Asset classification is a popular concept among security specialists. Quoting from The Pragmatic CSO:
You can’t protect what you don’t know about, so the first step is to figure out what you have. Likewise, you don’t want to spend $50,000 protecting a $2,000 business system, so in Step 1 you talk to senior management and discern how important each system is to the operations of the business. Then you can figure out how much to invest in protecting it.
Here is why that does not work in practice:
Senior management rarely think of the business in terms of the particular systems that run it. They will rely on you to tell them which systems matter, so the classification ends up being yours, not theirs;
In today's interconnected world, a single system on its own means nothing. Mainframes tend to be very important to the businesses that use them, so should most of the budget go to protecting mainframes? Not really, or at least not just the mainframes. What has to be protected is the whole ecosystem: the mainframe itself, its storage system, the administrative and user workstations, the network infrastructure linking all of that, the directory service used for authentication and authorisation to every one of those elements, the identity management system that feeds the directory, and the supporting processes. Compromise any one of them and you have a path to the mainframe. So, what exactly is "not so important"?
Underinvesting in the protection of supposedly low-risk infrastructure is itself a big risk. Most of the multimillion-dollar breaches went through sub-$2,000 systems that had little visibility to technical staff, let alone to senior management. The loss is measured against the value of the system the attacker reached, not the value of the box they came in through.
An alternative (yet also pragmatic) approach is to protect everything. That requires knowing everything in the enterprise, a complete inventory, and a rule that the unknowns are not allowed: anything found on the network that has no inventory record gets flagged and dealt with, not ignored.
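Two checks follow from the points above, and the following is an added example (it is not code from the original post) of how a practitioner might run them. The inventory, dependency map and host list are constructed for illustration. First, a declared criticality is pushed down to everything the system depends on, so that a directory server or core switch rated "low" (or never rated at all) inherits "critical" from the mainframe that cannot operate without it. Second, hosts observed on the network are reconciled against the inventory and anything unexplained is reported. Dependency edges here mean "compromise of B compromises A", which is the sense that matters for protection decisions.

```python
from collections import deque

LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample: the only ratings management actually gave.
# Supporting infrastructure was never rated and so defaults to "low".
DECLARED = {
    "mainframe": "critical",
    "hr-portal": "medium",
    "print-server": "low",
}

# Constructed dependency map: asset -> assets whose compromise would
# compromise it (storage, network path, auth, admin access, identity lifecycle).
DEPENDS_ON = {
    "mainframe": ["storage-array", "core-switch", "directory", "admin-ws-01"],
    "hr-portal": ["directory", "core-switch"],
    "directory": ["idm", "core-switch"],
    "idm": ["core-switch"],
    "admin-ws-01": ["core-switch", "directory"],
    "print-server": ["core-switch"],
}

# Constructed observation list, e.g. the hosts a discovery scan answered from.
OBSERVED = [
    "mainframe", "core-switch", "directory", "idm", "admin-ws-01",
    "storage-array", "hr-portal", "print-server",
    "backup-agent-vm", "unknown-10.0.3.44",
]


def known_assets(declared, depends_on):
    """Every asset the inventory knows about, whether rated or only referenced."""
    assets = set(declared) | set(depends_on)
    for deps in depends_on.values():
        assets.update(deps)
    return assets


def effective_criticality(declared, depends_on):
    """Propagate each asset's rating down to its dependencies until stable.

    A dependency can never be rated below the most critical thing that
    depends on it. Ratings only ever increase, so the worklist terminates
    even when the dependency map contains cycles.
    """
    level = {a: LEVELS[declared.get(a, "low")] for a in known_assets(declared, depends_on)}
    queue = deque(level)
    while queue:
        asset = queue.popleft()
        for dep in depends_on.get(asset, []):
            if level[dep] < level[asset]:
                level[dep] = level[asset]
                queue.append(dep)  # its own dependencies may need raising too
    return {a: NAMES[l] for a, l in level.items()}


def underrated(declared, depends_on):
    """Assets whose inherited rating is higher than what management declared.

    Returns (asset, declared_or_None, effective) tuples; these are the
    'sub-$2000 systems' the budget would have skipped.
    """
    effective = effective_criticality(declared, depends_on)
    out = []
    for asset, eff in sorted(effective.items()):
        declared_level = LEVELS[declared.get(asset, "low")]
        if LEVELS[eff] > declared_level:
            out.append((asset, declared.get(asset), eff))
    return out


def unknown_assets(inventory, observed):
    """Hosts seen on the network that no inventory record explains."""
    return sorted(set(observed) - set(inventory))


if __name__ == "__main__":
    for asset, was, now in underrated(DECLARED, DEPENDS_ON):
        print(f"{asset}: declared={was or 'unrated'} effective={now}")
    for host in unknown_assets(known_assets(DECLARED, DEPENDS_ON), OBSERVED):
        print(f"UNKNOWN: {host}")
```

With the constructed data every piece of infrastructure under the mainframe comes out "critical" even though none of it was rated, only the print server stays "low", and the two hosts that exist on the wire but not in the inventory are reported rather than silently left out of the protection budget.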