How to conduct a security assessment

A security assessment process can be broadly divided into four stages: asset classification, threat analysis, risk analysis, and confirmation of solutions.


Generally speaking, a security assessment that follows this process will produce results without major problems. The process is progressive, layer by layer, and there is a causal relationship between each stage and the next: the output of the previous stage determines the goal of the next stage and the extent to which it needs to be carried out.
If you are dealing with a system that has never been assessed, start from the first stage. If the system is maintained by a dedicated security team over the long term, some stages (for example, asset classification) only need to be performed once and then kept up to date.

Classification of Assets

Classification of assets is the basis of all subsequent work. It helps us clarify what the target is and what we are protecting.
When the three elements of security were introduced, confidentiality and integrity were defined in terms of data. In the definition of availability, the word "resource" is used instead. The concept of a "resource" is broader than data, but in many cases the availability of a resource can also be understood as the availability of data.
Today, with the Internet infrastructure relatively mature, the core of the Internet is actually driven by user data: users generate services, and services generate data. Internet companies do own some fixed assets, such as servers and other physical objects, but their core value lies in the user data they hold. Therefore, the core issue of Internet security is data security.
What does this have to do with asset classification? Everything, because classifying the assets an Internet company owns means classifying its data. Some companies care most about customer data, others about employee information; depending on the business, the focus differs. In the process of classifying assets, it is necessary to talk with the head of each business department one by one to understand what the company's most important assets are and which data they value most.

Source: blog.csdn.net/luozhonghua2014/article/details/131838224