Identification of Assets

Video Activity

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 4.2: Identification of Assets
00:09
In this video, we will cover
00:11
tips around identifying assets,
00:14
understanding the different asset types,
00:17
the ways in which you can value your assets
00:19
and how to document these assets.
00:23
This does not pertain to a specific ISO 27001 clause.
00:29
However, this is an important step in the information security risk management process
00:35
and is applicable to multiple steps throughout ISO 27001.
00:43
Some great guidance is provided in ISO 27005
00:48
with regards to risk management.
00:51
This is a standard that forms part of the ISO 27000 family
00:56
and is specific to information security risk management to support an ISMS.
01:02
We'll cover some of the key concepts here.
01:06
So an asset is anything that is of value to an organization.
01:10
Your organization will need to decide how it is going to define assets and containerize them.
01:15
For example,
01:18
it is easy to see servers and software as assets; these are tangible.
01:23
But information assets, such as the information in your databases and systems,
01:30
are not so easily tangible and even more difficult to associate a value to.
01:36
The most important thing is to identify the assets you want to protect.
01:40
What are your assets and what is their criticality and value to your organization?
01:46
You also need to consider the business impact of what could happen if these assets were lost, stolen or damaged,
01:53
and think of the business impact in terms of the CIA triad, the triad being confidentiality, integrity
02:00
and availability.
02:05
Generally, we want to start at information assets
02:08
and highlight any type of supporting assets,
02:12
but we'll get into that in the coming section.
02:19
So ISO 27005 makes two differentiations with regards to assets.
02:25
It classifies primary assets and supporting assets.
02:31
The two main types of primary assets are information assets
02:36
and business processes.
02:38
These are the assets that allow your company to operate.
02:42
Without these assets,
02:44
there wouldn't be much value to your organization.
02:50
Supporting assets are all the tangible items that are used to support your primary assets,
02:57
so supporting assets are usually tangible in nature.
03:00
They often contain, store, process or otherwise interact with information assets.
03:07
Examples can include servers, software, databases, monitors, network components and so forth.
03:16
One important factor to consider here is the ISMS scope and how this comes into play.
03:23
While there is a possibility that not all assets or business processes fall directly within the scope of the ISMS,
03:31
is there any indirect relationship between the two?
03:36
Can assets which are not directly in the ISMS scope
03:38
have an impact on those that are?
03:42
How are those dealt with?
03:44
These are also questions that can be answered further down in the risk assessment process
03:47
when the potential consequences and any ripple effects become clear.
03:53
But it's good to have these questions in mind as early on in the process as possible.
04:00
So how do we look at asset valuation and the impact of assets?
04:06
Valuation
04:08
consists of two main approaches: your qualitative approach and your quantitative approach.
04:15
Your organization must decide if it wants to use
04:17
a qualitative or quantitative approach.
04:21
A quantitative approach would generally mean some sort of monetary value figure,
04:27
while a qualitative approach produces a scale to show the level of importance or priority of the assets,
04:32
for example, low, medium or high.
04:35
Why is it important to value assets?
04:39
The value of an asset puts into perspective the rest of the risk assessment process.
04:45
It is difficult to determine the actual impact and consequences of something happening to an asset
04:50
when you don't have a defined indication of what the asset is worth.
04:57
The most important factor here is understanding the impact and treating the risk, which we will still get to.
05:02
But in brief, it essentially boils down to: if you have an asset worth $100
05:08
and mitigating an associated risk costs $200,
05:12
you would probably just accept the chances of the risk occurring.
05:15
Meanwhile,
05:17
if an asset is valued at $10,000 and it only costs $1,000 to put additional controls in place to protect that asset,
05:26
it makes the decision that much easier.
05:29
Now, to add another layer to this,
05:31
ISO 27001 really wants you to think about your asset in terms of CIA.
05:38
In essence, value often doesn't stop at just its replacement cost.
05:43
What would be the knock-on costs if an asset were to be affected due to the loss of confidentiality, integrity or availability?
05:51
How many assets or processes are dependent on this asset?
05:56
What are the business consequences that could come from one or more of these assets being affected?
06:01
That would give you a bit of a view of the total value of the asset.
06:06
Once you have
06:09
an asset value, you could do a bit of an impact assessment.
06:13
This helps define more clearly what the actual impact to the organization could be
06:18
if something goes wrong with the asset.
06:20
You can choose how to frame and document this.
06:24
This can also be linked to the business impact assessments you would perform for your BCP and IT DRP exercises.
06:31
You can look at the impact both from a direct as well as an indirect means.
06:38
The initial impact assessment will be without consideration of controls
06:42
and will therefore have an impact value virtually the same as the asset value,
06:46
while the next iterations of assessment will incorporate controls
06:50
and their effectiveness and thus reduce the impact.
06:58
To touch on the impact methods a bit more,
07:00
we mentioned direct impact and indirect impact. Direct impact can involve financial loss due to the replacement costs of the asset
07:10
or a loss of income.
07:12
Indirect impact can be associated with reputational damage,
07:15
business interruption and so forth.
07:23
So what do you need to document for your ISMS
07:27
to ensure that your risk assessment process is as thorough as it can be?
07:30
It is important to have a solid list of identified assets.
07:34
These are the assets that you are wanting to protect and therefore the assets that you want to assess risks for.
07:42
When you are being audited for your internal audits and your certification audits,
07:46
your auditor will generally want to see some kind of document or repository
07:50
where you have defined your information assets.
07:54
These can also be valuable processes.
07:57
The information assets
07:59
will also generally be associated with different types of supporting assets:
08:03
where the information is stored, how it is transported and so forth.
08:07
It is always easier to define values for tangible assets, as these have defined replacement costs.
08:15
But your information assets are often a lot harder in that regard.
08:20
Your information asset list is yours.
08:22
Document the information that you feel is pertinent to have
08:26
on the list and ensure that this is appropriately classified and protected within your organization,
08:31
as this can become quite a sensitive piece of information, especially if you are listing where assets are stored and what their associated containers are.
08:41
In essence,
08:41
the point of this all is just to ensure that you understand the assets you are trying to protect, as well as the value they hold, and feed this into your risk management process,
08:52
and be sure that you can somehow demonstrate and prove this to your auditor.
08:58
To summarize,
09:01
we covered why the identification of assets is important for the ISMS as well as your risk management processes.
09:09
We covered asset valuation
09:11
and impact determination.
09:16
Asset valuation can be both qualitative
09:20
or quantitative,
09:20
while impact can be direct or indirect.
09:26
We also covered what to document regarding your assets.
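As an added example, not part of the course transcript: a small Python asset register that applies the ideas from the lesson. It models primary and supporting assets with CIA ratings, gives each a qualitative rating and a quantitative value that includes the knock-on value of the assets depending on it, runs the impact assessment with and without controls, and applies the lesson's cost-versus-value rule of thumb. The asset names, costs and the modelling of controls as a fraction of impact removed are constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}  # qualitative CIA scale from the lesson


@dataclass
class Asset:
    name: str
    kind: str                # "primary" (information, business process) or "supporting"
    replacement_cost: float  # direct value; tangible assets have a defined one
    cia: tuple               # (confidentiality, integrity, availability) ratings
    depends_on: list = field(default_factory=list)  # assets this one relies on


def qualitative_rating(asset):
    """Qualitative value: the highest of the three CIA ratings."""
    return max(asset.cia, key=SCALE.__getitem__)


def total_value(name, register):
    """Quantitative value: replacement cost plus the knock-on value of every
    asset that depends on this one (a server carries the data and processes on it)."""
    dependents = [a.name for a in register.values() if name in a.depends_on]
    return register[name].replacement_cost + sum(total_value(d, register) for d in dependents)


def impact(name, register, control_effectiveness=0.0):
    """First iteration (no controls) equals the asset value; later iterations
    scale it down by the fraction of impact the controls remove (0..1, assumed model)."""
    return total_value(name, register) * (1.0 - control_effectiveness)


def treatment(name, register, control_cost, control_effectiveness):
    """Lesson's rule of thumb: mitigate when the controls cost less than
    the impact they remove, otherwise accept the risk."""
    removed = impact(name, register) - impact(name, register, control_effectiveness)
    return "mitigate" if control_cost < removed else "accept"


# Constructed register: two primary assets resting on two tangible supporting assets,
# plus the lesson's $100 asset whose $200 mitigation is not worth buying.
REGISTER = {a.name: a for a in [
    Asset("order-process", "primary", 5000, ("medium", "high", "high"),
          depends_on=["customer-records", "web-app"]),
    Asset("customer-records", "primary", 10000, ("high", "high", "medium"),
          depends_on=["db-server"]),
    Asset("db-server", "supporting", 2000, ("medium", "medium", "high")),
    Asset("web-app", "supporting", 1000, ("medium", "medium", "high")),
    Asset("spare-monitor", "supporting", 100, ("low", "low", "low")),
]}
```

Note that the database server's total value (17,000) far exceeds its 2,000 replacement cost because the customer records and the order process depend on it, which is the knock-on effect the lesson asks you to consider.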
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.