Security Basics mailing list archives
Re: Building an Information Asset database
From: Vic Vandal <vvandal () well com>
Date: Wed, 4 Jan 2012 11:42:59 -0800 (PST)
You could buy a tool to help with that, but you said you want to build one.

We created about 20 pertinent tables within a DB, normalized the data/column distribution amongst them, and started populating them with all the data values from across our many systems. Whenever a system, interface, or etc. is updated so is the asset DB. We also built a web front-end that can pull up dynamic views of whatever we need to see from within those inter-connected tables. That's for non-techie users, while techies with read access to the asset DB can run their own ad-hoc queries as desired also. There are access controls around the web front-end and the DB tables of course and it's not wide open for anyone within the organization to use.

Unfortunately I can't export a list of all of our tables and table structures to give you real-life examples of that. If you know what your sensitive data elements are, where they are, and what systems access them, then you can start building a list of pertinent columns that you'll want for your DB.

In its 'very simplest form' you might have one small table or spreadsheet that has something like;

SENSITIVE_DATA_TYPE
SENSITIVE_DATA_LOCATION
DATA_PROTECTION_METHOD
PROCESSING_APPLICATION_NAME
ADHOC_DATA_DESCRIPTION
ACCESS_PERMISSIONS_GROUPS_ROLES
RECORD_MOD_DATE
RECORD_MOD_USER
Etc, etc.

Our system is a lot more complex because we're tracking over a hundred related attributes, so individual mileage may vary.

As for 'management tools', I don't know if you work in a Windows shop, Unix shop, mainframe shop, or some mix, nor what skill-sets you have in-house, so it's hard to provide any specific suggestions.

You do have some red flags to deal with for sure;

"e.g. Card Information being stored on local hard disk without any encryption"

That's a PCI compliance problem. You'll need to develop a way to mask that data or split it up, and control access to the data and masking/de-masking routines. You'll also have to ensure that the card data is encrypted in transit over the network. Finally you'll have to segment the storage system(s) from the rest of the network (e.g., put them behind some filtering firewall, hardware or software).

Good luck,
Vic

----- Original Message -----
From: sfmailsbm () gmail com
To: security-basics () securityfocus com
Sent: Wednesday, January 4, 2012 12:33:52 AM
Subject: Building an Information Asset database

Hi list, happy New Year to all of you.

Looking for some best practices, real-life recommendations on how to go about to build up an Information Asset register, which will basically contain a list of information being used within the organisation, where and how it is stored, and where it is distributed, e.g. Card Information being stored on local hard disk without any encryption.

This will be the basis to perform information risk assessments to mitigate potential risk issues.

Any help on how to proceed, methodology and tools to manage all of this will be greatly appreciated.

Thanks & regards,
Ronish
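Added example, not part of Vic's message or the thread: the 'very simplest form' single table from the reply, built in SQLite, with a query that surfaces the red flag discussed above (card data held with no protection method). The column names come from the post; the table name, column types, hostnames and sample rows are constructed assumptions.

```python
import sqlite3

# Column names are from the post; types and the table name are assumptions.
SCHEMA = """
CREATE TABLE info_asset (
    id INTEGER PRIMARY KEY,
    SENSITIVE_DATA_TYPE TEXT NOT NULL,
    SENSITIVE_DATA_LOCATION TEXT NOT NULL,
    DATA_PROTECTION_METHOD TEXT NOT NULL,
    PROCESSING_APPLICATION_NAME TEXT,
    ADHOC_DATA_DESCRIPTION TEXT,
    ACCESS_PERMISSIONS_GROUPS_ROLES TEXT,
    RECORD_MOD_DATE TEXT NOT NULL DEFAULT (datetime('now')),
    RECORD_MOD_USER TEXT NOT NULL
);
"""
COLS = ("SENSITIVE_DATA_TYPE, SENSITIVE_DATA_LOCATION, DATA_PROTECTION_METHOD, "
        "PROCESSING_APPLICATION_NAME, ADHOC_DATA_DESCRIPTION, "
        "ACCESS_PERMISSIONS_GROUPS_ROLES, RECORD_MOD_USER")
# Constructed sample rows (hypothetical hosts, applications and roles).
SAMPLE_ROWS = [
    ("Card information", "pos-ws-01:/var/export", "None", "POS export tool",
     "nightly settlement file", "pos_operators", "asset_admin"),
    ("Card information", "db-pay-01:payments.cards", "Column encryption",
     "Payment gateway", "card vault", "payments_dba", "asset_admin"),
    ("Employee records", "hr-fs-01:/share/hr", "None", "HR suite",
     "scanned contracts", "hr_staff", "asset_admin"),
]

def build_register(rows=SAMPLE_ROWS):
    """Create the in-memory register and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(f"INSERT INTO info_asset ({COLS}) VALUES (?,?,?,?,?,?,?)", rows)
    return conn

def unprotected_assets(conn, data_type):
    """Return (id, location) for records of data_type with no protection."""
    return conn.execute(
        "SELECT id, SENSITIVE_DATA_LOCATION FROM info_asset "
        "WHERE SENSITIVE_DATA_TYPE = ? "
        "AND lower(trim(DATA_PROTECTION_METHOD)) IN ('none', '') ORDER BY id",
        (data_type,)).fetchall()

def record_change(conn, asset_id, method, user):
    """Update the protection method and stamp who changed the record and when."""
    conn.execute(
        "UPDATE info_asset SET DATA_PROTECTION_METHOD = ?, "
        "RECORD_MOD_DATE = datetime('now'), RECORD_MOD_USER = ? WHERE id = ?",
        (method, user, asset_id))

if __name__ == "__main__":
    print(unprotected_assets(build_register(), "Card information"))
```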