Security Basics
Building an Information Asset database Jan 04 2012 05:33AM
sfmailsbm gmail com (2 replies)
RE: Building an Information Asset database Jan 05 2012 05:55AM
Parker Zhao (Parker Zhao groupm com) (1 replies)
RES: Building an Information Asset database Jan 06 2012 05:13PM
Fábio Soto (fabio andradesoto com br) (1 replies)
RE: Building an Information Asset database Jan 21 2012 05:35AM
Santosh Kaimal (santoshkaimal billdesk com) (1 replies)
Re: Building an Information Asset database Jan 27 2012 10:59PM
Bharat Gosalia (bharat_gosalia mafatlalcipherspace in)
Re: Building an Information Asset database Jan 04 2012 07:42PM
Vic Vandal (vvandal well com)
You could buy a tool to help with that, but you said you want to build one. We created about 20 pertinent tables within a DB, normalized the data/column distribution amongst them, and started populating them with all the data values from across our many systems. Whenever a system, interface, etc. is updated, so is the asset DB.

We also built a web front-end that can pull up dynamic views of whatever we need to see from within those inter-connected tables. That's for non-techie users, while techies with read access to the asset DB can run their own ad-hoc queries as desired also. There are access controls around the web front-end and the DB tables of course and it's not wide open for anyone within the organization to use.

Unfortunately I can't export a list of all of our tables and table structures to give you real-life examples of that. If you know what your sensitive data elements are, where they are, and what systems access them, then you can start building a list of pertinent columns that you'll want for your DB. In its 'very simplest form' you might have one small table or spreadsheet that has something like:

SENSITIVE_DATA_TYPE
SENSITIVE_DATA_LOCATION
DATA_PROTECTION_METHOD
PROCESSING_APPLICATION_NAME
ADHOC_DATA_DESCRIPTION
ACCESS_PERMISSIONS_GROUPS_ROLES
RECORD_MOD_DATE
RECORD_MOD_USER
Etc, etc.

Our system is a lot more complex because we're tracking over a hundred related attributes, so individual mileage may vary.

As for 'management tools', I don't know if you work in a Windows shop, Unix shop, mainframe shop, or some mix, nor what skill-sets you have in-house, so it's hard to provide any specific suggestions.

You do have some red flags to deal with for sure:
"e.g. Card Information being stored on local hard disk without any encryption"

That's a PCI compliance problem. You'll need to develop a way to mask that data or split it up, and control access to the data and masking/de-masking routines. You'll also have to ensure that the card data is encrypted in transit over the network. Finally you'll have to segment the storage system(s) from the rest of the network (e.g., put them behind some filtering firewall, hardware or software).

Good luck,
Vic

----- Original Message -----
From: sfmailsbm (at) gmail (dot) com [email concealed]
To: security-basics (at) securityfocus (dot) com [email concealed]
Sent: Wednesday, January 4, 2012 12:33:52 AM
Subject: Building an Information Asset database

Hi list,

happy New Year to all of you

Looking for some best practices, real-life recommendations on how to go about building up an Information Asset register, which will basically contain a list of information being used within the organisation, where and how it is stored, and where it is distributed, e.g. Card Information being stored on local hard disk without any encryption

This will be the basis to perform information risk assessments to mitigate potential risk issues

Any help on how to proceed, methodology and tools to manage all of this will be greatly appreciated

Thanks & regards,
Ronish

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
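An added example, not part of the thread or of either poster's system: the single-table register from Vic's column list, built in SQLite, with a query that surfaces the "card data stored without encryption" red flag. The table name, the sample rows, the `'NONE'` convention for an unprotected asset and the staleness check on `RECORD_MOD_DATE` are assumptions made for illustration.

```python
import sqlite3

# Columns follow the "very simplest form" list in the reply above.
SCHEMA = """CREATE TABLE asset_register (
    id INTEGER PRIMARY KEY,
    sensitive_data_type TEXT NOT NULL,
    sensitive_data_location TEXT NOT NULL,
    data_protection_method TEXT NOT NULL DEFAULT 'NONE',
    processing_application_name TEXT,
    adhoc_data_description TEXT,
    access_permissions_groups_roles TEXT,
    record_mod_date TEXT NOT NULL,  -- ISO 8601 date
    record_mod_user TEXT NOT NULL)"""

# Constructed sample rows; none of these systems or users are real.
SAMPLE_ROWS = [
    ("CARD_PAN", "ws-finance-07:D:/exports", "NONE", "billing-export",
     "nightly settlement file", "finance-clerks", "2011-03-02", "jdoe"),
    ("CARD_PAN", "db-pay-01:payments.cards", "AES-256 column encryption",
     "payment-gateway", "card vault", "pay-dba", "2011-12-15", "asmith"),
    ("EMPLOYEE_SALARY", "fs-hr-02:/payroll", "file-system ACL only",
     "payroll", "monthly payroll run", "hr-admins", "2010-06-30", "jdoe"),
]

def build_register(rows=SAMPLE_ROWS):
    """Create an in-memory register and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO asset_register VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, ?)", rows)
    return conn

def unprotected(conn, data_type):
    """Locations holding data_type with no protection method recorded."""
    cur = conn.execute(
        "SELECT sensitive_data_location FROM asset_register"
        " WHERE sensitive_data_type = ?"
        " AND upper(trim(data_protection_method)) IN ('', 'NONE')"
        " ORDER BY sensitive_data_location", (data_type,))
    return [row[0] for row in cur]

def stale(conn, as_of, max_age_days=365):
    """Locations whose record was last modified more than max_age_days ago."""
    cur = conn.execute(
        "SELECT sensitive_data_location FROM asset_register"
        " WHERE julianday(?) - julianday(record_mod_date) > ?"
        " ORDER BY id", (as_of, max_age_days))
    return [row[0] for row in cur]
```

`unprotected(build_register(), "CARD_PAN")` lists the locations to remediate first; `stale()` points at entries that should be re-confirmed before a risk assessment relies on them.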

Copyright 2010, SecurityFocus