Everyone has data they need to keep private to some degree: a credit card number, a telephone book, bank details, that document containing the truth about alien abduction. These are your Assets – each can be classified with a different level of sensitivity.
Know what you are protecting and why
When you buy your $15 Mozart CD from www.cdshop.com, several pieces of information are up for grabs:
- The fact that you have performed a transaction with www.cdshop.com at all
- Your interest in Classical period music
- Your willingness to spend $15 on your music collection
- The address the CD is shipped to
- Some mechanism that can transfer $15 from you to www.cdshop.com
In general, the first three are low sensitivity. The last two are what most people wish to protect: their real-world address and the mechanism that transfers their money.
Information $ value
Information has value, often a financial value. Your interest in Classical music and willingness to purchase CDs online have a value for advertisers. Your real-world address has value for fraudsters wishing to impersonate you. Your credit card has a $5000 monthly limit. Armed with this information, you are ready to investigate the protection that you need for your information.
Protecting information-based Security Assets is much like protecting real-world Assets. You know how much they are worth to a thief, how much they would cost to replace, and you have a complete inventory.
At this point you could even consider taking out an insurance policy, just as you would on real-world Assets. As in the real world, your insurers will determine your risk based on the value, protection and risk of theft. The same principles can be applied to your virtual Security Assets. You just need to think like people who work in Insurance Sales.