable time to be able to return to normal operations. Now, this will vary, of course, depending on the criticality of the assets. And that is something we have to think about because again, we may have classifications of things like it are critical, meaning we need to have it returned within minutes versus those things that may be okay to go for, you know, a few, several days or even weeks. Now, the RTO should be considered as far as the time of the occurrence as well. Sometimes it may not be as critical in off hours. If I’m not a 24 hours type of a business. The business continuity plan should reflect what your recovery time objectives are.
49. Recovery Point Objectives
Now, when we talk about recovery point objectives, one of the things we might take a look at is how quick of a recovery do we need? And sometimes that recovery may be really based on the frequency of how backups are performed. So our goal might be to lose as little data as possible but it has to be balanced with the availability of the asset during the backup. So what does that mean? That means sometimes you have to also consider, you know, the time that it takes to recover as far as the backup process. So let’s just take an example of, you know, a server that has data on it.
Generally speaking, we conduct a full backup at one point. And one of the downsides of a full backup is that the information might be readable but we can’t have any updates or modifications to the data during the time that it takes to do that full backup. And a full backup for a large amount of data may take a lot of time. Now, if I decided that I wanted to do that on every single day of the week, then what we’re coming to is what does it take to do the recovery? Well, one of the cool things is that if I’m doing a full backup every single day of the week, then if this is the point at which something fails, I can simply recover the information from having one backup to restore.
Now, there is a balance there as well. As far as the availability, it says we want to balance it with availability. Well, the problem is if it takes four or 5 hours every day to do that backup then that’s leaving the data in somewhat of an unavailable state. So another thing we could look at here as I get rid of my little backup drawings is that we may choose to do things like a differential or incremental backup. These are just making changes or copies of what has changed since the last full backup. The purpose of this is that in doing these, in this case I’m doing little incremental ones. So I’ll put an eye up above them that I’m just backing up what is what has changed since the last backup. So this first incremental is changing, keeping a copy of what’s changed since the fall and this one’s doing it since that last incremental and that last incremental.
And again, if now is where I lose my service here, then my restoration may take a little bit more time because I will have to restore that full backup and then restore each of the incrementals in the order in which they were taken. So that may increase my recovery time, although giving me better availability. That also might not be a solution. So other options we have in this process is doing what we call a differential. Now, the difference in a differential and an incremental is that the differential is still backing up those things that have changed since the last full backup. But each day it doesn’t mark it as being backed up. So when I do the next differential, it starts to back up everything from the last full backup. That means that we are doing a duplicate of the work we did on this differential. Okay, now the benefit there eventually you’ll see that. But one of the downsides of that is that the differential may take solely every day a little bit more time to do because the amount of files changing since those previous backups might be increasing. So again, as I’m going on through time, the availability becomes less.
But if now I have that failure, as you saw there before, I have to first restore the full and then I can restore my last differential. So my recovery is faster. Now, the availability is still greater because it doesn’t take as long to do the differential as it did to do the full backup. But again, it’s a balancing act. Now of course, that’s where Windows came in with this idea of the shadow volume copy so that we can do some of these backups and still maintain availability for the use of the files. And things like that are nice innovations that are really kind of working towards understanding about recovery point objectives and balancing it with our availability.
50. Service Delivery Objectives
The other thing we look for are the service delivery objectives. Now your SDOs are defined as the minimal level of service that must be restored after an event to be able to meet certain business requirements. All right? So sometimes these are articulated within our service level agreements. Now I made a mention of working with cellular phone companies and for them any single minute of outage is a severe impact in what they have to maintain for their customers. And so they design their networks purposely to avoid single points of failure so that cellular traffic will still move, the business connectivity will still work, but sometimes we have to say okay, let’s take a look at it. We realized in today’s world that sometimes voice and data travel a little bit differently.
Cellular connections. And we talk about this 4g service and the 3g service and CDMAs, and I’m trying to make sure I’m not being any vendorspecific.GSM all right, so what we’re saying, though, is that maybe if I lose connectivity what is the minimum level of service? Maybe I have to guarantee you that phone voice services are the first thing restored or considered that the minimal level of service. That way if there’s an emergency you can call for emergency services. You just might not be able to look up what coffee shop is closest to you. So again, these are just examples I’m throwing out there as what might be considered minimum service levels until normal operations can resume.
Now, your STOs are going to be affected by the RTOs and the RPOs as we talked about before, the restore time and the re points and your sedos. Again, the service delivery objects or objectives should still be a consideration that you have when you’re working with your risk management strategy, realizing that if you want a higher level of service as your minimum service, it may require more resources to be able to provide it.