Security Basics mailing list archives

Re: Building an Information Asset database


From: Vic Vandal <vvandal () well com>
Date: Wed, 4 Jan 2012 11:42:59 -0800 (PST)

You could buy a tool to help with that, but you said you want to build one.  We created about 20 pertinent tables 
within a DB, normalized the data/column distribution amongst them, and started populating them with all the data values 
from across our many systems.  Whenever a system, interface, etc. is updated, so is the asset DB.  

We also built a web front-end that can pull up dynamic views of whatever we need to see from within those 
inter-connected tables.  That's for non-techie users, while techies with read access to the asset DB can run their own 
ad-hoc queries as desired also.  There are access controls around the web front-end and the DB tables of course and 
it's not wide open for anyone within the organization to use.

Unfortunately I can't export a list of all of our tables and table structures to give you real-life examples of that.  
If you know what your sensitive data elements are, where they are, and what systems access them, then you can start 
building a list of pertinent columns that you'll want for your DB.  In its 'very simplest form' you might have one 
small table or spreadsheet that has something like:

SENSITIVE_DATA_TYPE
SENSITIVE_DATA_LOCATION
DATA_PROTECTION_METHOD
PROCESSING_APPLICATION_NAME
ADHOC_DATA_DESCRIPTION
ACCESS_PERMISSIONS_GROUPS_ROLES
RECORD_MOD_DATE
RECORD_MOD_USER
Etc, etc.

Our system is a lot more complex because we're tracking over a hundred related attributes, so individual mileage may 
vary.

As for 'management tools', I don't know if you work in a Windows shop, Unix shop, mainframe shop, or some mix, nor what 
skill-sets you have in-house, so it's hard to provide any specific suggestions.

You do have some red flags to deal with for sure:
"e.g. Card Information being stored on local hard disk without any encryption"

That's a PCI compliance problem.  You'll need to develop a way to mask that data or split it up, and control access to 
the data and masking/de-masking routines.  You'll also have to ensure that the card data is encrypted in transit over 
the network.  Finally you'll have to segment the storage system(s) from the rest of the network (e.g., put them behind 
some filtering firewall, hardware or software).

Good luck,
Vic

----- Original Message -----
From: sfmailsbm () gmail com
To: security-basics () securityfocus com
Sent: Wednesday, January 4, 2012 12:33:52 AM
Subject: Building an Information Asset database

Hi list,

happy New Year to all of you

Looking for some best practices and real-life recommendations on how to go about building up an Information Asset register, 
which will basically contain a list of information being used within the organisation, where and how it is stored, and 
where it is distributed, e.g. Card Information being stored on local hard disk without any encryption.

This will be the basis to perform information risk assessments to mitigate potential risk issues.

Any help on how to proceed, methodology and tools to manage all of this will be greatly appreciated.

Thanks & regards,
Ronish
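An added example (not code from either poster) of the 'very simplest form' register Vic describes: one SQLite table with the listed columns, plus the two queries a first risk assessment would run over it, the unencrypted-card-data red flag Ronish raised and records that have not been updated since a cutoff date. The table name, the allowed DATA_PROTECTION_METHOD values and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows (not from the thread); the columns follow the
# "very simplest form" list in Vic's reply.
SAMPLE_ASSETS = [
    ("card number", "pos-ws01:C:\\exports\\cards.csv", "none",
     "pos-client", "nightly PAN export", "Domain Users", "2012-01-03", "jdoe"),
    ("card number", "paydb01:PAYMENTS.CARDS", "encrypted_at_rest",
     "payment-gateway", "PAN store", "svc_payments", "2011-12-20", "dba1"),
    ("customer address", "crm01:CRM.CONTACTS", "none",
     "crm", "mailing addresses", "Sales", "2011-11-02", "asmith"),
]
# Assumed vocabulary for DATA_PROTECTION_METHOD; enforced by a CHECK constraint
PROTECTION_METHODS = ("none", "masked", "tokenised", "encrypted_at_rest")


def build_register(rows=SAMPLE_ASSETS):
    """Create the one-table register in memory and load rows into it."""
    allowed = ", ".join(f"'{m}'" for m in PROTECTION_METHODS)
    conn = sqlite3.connect(":memory:")
    conn.execute(f"""
        CREATE TABLE information_asset (
            SENSITIVE_DATA_TYPE             TEXT NOT NULL,
            SENSITIVE_DATA_LOCATION         TEXT NOT NULL,
            DATA_PROTECTION_METHOD          TEXT NOT NULL
                CHECK (DATA_PROTECTION_METHOD IN ({allowed})),
            PROCESSING_APPLICATION_NAME     TEXT NOT NULL,
            ADHOC_DATA_DESCRIPTION          TEXT,
            ACCESS_PERMISSIONS_GROUPS_ROLES TEXT NOT NULL,
            RECORD_MOD_DATE                 TEXT NOT NULL,
            RECORD_MOD_USER                 TEXT NOT NULL
        )""")
    conn.executemany("INSERT INTO information_asset VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def unprotected_card_data(conn):
    """Red flag from the thread: card data stored with no protection method."""
    return conn.execute("""
        SELECT SENSITIVE_DATA_LOCATION, PROCESSING_APPLICATION_NAME
        FROM information_asset
        WHERE SENSITIVE_DATA_TYPE = 'card number' AND DATA_PROTECTION_METHOD = 'none'
        ORDER BY SENSITIVE_DATA_LOCATION""").fetchall()


def stale_records(conn, cutoff_date):
    """Rows not modified since cutoff_date ('YYYY-MM-DD'): candidates for re-review."""
    return conn.execute("SELECT SENSITIVE_DATA_LOCATION, RECORD_MOD_DATE FROM information_asset "
                        "WHERE RECORD_MOD_DATE < ? ORDER BY RECORD_MOD_DATE", (cutoff_date,)).fetchall()
```

Call build_register() once and run the two query functions against the returned connection; a row whose protection method is outside PROTECTION_METHODS is rejected at insert time rather than silently recorded.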

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------