Digital assets fall into a number of groups; what they have in common is that they are essential to the ongoing operation of the business. All digital assets have value to the business, and this value may be directly financial or can be quantified in terms of the value of the service they provide.
Digital assets are used during the review stages and during the risk analysis. The value of the asset directly drives the outcome of the assessment and helps prioritize a risk mitigation or management program. So in going through the review, one of the ways to determine the priority of risk management is based on the business impact value.
Asset groups and classes can all be grouped into common functional areas, such as human assets, computing assets, and infrastructure assets. These can be further defined as asset classes, that is, by the function of the asset within the group. This may include common human asset classes such as executives, operational staff or administrative staff, and these can further be divided into divisional subclasses.
All assets are assigned attributes, functions, knowledge, capability, and impact of failure. These are not intended to dictate how the business is structured but provide the risk manager with a common reference point for undertaking impact analysis reviews. And the risk manager may choose to assign asset classes to security domains to assist in the analysis process.
Asset management, as mentioned before, is a foundation principle in any risk management program. Only by identifying the digital assets, knowing their purpose in supporting the business, and understanding the consequences of failure can the risk assessment be truly effective. And knowing the dependencies between assets ensures that the infrastructure can be properly defined and understood.
And how are asset classes and domains defined? As we outlined previously, knowing the infrastructure is an essential first step in understanding and managing risk. Assets fall into a number of groups; what they have in common is that they are essential to the ongoing operation of the business.
All digital assets have value to the business, and this value may be directly financial or can be quantified in terms of the value of the service they provide. When defining assets, they will be assigned to asset classes. That is, they are grouped together by common functions or capabilities. In the cyber case, for example, the classes might be applications, databases, and the people who support those systems, and within each of these asset classes there can be digital asset subclasses.
Each of these has definable attributes that enable their status to be maintained: the building level, value, ownership, location, et cetera. When developing the risk framework, the digital assets can be separated into security domains, which can then align with common operational areas or business units.
There is likely to be an overlap. But this can be captured in the attributes as multiple stakeholders. And digital assets are very important during the risk analysis stage. The value of the asset directly drives the outcome of the assessment and helps prioritize the risk mitigation or management program.
So in going through the review, one of the ways to determine the priority for risk management is based on the business impact value. Understanding digital assets is essential in the security industry. As mentioned before, without a good understanding of how the infrastructure is built and what is important, it is difficult to determine impact and then prioritize remediation. When you take this in concert with the business continuity program, it also determines which digital assets are recovered first. And how long it will take to recover them drives the value of the asset as well.
Using asset values also helps enable the program budget to be set. For example, if it will cost more to remediate a potential threat or exposure than the exposure is worth, then the likely outcome is that this risk should be placed on the "do nothing but monitor" risk list. For others, this is simply a return on investment exercise. That is, which risk management activity will deliver the best return or impact reduction?
- Capital value: the current worth minus depreciation.
- Replacement value: what it would cost to replace the asset if it fails or no longer serves its purpose.
- Status: where it fits within the organisation, and whether it is up to date.
- Ownership: who owns the item, who is accountable/responsible for it, and what the continuous cost of ownership is.
- Impact of loss: what the impact of asset loss, failure, or compromise would be.
Rolling up assets into more manageable constructions greatly simplifies the initial pass of identifying important risk areas. As an example:
- financial systems and their supporting infrastructure
- HR systems and related infrastructure
- IT and related infrastructure
- source code systems
- corporate systems
- physical assets that support any class, including buildings and data centres
- key people
Keeping assets in easily recognised groups allows for a comparison of all assets, finding those with the greatest or most immediate business impact. The categories listed above are common examples of asset grouping. By categorising assets into common asset categories or classes, the total risk assessment process can begin more rapidly by avoiding the problem of having too much detail. The assets can then be classified into classes with predefined values.
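The following is an added example, not part of the course text, that puts the pieces above into working code: an asset register carrying the attributes listed earlier (capital value, replacement value, ownership, impact of loss) plus recovery time and dependencies, a roll-up of individual scores into the coarse groups just listed, and the "do nothing but monitor" versus return-on-investment decision for remediation spend. The register contents, the business impact scoring formula and the prioritisation rule are all constructed assumptions for illustration; the text does not prescribe any particular formula.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_class: str        # function within its group: application, database, people, facility
    group: str              # roll-up group used in the first-pass review
    owner: str              # accountable owner
    capital_value: float    # current worth minus depreciation
    replacement_value: float
    impact_of_loss: int     # 1 (negligible) .. 5 (severe): impact of loss, failure or compromise
    recovery_hours: float   # time to recover, from the continuity plan
    depends_on: list = field(default_factory=list)


@dataclass
class Risk:
    asset: str
    description: str
    expected_loss: float    # reviewer's estimate of the loss if the exposure is realised
    remediation_cost: float


# Constructed sample register; names and figures are illustrative only.
REGISTER = {a.name: a for a in [
    Asset("dc-1", "facility", "physical assets", "facilities", 900_000, 1_200_000, 5, 72),
    Asset("finance-db", "database", "financial systems", "finance IT", 40_000, 60_000, 5, 12, ["dc-1", "dba-lead"]),
    Asset("payroll-app", "application", "financial systems", "finance IT", 25_000, 50_000, 4, 8, ["finance-db", "dc-1"]),
    Asset("hr-portal", "application", "HR systems", "HR", 15_000, 30_000, 3, 24, ["dc-1"]),
    Asset("dba-lead", "people", "key people", "finance IT", 0, 150_000, 3, 0),
]}

# Constructed sample risks raised during a review.
RISKS = [
    Risk("finance-db", "unpatched database server", 250_000, 20_000),
    Risk("hr-portal", "legacy single sign-on", 40_000, 60_000),
    Risk("dc-1", "single power feed", 500_000, 400_000),
    Risk("payroll-app", "no MFA on admin console", 80_000, 10_000),
]


def dependents_of(name, register):
    """Every asset that stops working, directly or transitively, when `name` fails."""
    found = set()
    stack = [name]
    while stack:
        current = stack.pop()
        for other in register.values():
            if current in other.depends_on and other.name not in found:
                found.add(other.name)
                stack.append(other.name)
    return found


def business_impact_value(name, register):
    """Assumed scoring, not a standard: the asset's own impact rating scaled by its
    recovery time, plus the impact rating of everything that goes down with it."""
    asset = register[name]
    own = asset.impact_of_loss * (1 + asset.recovery_hours / 24)
    cascade = sum(register[d].impact_of_loss for d in dependents_of(name, register))
    return round(own + cascade, 2)


def rollup_by_group(register):
    """Roll individual scores up into the coarse groups used for the first pass,
    highest-impact group first."""
    totals = {}
    for asset in register.values():
        totals[asset.group] = totals.get(asset.group, 0.0) + business_impact_value(asset.name, register)
    return {g: round(v, 2) for g, v in sorted(totals.items(), key=lambda kv: kv[1], reverse=True)}


def prioritise(risks, register):
    """Assumed decision rule: a risk whose remediation costs more than the expected
    loss goes to the 'do nothing but monitor' list; the rest are ranked by return
    on the remediation spend, with business impact value as the tie-breaker."""
    remediate, monitor = [], []
    for r in risks:
        biv = business_impact_value(r.asset, register)
        if r.remediation_cost > r.expected_loss:
            monitor.append((r.asset, r.description, biv))
            continue
        roi = round((r.expected_loss - r.remediation_cost) / r.remediation_cost, 2)
        remediate.append((r.asset, r.description, roi, biv))
    remediate.sort(key=lambda t: (t[2], t[3]), reverse=True)
    return remediate, monitor


if __name__ == "__main__":
    for group, score in rollup_by_group(REGISTER).items():
        print(f"{group:18} {score:6.2f}")
    todo, watch = prioritise(RISKS, REGISTER)
    print("remediate:", todo)
    print("monitor:", watch)
```

Note how the dependency walk changes the picture: the data centre and the lone DBA score far above their own impact ratings because the financial systems go down with them, which is the point the text makes about knowing dependencies before ranking anything. The monitor list is not "ignore"; those items still carry a business impact value and should be revisited when the cost or the exposure estimate changes.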