It’s been three years since the U.S. Office of Personnel Management’s (OPM) two data breaches shocked the country and spawned immediate cyber initiatives in response to the theft of millions of highly sensitive records –possibly now resulting in identity fraud, as reported by the Wall Street Journal. In the months that followed, the nation’s agencies were required to make an honest accounting of vital systems and the state of their security.
Although the new processes will not mitigate the full impact of the OPM hack, we now have access to a better process for identifying and managing critical assets or high value assets (HVA), which are defined as information systems, information and data so essential that unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant harm to national security or interests, and to an organization’s business operations.
It is equally important to keep in mind that the single most important part of the process is to fully understand what makes up a high value asset, regardless of whether you are in the public or private sector. In talking to many CISOs over the last past few years, it is clear many organizations are still not sure what constitutes their most valuable assets and, as a result, cannot adequately protect their “crown jewels.”
As part of the risk management process, I encourage all my clients to take a step back, so they can truly see the big picture in understanding their critical data assets. While this seems rather fundamental, it is still very much a challenge for many security professionals today.
The key takeaway is that until organizations, public and private, have a firm grasp on what their most valuable assets are, it is relatively impossible to develop an effective security program. Both public and private organizations that move forward without this knowledge generally invest time and resources that are not based on a solid foundation where critical assets are identified, business impact analysis performed and risk-based decisions executed accordingly. The results may yield a false sense of security, especially since they are not based on risk modeling and situational awareness.
To its credit, the U.S. federal government has issued several informative security bulletins to address prioritizing risk based on the value of its information assets, including several worthwhile ones that give users a good place to start:
- OMB M-16-04 details the Cybersecurity Strategy and Implementation Plan (CSIP).
- OMB Circulars A-123, A-130 and OMB-M-13-13 outline requirements for identifying assets, maintaining inventories, performing risk assessments and addressing risks related to assets and
- OMB M-17-09 lists additional agency obligations and introduces the Agency HVA Process for managing risk to HVAs across the enterprise.
In addition, the Department of Homeland Security, which is vested with the authority to define agency information security policies and practices, collaborated with NIST on an HVA Control Overlay. Risk management professionals, government or not, will find it provides valuable information on how they should implement critical security controls for their high value assets to mitigate against known threats and weaknesses.
As I tell my clients, always remember that compliance is a means to the objective of effective risk management. It’s so important to always take a step back and look at the big picture, so you can define and quantify the value of your assets and the business impact. Make sure the conversation is a business-focused one about what matters most to the board, agency heads and key stakeholders. Start by mapping critical assets to business priorities, beginning with an initial gap analysis that addresses the business impact. Then, identify the corresponding frameworks, and be on the path to effective risk management—all centered around your HVA.
When your foundation is solid, fulfilling the control requirements is much easier, and more importantly, you have the benefit of knowing that your sense of security is real.