SMotW #32: asset management maturity
Security Metric of the Week #32: information asset management maturity
'Managing information assets' may not be the sexiest aspect of information security but it's one of those relatively straightforward bread-and-butter activities that, if done well, can substantially improve the organization's overall security status.
The premise for this week's candidate security metric is that the management of information assets and the management of information security are related. In mathematical terms, they are positively correlated. A mature, comprehensive, well-thought-out and soundly implemented approach to the management of information assets is likely, we believe, to be associated with a high quality, effective approach to security management. Even if the correlation is not terribly strong, asset management at least provides a solid foundation for assessing and ultimately managing the organization's information risks.
Conversely, weak or poor information asset management practices do not bode well for information security: if management has a rather loose grip on the organization's information assets, focusing myopically on its physical and financial assets while ignoring information in all its forms, it is unlikely to appreciate their value, understand the risks and be willing to invest adequately in the security needed to address them.
That's all very well, but how can information asset management practices be measured in practice by an ordinary organization such as Acme Enterprises Inc.? One possibility is to adopt the maturity scale approach that we have discussed before in relation to measuring both business continuity and HR security practices. Creating the maturity metric involves analyzing information asset management activities, picking out the key elements and then determining how they typically differ across the spectrum from bad to good practice. Section 7 of ISO/IEC 27002:2005 ("Asset management") is a useful starting point, both in terms of the structure (laying out various responsibilities relating to information assets, including their identification, ownership, and classification) and the content (several security controls are recommended in this area).
With a strong PRAGMATIC score of 86%, this metric is a strong candidate for inclusion in Acme's information security measurement system.
P | R | A | G | M | A | T | I | C | Score |
90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
We have been a bit harsh on the Actionability criterion, figuring that it would be quite difficult in practice to persuade Acme's management to pay more attention to managing the organization's information assets, particularly if they were of the myopic persuasion noted above. In certain circumstances, the metric alone may generate more heat than light on the security situation.