Chapter 5. System Context

How often do you hear people say things like, “It’s all about the data!”? When it comes to security, what matters is protecting the data from having its availability, integrity, and confidentiality compromised in any way. Unfortunately, the emphasis often shifts from protecting the data that an application is processing to protecting the infrastructure that stores and processes that data. This lack of awareness of the data itself demonstrates the necessity of taking a data-centric approach to the design of security controls, where an architect considers how to safeguard data.

This chapter begins our exploration into the process of designing security for information systems by emphasizing that data protection is central to information security while the data is in transit, at rest, or in use. We explain the context for why security is about safeguarding important information assets, not just IT systems. We will look at how to categorize data assets based on asset classes and remind you that processing data creates new assets, including metadata. The classification of the data is then performed based on its sensitivity to loss of confidentiality, integrity, and availability.

Creating a system context diagram and then identifying the business transactions that handle the data flowing in and out of the system is the start of an information asset register listing the data flowing through the system. We then classify the data based on sensitivity, ...
