What Are Information Assets?

Information assets can be physical devices, the data stored within devices, or the data itself as it moves over the network and through its devices. In a broad sense, then, the entire IT system is an information asset, each physical device within it is an information asset, and all the data that resides in or is transported over the system is an information asset.

This exam requires a different mind-set from that of most Cisco certification exams, which usually only address the networking hardware and software. For the CSI exam, you have to think about the servers and the workstations, as well as how they must be protectedincluding from each otherwhen necessary. You also must think about protecting the data when it is on the wire (or in the air, with wireless).

You should be aware that not all information assets are created equal. Some are more valuable to the operation (whether business or other organization) than others. Naturally, that means you must think about applying different degrees of protection to them. Let's take a look at the kind of assets you might find in a network.

Hardware Assets

The short description of an asset is "any physical device connected to the network, directly or indirectly." That doesn't help you prepare for the exam very much, so let's start by breaking things out a little. Hardware assets can be end-user devices, devices intended to support many users (we can call them user -support devices), and networking devices.

End-User Devices

These are the devices that your users actually operate : desktops, laptops, PDAs, and so on. These devices might reside within your network fairly permanently (desktops don't wander around often), or they might be exposed to the outside world some of the time. Depending on the users and how much they actually work inside your offices, some end-user devices might spend most of their time outside your network; when they do access information assets on the inside, they make that connection from somewhere outside.

Because of the exposure of end-user devices to networks outside your control (including their exposure to the Internet), you will have to pay extra attention to them when you get to the remote-user model in Chapter 12, "The Remote-User Design." Remember, even if you create secure access into your network for these devices, they sometimes access other networks and can be exposed to malware (malicious software) that they then can ferry into your network.

Other end-user devices might not be quite so obvious. IP phones also are end-user devices that have (or can access) information over the network. Bear in mind, too, that some end-user devices might not be your assets (and you might not know they are there). For example, an individual might supply his own PDA, which is synchronized with his desktop calendar, or he might have a copy of information, such as a spreadsheet.

In addition, many networks handling industrial processes or physical production or product distribution include appliances such as data-collection devices (bar-code scanners that update inventory data) and automated control devices that can open or close valves and relays. Also in this group are industrial robots, which are the end users of their control networks.

A problem also could enter your network when a mobile end-user device, such as a PDA, is reconnected after being used elsewhere. If it does, you likely will learn this after the fact; the problem will appear without warning. The SAFE architecture includes multiple layers of protection largely because, despite your best efforts to secure the network, some risks will remain . The multilayer approach minimizes the damage that those remaining risks can cause.

User-Support Devices

User-support devices are devices that individuals do not operate directly; instead, the users access such devices from time to time as they work. Many users might simultaneously access a single user-support device. Alternatively, a device might remain idle for some time because no user is accessing it.

Obvious choices for user-support devices are file and print servers, along with the printers controlled by the print servers. But other user-support devices should be considered . Some of these perform network-support services, without which users couldn't get much done. Examples of these devices are DNS and DHCP servers, proxy servers, Web and mail servers, and (for those IP phones) call managers.

Speaking of management, some servers are on a support network managing the network; these include Authentication, Authorization, and Accounting (AAA) servers; Network Time Protocol (NTP) servers; Simple Network Management Protocol (SNMP) servers; and log servers. These servers are not necessary for data to flow in the same way that routers and switches are; they support managing the network without actually being a part of the data flow. This might seem like a fine distinction, but you will see in the SAFE models that some devices have interfaces that connect to more than one module. Cisco places these devices in the module where they serve a primary function, and that is the kind of distinction we are making here: These servers support networking but are not networking devices (they support the networking devices, their users, in the same way that a printer supports a human user).

Unlike some of the end-user devices, user-support devices should always be under your complete control. However, because these user-support devices interact with many other hosts on the network, you often will be protecting them more than the end-user devices.

This idea might seem a little backward, but much of the SAFE architecture is intended to help you contain a problem that gets into your network, however it managed to do that. (You'll hear that idea repeated a few more times: It's important.) Think about the interactions a given device should have and those that it could have, based on how the device connects in the network. You should understand why user-support devices get more extensive security attention than end-user devices.

Networking Devices

Now we're finally talking about the devices you're probably most familiar with, at least as you prepare for this exam. These are the devices that you learned about to pass your CCNA exam (routers and switches) and those that you studied in depth for the more advanced exams, such as CSPFA (PIX firewalls), CSIDS (intrusion detection), CSVPN (VPN concentrators and clients ), and the Network Access Server (NAS) and AAA that you worried about for the SECUR exam.

For those exams, you focused on how to configure those devices. For this exam, you need to think more about how these devices connect with each other, what happens when they connect with the outside world (where malware seemingly lurks in every connectivity cloud), and how they can be configured to do the following:

1. Protect themselves

2. Protect each other

3. Protect the rest of the network devices (end-user and user-support devices)

If that order seems a bit odd, remember that if the devices don't protect themselves and then each other, they can't protect the rest of the network.

This is probably the biggest difference between the CSI exam and other Cisco certification exams, except possibly the CCIE. In this exam, you aren't demonstrating how to make the networking devices exchange more information as much as you are demonstrating how to be sure that they exchange only what's necessary and block anything else. Other exams want you to facilitate information exchange; this exam wants you to control it.

Software Assets

Of course, hardware without software is pretty much useless. But is there really any point to considering the software assets separately? Yesbut, of course, I would say that.

A group calendar is a kind of software that, if compromised, might reveal something as trivial as vacation schedules or something as important as project schedules and timelines . Database software is often the key to accessing very valuable informationinformation that unscrupulous parties can turn into money, often with little effort. That simple example shows that software assets can vary in their importance, just as hardware assets can.

Often considered in the same general grouping as software assets are the data sets that the software manipulates. These often contain the highest-valued information the organization has: In the event of a disaster, hardware and the operating and application software that it runs can all be replaced , funded at least partly by insurance payments. But the information unique to the organizationthe data filescannot be bought from any vendor. If the data files have been corrupted, restoring from a regular, sufficient backup program might not help, depending on how long the corruption has existed.

So we've established three broad categories of devices to protect and realized that they have some different hardware and software characteristics to consider when protecting them. But there's another big factor in how you protect them, and it's the old rule of real estate: location, location, location.