“Too many guys think I’m a concept, or I complete them, or I’m gonna make them alive. But I’m just a fucked-up girl who’s lookin’ for my own peace of mind; don’t assign me yours.” -Eternal Sunshine of the Spotless Mind (2004)
Hah! Great movie. Sorry, but it's so perfect for the theme of today's article.
Peace of mind, as it were. As an IT security engineer or CISO, when was the last time you had peace of mind? No, not a "piece" of mind, sicko! "Peace" of mind. Especially as it relates to your company's asset register. Do you even have one? Over the last 12 months of ISMS Program Development engagements, I can probably count on one hand the companies that had an asset management system, let alone an asset register for their ISMS.
You know, that “thingy” that looks like a spreadsheet and contains the asset, asset owner, asset value, risk owner, etc? Riiiight, yeh, don’t pretend you know what I’m talking about, you know you don’t have one. Otherwise, you probably wouldn’t be reading this.
But that’s okay. We’re going to create one together, right now. What? Yes, I said it! It had to be said </Shameless Chris Rock Impersonation>
Okay, so you have an ISO 27001 ISMS? Great, this fits perfectly into your framework. In fact, you can't perform a risk assessment without one (the operative word in asset-based risk assessment is, you guessed it! ASSET). Every risk you record has to be tied to an asset someone owns, so the register comes first.
First let’s define what an asset register is and what it’s supposed to contain.
- Asset Class Number: Assign unique identifiers/numbers to each asset class.
- Asset Type: This denotes the type of asset it is, such as physical/infrastructure assets, software, information, services, and yes, people. Even people are assets.
- Asset Class: For a much easier approach to the risk assessment, group assets into classes, so risks can be measured against classes of assets rather than individual assets. Asset class examples include desktops/workstations, servers, servers in scope for PCI, restricted/sensitive file shares, VOIP phones, restricted printers, etc.
- Information Assets: Information asset defines specifically what kind of information is processed, transmitted, or stored by the asset, e.g. Customer PII, PCI data, etc
- Asset Owner: Define the department/company function that owns the asset and is responsible for risk associated with the asset. This is also sometimes referred to as the Risk Owner or Business Owner.
- Asset Custodian: This is the individual responsible for maintaining, monitoring, managing the asset. This would typically be a network or system administrator.
- Location: The physical location of the asset. E.g. San Jose Datacenter
- Function/Business Process: Describe the business process or function the asset supports, e.g. information processing facility.
- Data Type/Classification: The company’s established information classification policy should be used here to classify the information transmitted, processed, or stored by the asset. This will help drive the risk assessment later.
One final word on asset valuation. Asset valuation, based on business needs, is a major factor in performing your risk assessment. In order to identify the appropriate protection for assets, it is necessary to assess their value in terms of their importance to the business or their potential value given certain opportunities. The input for the valuation of assets should be provided by the owners and custodians of the assets; specifically, those who can speak authoritatively about the importance of the asset and its data to the business. Do not try to value the assets and information yourself. This is where you as security engineers need to crawl outside your box, meet other people in the organization, and ask the asset owners how they would value their assets. A register where the security team filled in the values is a register nobody else will stand behind when the risk treatment plan needs budget.
The layout of your final asset register should look something similar to this:
Based on Brier & Thorn's methodology, we assign values to assets based on the impact that a loss of confidentiality (C), integrity (I) and availability (A) would have on the business, measured against the following asset valuation parameters:
- Loss of Reputation — B2B (Customer) & B2C (Consumer)
- Organization scope — No. of functions/departments affected
- Litigation/contractual liability
- Mitigation / Recovery period
- Operating income loss or monetary loss to Total Assets
In order to assess asset values consistently and relate them to one another, a value scale for assets is applied. The loss of confidentiality (C), integrity (I) and availability (A) parameters for information assets are rated as follows. We'll discuss valuations further, as well as other components of the assessment process, in our next article on performing an asset-based risk assessment.
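To make the register fields above and the C/I/A valuation concrete, here is a small Python asset register. This is an added example, not code from the original article and not Brier & Thorn's own tooling. It assumes a 1 to 5 impact rating scale, the rule that an asset's value is the highest impact recorded across C, I and A, and placeholder classification labels ("Public", "Internal", "Confidential", "Restricted"); none of those are specified in the article, so substitute your own scale and your own classification policy. The sample assets are constructed. The point of the `validate` step is the one the article makes: a row with no owner, no policy classification, or ratings that did not come from the owner or custodian is not a usable register entry.

```python
from dataclasses import dataclass, field

# The five valuation parameters from the article. The 1-5 scale is an assumption.
VALUATION_PARAMETERS = (
    "reputation",   # loss of reputation, B2B and B2C
    "org_scope",    # number of functions/departments affected
    "liability",    # litigation / contractual liability
    "recovery",     # mitigation / recovery period
    "monetary",     # operating income loss or monetary loss
)
DIMENSIONS = ("C", "I", "A")
MIN_RATING, MAX_RATING = 1, 5
# Placeholder labels; use the ones from your own information classification policy.
CLASSIFICATIONS = ("Public", "Internal", "Confidential", "Restricted")


@dataclass
class Asset:
    """One row of the register, with the fields listed in the article."""
    class_number: str
    asset_type: str
    asset_class: str
    information_assets: list
    owner: str              # department/function accountable for the risk
    custodian: str          # person/team that maintains the asset
    location: str
    business_process: str
    classification: str
    impact: dict = field(default_factory=dict)  # {"C": {param: rating}, "I": ..., "A": ...}
    rated_by: str = ""                           # who supplied the ratings


def validate(asset):
    """Return the list of problems with a row; an empty list means it is usable."""
    problems = []
    for name in ("class_number", "asset_type", "asset_class", "owner", "custodian", "location"):
        if not getattr(asset, name):
            problems.append(f"{asset.class_number or '?'}: missing {name}")
    if asset.classification not in CLASSIFICATIONS:
        problems.append(f"{asset.class_number}: classification {asset.classification!r} is not a policy label")
    if not asset.impact:
        problems.append(f"{asset.class_number}: no impact ratings; get them from the owner")
        return problems
    if asset.rated_by not in (asset.owner, asset.custodian):
        problems.append(f"{asset.class_number}: ratings supplied by {asset.rated_by!r}, not the owner or custodian")
    for dim in DIMENSIONS:
        for param in VALUATION_PARAMETERS:
            rating = asset.impact.get(dim, {}).get(param)
            if rating is None or not MIN_RATING <= rating <= MAX_RATING:
                problems.append(f"{asset.class_number}: {dim}/{param} rating missing or outside {MIN_RATING}-{MAX_RATING}")
    return problems


def cia_values(asset):
    """Per-dimension value is the worst impact across the five parameters (assumed rule)."""
    return {dim: max(asset.impact[dim][p] for p in VALUATION_PARAMETERS) for dim in DIMENSIONS}


def asset_value(asset):
    """Asset value is the highest of the C, I and A values (assumed rule)."""
    return max(cia_values(asset).values())


def build_register(assets):
    """Split assets into (valued rows sorted highest value first, list of problems)."""
    rows, problems = [], []
    for a in assets:
        issues = validate(a)
        if issues:
            problems.extend(issues)
            continue
        rows.append({"class_number": a.class_number, "asset_class": a.asset_class,
                     "owner": a.owner, "classification": a.classification,
                     **cia_values(a), "value": asset_value(a)})
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows, problems


def ratings(c, i, a):
    """Build impact ratings with one rating per dimension (constructed sample data helper)."""
    return {"C": dict.fromkeys(VALUATION_PARAMETERS, c),
            "I": dict.fromkeys(VALUATION_PARAMETERS, i),
            "A": dict.fromkeys(VALUATION_PARAMETERS, a)}


# Constructed sample register: two usable rows and one that should be bounced back.
PCI_IMPACT = ratings(4, 4, 3)
PCI_IMPACT["C"]["liability"] = 5   # contractual liability pushes C to the top of the scale
SAMPLE_ASSETS = [
    Asset("AC-001", "Physical/Infrastructure", "Servers in scope for PCI", ["PCI data"],
          "Payments", "Sysadmin team", "San Jose Datacenter", "Card processing",
          "Restricted", PCI_IMPACT, rated_by="Payments"),
    Asset("AC-002", "Physical/Infrastructure", "Desktops/workstations", ["Customer PII"],
          "IT", "Desktop support", "HQ", "General office work",
          "Confidential", ratings(3, 2, 2), rated_by="IT"),
    # Problem row: never classified, and the security engineer rated it herself.
    Asset("AC-003", "Physical/Infrastructure", "VOIP phones", [],
          "Facilities", "Network admin", "HQ", "Voice",
          "", ratings(2, 2, 3), rated_by="Security engineering"),
]

if __name__ == "__main__":
    rows, problems = build_register(SAMPLE_ASSETS)
    for row in rows:
        print(row)
    for problem in problems:
        print("PROBLEM:", problem)
```

Running it prints AC-001 first with C=5, I=4, A=3 and an overall value of 5, AC-002 with a value of 3, and two problems for AC-003 (no policy classification, ratings not supplied by the owner or custodian). Taking the maximum rather than the sum across parameters is a design choice: one catastrophic parameter (a breach-of-contract clause, say) should not be averaged away by four benign ones.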
You’re probably thinking to yourself, WOW Alissa, that was easy! Let’s do it again! Sure, here we go again.. “Too many guys think I’m a concept, or I complete them, or I’m gonna make them alive. But I’m just a….”
Just kidding! Weirdo! I’m not doing it again, just re-read it lazybones!
Originally published at www.alissaknight.com on June 29, 2016.