Have You Identified Your IT High Value Assets?
By Jeremy West, Senior Cybersecurity Program Lead, CIAS-ISAO
In today’s increasingly connected world, it is more important than ever to ensure an organization’s information and information systems are protected from cyber threats.
Every organization has critical information and technology assets that are essential and require enhanced security. However, due to finite organizational resources, a deliberate and strategically-focused approach is needed to identify – and secure – the most important assets.
What are High Value Assets?
High Value Assets (HVAs) are the critical assets supporting an organization’s mission or critical operations, and include critical information that is processed, stored or transmitted.
These assets, systems and datasets may contain sensitive data, making them attractive to criminals, politically motivated or state-sponsored actors. These realities necessitate organizations adopt a formal program to identify, prioritize and protect their HVAs to sustain and maintain critical mission essential functions (MEFs). We’ll elaborate on MEFs later in the article.
Identifying HVAs provides an opportunity to review proposed HVAs, validate and prioritize them according to the organization’s mission and identify what is truly deemed critical. Each asset owner, understandably, may identify their assets as critical to the overall organization. However, taking time to systematically process your organization’s HVAs can more accurately identify critical assets that could affect the overall organization’s ability to perform its mission or conduct business in the event your information or information systems are compromised.
To assist with this process, a working definition of high value assets was developed by the federal government in 2018. The Memorandum defining HVAs also shares a list of attributes to consider when determining whether an asset, dataset or repository is of high value.
As defined by federal OMB Memorandum M-19-03[1], a high value asset can be any information or information system that relates to one of these three categories[2]:
- Informational value: The information or information system that processes, stores or transmits the information is of high value to the government or its adversaries.
- Mission essential: The organization owning the information or information system cannot accomplish its mission essential functions (MEF) within expected timelines without the information or information system.[3]
- Protective assets: The assets serving critical functions for maintaining security or resilience2. Security and resilience are not the same. Security assets are needed to protect the organization from attacks and breaches while resilience focuses on continuing business operations even after an attack has occurred.
Don’t Overlook Your Mission Essential Functions
The Center for Infrastructure Assurance and Security (CIAS) at The University of Texas at San Antonio (UTSA), through a collaborative effort with the Cybersecurity and Infrastructure Security Agency (CISA), have developed a HVA pilot program to assist states, tribes, territories and localities (SLTTs) with protecting their HVAs.
As part of this program, the CIAS has developed a process for mitigating risk to and protecting HVAs. These steps include:
- Planning
- Identifying Mission Essential Functions (MEFs)
- Identifying, Validating and Prioritizing High Value Assets (HVAs)
- Assessing Organization and/or HVA against Cybersecurity Framework (CSF)
- Developing a Remediation Action Plan
After the initial planning stage is completed, the first major activity is to identify the Mission Essential Functions (MEFs). If organizations have not identified their MEFs, then selecting HVAs can become a much for exhaustive task than necessary (so, please, don’t skip this step!).
Mission essential services/functions are a service, or a collection of services, normally performed by a unit that must continue at a sufficient level without interruption or restart within given timeframes (e.g., within 12 hours) after a disruption to the service. In other words, MEFs are the highest priority for an organization to maintain, with minimal disruption, during all incidents or emergencies.
An essential service/function will meet at least one of the following conditions:
- A service that, when not delivered, creates an impact on the health and safety of individuals. The service or function preserves life, prevents injury or protects property.
- A service that may lead to the failure of a business unit if activities are not performed in a specified time.
- A service(s) that must be performed to satisfy regulatory requirements. Is it required by law or regulatory authority?
- A service where, if not performed, the impact may be immediate or may occur over a time.
- Critical activities that cannot cease.
- Activities driven by mission.
- Provides indispensable support for provision of other critical functions.
- It must be continued under all circumstances/cannot suffer a significant interruption.
- Directs or controls instruction or research—be sparing about tagging a function as directing or controlling these services.
- It provides vital support to another department, unit or organization (with critical functions).
- It is a system that is connected to a major revenue source.
Clearly defined mission essential functions are paramount to identifying those organizational assets and HVAs that are identified as critical assets. When documenting your MEFs, think about the big picture and ask yourself: What are the ways your organization serves its stakeholders, such as the people, businesses and critical infrastructure, in your jurisdiction?
Once this step is complete, it becomes possible to identify those systems, assets and information, which could potentially be classified as an HVA.
Again, these are just the first steps toward mitigating risk to and protecting your HVAs. Please contact the CIAS-ISAO if you have any questions or need assistance in identifying your information and information system-related high value assets!
[1] OMB Memorandum M-19-03. https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf
2 Benestelli, B., & Shawgo, E. (2020, October 26). How to Protect Your High Value Assets. SEI Blog. https://insights.sei.cmu.edu/sei_blog/2020/10/how-to-protect-your-high-value-assets.html
[3] HVA Control Overlay v2.0. (2021). CISA. https://www.cisa.gov/sites/default/files/publications/HVA%20Control%20Overlay%20v2.0_0.pdf
