|
Impact to CIA (H/M/L) |
||||||
|
Category |
Asset |
Description |
Value to Threat Actor |
C |
I |
A |
|
IT Assets |
Servers |
Servers that we use to run our own business but also data centers that we use to support our customer’s business |
Very high value as they can not only obtain info on our business but also many of our customer’s business |
H |
H |
H |
|
User Devices |
Cell phones, tablets, PC’s, Laptops. Many of which are now BYOD |
Represents a wide attack surface and many more vectors of attack to gain access to the network and critical information. |
H |
M |
L |
|
|
People |
The general IT staff who maintain the servers, applications, contracts, network configuration, etc |
IT personnel are a great target given their admin privileges. |
H |
M |
M |
|
|
Storage Media |
This includes our Disaster Recovery back-up media, active storage for email accounts and cloud storage |
High value asset as this will provide a threat actor with historical information and current data |
H |
M |
H |
|
|
Critical Information |
Intellectual property |
This is all of our current patents in process and future technology roadmap |
This would provide a threat actor insight into our future technology pipeline. Usually kernel technology (~3-5 years in the future) |
H |
M |
L |
|
Product Development Plans & M&A |
Product roadmap which includes co-development and joint go-to-market strategies with partners and customers. This also includes M&A proposals and activity |
Tremendously valuable to a bad guy as this can be used to game the stock on an M&A target for financial gain. Additionally, it can be used to disclose info to our competitors |
H |
H |
L |
|
|
Business Plans |
This includes our revenue targets by region/industry segment and sales territories |
Has some value but it is only a plan, it may be useful to potentially game our stock price if it can be reconciled with the current pipeline data |
M |
L |
L |
|
|
Organization Charts |
Contains all 90K employees along with the reporting line – phone numbers, email, title, location and skills |
This is a perfect data source to obtain for phishing attacks |
H |
L |
L |
|
|
Sales Pipeline Data |
This includes worldwide pipeline data |
Current sales pursuits, pricing proposals, and customer contacts |
H |
M |
M |
|
|
Historical sales reports (product, territory, channel) |
Historical sales will provide customers, what they bought, how much they paid, the sales territory, customer contact info |
This is tremendously valuable for a threat actor who is intent on damaging our business. They could provide this confidential data to other customers. |
H |
M |
L |
|
|
On-going and previous legal cases |
Legal cases in process include employment law, defense claims, settlement offers, M&A, etc |
A breach of confidentiality could create a massive liability for the company |
H |
L |
M |
|
Appendix A – Impact to Confidentiality, Integrity and Availability (CIA)