Jump to content

A new approach to setting Security classifications on your Digital Information.

iain miskimmin

Recommended Posts

Let’s start with the word "Trust" one of the single most important words in business, industry, construction and information management.

"Without being able to trust information, I don't value it, and if I don't value it, I won’t expend any time, money or effort in procuring it, managing it, using it and disposing of it correctly."

Just one instance of something not trustworthy in your common data environment or CAFM system can then taint the perception of every other piece of data in it. Making all your expense and efforts pointless.

Trust is built by creating information that is needed, of quality and can be easily found, but there is a little more to it than that. Security.

If your information isn't secure, it could be manipulated by malignant actors, out for criminal profit, commercial damage or in a worst-case scenario attacking the lives and livelihoods of millions of people!

An IT department can assign a security level to a piece of information in a good "zero trust" environment easily enough, but how can we easily understand how secure each set of information needs to be and how to classify it? It is a daunting task when information requirements can run into the hundreds of thousands!

I am yet to see a project that does this in a well thought out and consistent manner. Most just blanket protect information, to a point where it is almost unusable or the people who actually need access so they can make a crucial decision have to wait weeks or months for someone to enable it.

Using a system of systems (see the previous article on Function/Performance Information Requirements) approach as the foundation of your design, construction and operations, allows a very smart way of securing both the physical and digital assets. (and the live links between them!)


A typical set of rail systems

At the beginning of a project, when you have identified the high-level systems that will achieve the desired outcomes, then a security assessment can begin.

The key is mapping out the systems, understanding their interdependencies, impacts and relationships, coupled with a standard CARVER (Criticality, Accessibility, Recoverability, Vulnerability, Effort and Recognisability) assessment.

These parent and child affect relationships, plus a plethora of other information about where these systems are, what type of systems they are, how they can be accessed, their potential value, how portable or replaceable they are, will allow a set of values to be calculated for each system, and then each sub systems giving a likelihood and importance rating.


An example of a systems of systems interdependency diagram

This in turn can be used to calculate a specific security rating for that system and, the information types that will be associated with it.

The ratings can be set and described in the Security Information Requirements which form part of the Security Management Plan as part of the ISO19650-5 process.


Example ratings set (image blurred for confidentiality)

As the project progresses and the finer details of the components and the interface connections of each system is defined, then these will further refine the classification process and outcomes.

The bonus of this approach allows us to set out the priority for detailed information requirements specification and collection. The more critical to the overall functioning of your asset, the more valuable any information will be. So with a limited budget, this is where you need to aim your resources.

Its great having a Common Data Environment that you know is secure and you can look back on to find out who did what and when, but if I am to trust what I see and base my key decisions on it, I need to know that the right person, with the right clearance, has done their job, at the right time, with the right information.

Without trust, there is no value, without value we might as well not bother!
  • Like 1
Link to comment
Share on other sites

  • 2 months later...

The passage proposes that using a SoS approach with CARVER analysis allows for efficient and effective security assessment and classification of information, especially within large datasets. This, in turn, helps prioritize resources for detailed information requirements and ultimately builds trust in the information used for crucial decision-making.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...