What is an Asset?
An asset is anything that brings value to the organisation and therefore requires protection. Assets fall into two categories:
- Tangible Assets — physical, visible, measurable: servers, laptops, firewalls, office buildings, network cables, storage devices, backup tapes, physical security systems.
- Intangible Assets — non-physical, knowledge-driven, reputation-related: intellectual property (patents, source code, designs), customer data, trade secrets, algorithms, brand reputation, contracts, goodwill.
The machine learning model that powers Neuromesh's fraud detection (intangible) is just as valuable as the racks of GPUs that train it (tangible). Both need protection — but in very different ways.
Key Terms and Processes
Classification — "Label the Data"
Purpose: Identify and mark assets so only those with proper clearance can access them.
Who does it? Data Owners or Business Units.
How it works: Inventory all assets → Assign classification labels (Public, Internal, Confidential, Restricted) → Apply handling rules: encryption, retention, destruction, audit scope.
Finance marks a quarterly earnings spreadsheet as Confidential. Marketing marks a campaign flyer as Public.
Categorisation — "Score the Impact"
Purpose: Assess the consequences of loss of Confidentiality, Integrity, or Availability (the CIA triad).
Who does it? Security or Risk teams.
How it works: Evaluate the system hosting the data → Assign criticality (High, Medium, Low).
The finance spreadsheet lives on a shared server → categorised as High Impact for confidentiality. A test VM with dummy data? Low Impact.
Data Classification Policy Considerations
- Who has access (roles and permissions)?
- How it's secured (default-off vs. default-open)
- Retention period (regulatory vs. business-driven)
- Disposal methods (shredding, secure wipe)
- Encryption requirements (e.g., cardholder data under PCI DSS must be encrypted)
- Intended use (internal-only, restricted, or public release)
Value, Sensitivity, and Criticality
Value of Assets
- Quantitative: measurable in money — replacement cost, revenue loss.
- Qualitative: harder to price — brand trust, legal exposure.
Sensitivity
- How harmful if exposed? (e.g., PII, PHI, trade secrets)
- Drives Confidentiality controls (encryption, access)
Criticality
- How damaging if unavailable? (e.g., transaction system downtime)
- Drives Availability controls (redundancy, disaster recovery planning (DRP), high availability (HA))
Sensitivity = Keep it secret. Criticality = Keep it running.
The Asset Classification Process
Step 1 — Identify and Locate Assets
Objective: Conduct asset discovery — identify all valuable assets (data, hardware, software, intellectual property).
Why it matters: You can't protect what you don't know exists.
- Customer databases
- Employee HR records
- Financial platforms
Step 2 — Classify Based on Value
Objective: Assign classification levels based on value, sensitivity, and criticality. Requires ownership and accountability — the business or data owner signs off.
- Trade secrets → Confidential + Encryption
- Marketing brochure → Public + minimal controls
Step 3 — Protect Based on Classification
Objective: Apply security controls tailored to the classification level. Baselines defined for each class (Confidential, Sensitive, Public).
- Confidential Data: AES-256, MFA, DLP, monitoring
- Critical Systems: HA clusters, DRP, incident response
- Confidentiality → Encryption, Access Controls
- Integrity → Hashing, Checksums
- Availability → Redundancy, Backups
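The three steps above as a small worked model (an added example, not part of the original notes): the classification label drives the handling rules, the hosting system's CIA ratings drive its criticality, and a review pass flags the gaps the notes warn about, such as an unlabelled HR record. The labels, retention periods and the inventory are constructed for illustration and assume a four-level commercial scheme.

```python
from typing import Optional
from dataclasses import dataclass

# Handling rules per classification label (constructed baseline for this example)
HANDLING = {
    "Public":       {"encrypt": False, "retention_days": 365,  "audit": False},
    "Internal":     {"encrypt": False, "retention_days": 1095, "audit": False},
    "Confidential": {"encrypt": True,  "retention_days": 2555, "audit": True},
    "Restricted":   {"encrypt": True,  "retention_days": 2555, "audit": True},
}
IMPACT_RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Asset:
    name: str
    owner: str             # data owner who signs off on the label
    label: Optional[str]   # classification label; None means never labelled
    impact: dict           # categorisation: CIA impact of the hosting system

def classify(asset: Asset) -> dict:
    """Classification step: the label dictates the handling rules."""
    if asset.label not in HANDLING:
        raise ValueError(f"{asset.name}: missing or unknown label {asset.label!r}")
    return HANDLING[asset.label]

def categorise(asset: Asset) -> str:
    """Categorisation step: criticality is the highest CIA impact rating."""
    return max(asset.impact.values(), key=IMPACT_RANK.__getitem__)

def review(assets) -> list:
    """Flag gaps: unlabelled assets, and encrypt-class data on a Low-confidentiality host."""
    findings = []
    for a in assets:
        if a.label is None:
            findings.append((a.name, "unlabelled"))
        elif classify(a)["encrypt"] and a.impact.get("confidentiality") == "Low":
            findings.append((a.name, "label/category mismatch"))
    return findings

# Constructed inventory mirroring the Neuromesh examples in the notes
INVENTORY = [
    Asset("Q3 earnings spreadsheet", "Finance", "Confidential",
          {"confidentiality": "High", "integrity": "High", "availability": "Medium"}),
    Asset("Campaign flyer", "Marketing", "Public",
          {"confidentiality": "Low", "integrity": "Low", "availability": "Low"}),
    Asset("Supplier price list", "Procurement", "Confidential",
          {"confidentiality": "Low", "integrity": "Low", "availability": "Low"}),
    Asset("Employee review notes", "HR", None,
          {"confidentiality": "High", "integrity": "Medium", "availability": "Low"}),
]
```

Running `review(INVENTORY)` returns the supplier list as a label/category mismatch (Confidential data on a system scored Low) and the HR notes as unlabelled; the spreadsheet and flyer pass.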
Types of Classification Levels
Commercial Business Levels
- Confidential — trade secrets, customer data
- Private — HR records, internal comms
- Sensitive — supplier lists, project plans
- Proprietary — product specs, limited release
- Public — marketing content
Military Levels
- Top Secret
- Secret
- Confidential
- Sensitive but Unclassified
- Unclassified
Challenges in Classification
- Human Error — over/under-classifying data
- Knowledge Gap — classifier not trained in regulations
- Labelling Issues — inconsistent or missing labels
- Lifecycle Gaps — no declassification or destruction processes
At Neuromesh, Susan (HR) once sent "Confidential Employee Review Notes" over unencrypted email — not out of malice, but because the data wasn't labelled. A classic classification gap.
Brain Ticklers
1. Anya finds that Neuromesh's AI fraud detection model is proprietary and underpins their market advantage. Which type of asset is it?
- Tangible Asset
- Intangible Asset
- Public Asset
- Classified Asset
2. A finance spreadsheet is labelled Confidential by the owner. The security team rates the server hosting it as High-Impact. What process is this?
- Data Labelling only
- Categorisation only
- Classification and Categorisation
- Sensitivity Scoring
3. Neuromesh loses access to its payment processing system for 6 hours. What attribute of the CIA triad is most affected?
- Confidentiality
- Integrity
- Availability
- Non-Repudiation
4. If an HR record is over-classified as Restricted, what's the likely downside?
- Employees mishandle data
- Resources wasted on excessive controls
- Legal non-compliance
- Data breaches become more likely
5. Which best distinguishes sensitivity from criticality?
- Sensitivity is about uptime; criticality about disclosure
- Sensitivity is about disclosure; criticality about uptime
- Both measure legal compliance
- Both are the same as classification
Key Takeaways
- Assets = anything of value — both tangible and intangible
- Classification = label the data; Categorisation = score the impact
- Sensitivity drives confidentiality; Criticality drives availability
- Asset valuation can be quantitative ($) or qualitative (reputation)
- Strong policies, training, and labelling systems prevent misclassification
