7 hours 52 minutes
Listen 4.2 identification of assets
In this video, we will cover
tips around identifying assets,
understanding the different asset types,
what is in which you can value your assets
and how to document these assets.
This does not pertain to a specific I. So 27,001 clause.
However, this is an important step in the information security risk management process
and is applicable to multiple steps throughout. 27,001.
Some great guidance is provided in ISO 27,000 and five
with regards to risk management.
This is a standard that forms part of the eye. So 27,000 family
and a specific to information security risk management to support a nice um S
we'll cover some of the key concepts here.
So in acid is anything that is a value to an organization,
your organization will need to decide how it is going to define assets and containerized them.
it is easy to see service and software as acids thes air tangible.
But information assets such as the information in your databases and systems
are not so easily tangible and even more difficult to associate a value to
the most important is to identify the assets you want to protect.
What are your assets and what is their criticality and value to your organization?
You also need to consider the business impact of what could happen if these assets were lost, stolen or damaged.
And think off the business impact in terms of the CIA. Tried tried being confidentiality impact
Generally, we want to start at information assets
and highlight any type off supporting assets,
but we'll get into that in the coming section.
So I said 27,000 and five makes to differentiations with regards to assets.
It classifies primary acids and supporting acids.
The two main types of premier assets are information, essence
and business processes.
These are the assets that allow your company to operate.
Without these assets,
they wouldn't be much value to your organization.
Supporting assets are all the tangible items that are used to support your primary assets,
so supporting assets are usually tangible in nature.
They often contain store process or otherwise interact with information acids.
Examples can include servers, software, databases, monitors, network components and so forth.
One important factor to consider here is the ice, um, s scope and how this comes into play.
While there is a possibility that not all assets or business processes full directly within the scope of the ice mess,
is there any indirect relationship between the two?
Can assets which are not directly in the ice missed scope
have an impact on those at all?
How are those dealt with
thes air? Also questions that can be answered further down in the risk assessment process
when the potential consequences and any ripple effects become clear.
But it's good to have these questions in mind as early on in the process as possible.
So how do we look at the asset valuation? An impact off assets
consists of two main approaches. Your qualitative approach and your quantitative approach.
Your organization must decide if it wants to use
a qualitative or quantitative approach.
A quantitative approach would generally mean some sort of monetary value figure.
While a qualitative approach produces scale to show the level of importance or priority of the acids,
for example, low, medium or high.
Why is it important to value assets?
The value of an asset puts into perspective the rest of the risk assessment process.
It is difficult to determine the actual impact and consequences of something happening to an asset
when you don't have a defined indication off what the acid is worth.
The most important factor here is understanding the impact and treating the risk, which we will still get thio.
But in brief, it essentially boils down to If you have an acid worth $100
and mitigating an associated risk costs $200
you would probably just accept the chances of the risk occurring.
if in acid is valued at $10,000 and it only costs $1000 to put additional controls in place to protect that acid,
it makes the decision that much easier
now to add another layer to this.
I said 27,001 really wants you to think about your acid in terms of CIA.
In essence, value often doesn't stop at just its replacement cost.
What would be the knock on costs if in acid were to be affected due to the loss of confidentiality, integrity or availability?
How maney assets or processes are dependent on this acid?
What are the business consequences that could come from one or more of these assets being affected.
That would give you a bit of you off the total value of asset.
Once you have
an asset value, you could do a bit of an impact assessment.
This helps defray more clearly clearly what the actual impact to the organization could be.
If something goes wrong with the acid,
you can choose how to frame and document this.
This can also be linked to the business impact assessments you would perform for your BCP and I t DRP exercises.
You can look at the impact both from a direct as well as an indirect means.
The initial impact assessment will be without consideration of controls
and will therefore have an impact value virtually the same as Theus. It value,
while the next iterations of assessment will incorporate controls
on their effectiveness and thus reduce the impact
to touch on the impact methods a bit more,
we mentioned direct impact and indirect impact. Direct impact can involve financial loss due to the replacement costs off the acid
or a loss of income.
Indirect impact can be associated with reputational damage,
business interruption and so forth.
So what do you need to document for your ice miss
to ensure that your risk assessment process is as thorough as it can be.
It is important to have a solid list of identified assets.
These are the assets that you are wanting to protect and therefore the assets that you want to assess risks
when you are being audited for your internal audits and your certification orders,
your order to will generally want to see some kind of document or repository
where you have to find your information assets.
These can also be valuable processes
the information assets.
We'll also generally be associated with different types of supporting acids,
where the information is stored, how it is transported and so forth.
It is always easier to define values for tangible assets, as these have defined replacement costs.
But your information assets are often a lot harder in that regard.
Your information acid list is yours.
Document the information that you feel is pertinent to have on
on the list and ensure that this is appropriately classified and protected within your organization.
As this can can become quite a sensitive piece of information, especially if you are listening where assets are stored and what their associated containers are.
the point of this all is just to ensure that you understand the assets you are trying to protect. A swell is the value there are and feed this into your risk management process
and be sure that you can somehow and demonstrates and prove this to your auditor
We covered why the identification of assets is important for the ice. Um, it's as well as your risk management processes.
We covered Essen valuation
as an impact. Determination
as evaluation can be both qualitative
Well, impact can be direct or indirect.
We also covered what to document regarding your assets.