About Cyber Security

Digital Assets

Digital Assets

Digital assets fall into a number of groups, the common thing being that they are essential to the ongoing operation of the business. All digital assets have value to the business, and these may be directly financial or can be quantified in terms of the value of the service they provide.

Digital assets are used during the review stages and during the risk analysis. The value asset directly drives the outcome of the assessment and helps prioritize a risk mitigation or management program. So in going through the review, one of the ways to determine the priority of risk management is based on the business impact value.

Asset groups and classes, can all be grouped into common functional areas, such as human assets, computing assets, and infrastructure assets. These can be further defined as asset classes. That is the function of the asset within the group. This may include common human asset classes such as executives, operational staff or administrative staff, and these can further be divided into divisional subclasses.

All assets are assigned attributes, functions, knowledge, capability, and impact of failure. These are not intended to dictate how the business is structured but provide the risk manager with a common reference point for undertaking impact analysis reviews. And the risk manager may choose to assign asset classes to security domains to assist in the analysis process.

Asset management, as mentioned before, is a foundation principle in any risk management program. Only by identifying the digital assets, knowing the purpose of supporting the business, and understanding the consequences of failure can the risk assessment be truly effective. And knowing the dependency between assets ensures that the infrastructure can be properly defined and understood.

And how are asset classes and domains defined? As we outlined previously, knowing infrastructure is an essential first step in understanding and managing risk. Assets fall into a number of groups, the common thing being that they are essential to the ongoing operation of the business.

All digital assets have value to the business, and these may be directly financial or can be quantified in terms of the value of the service they provide. When defining assets, they will be assigned to asset classes. That is they are grouped together as common functions or capabilities. And in the cyber case, for example, applications, databases, and people that are supporting those systems, and within each of these asset classes, there can be digital assets subclasses.

Each of these has definable attributes that enable their status to be maintained. That is the building level, value, ownership, location, et cetera. When developing the risk framework, the digital assets can be separated into security domains, which can then align into common operational areas or business units.

There is likely to be an overlap. But this can be captured in the attributes as multiple stakeholders. And digital assets are very important during the risk analysis stage. The value of the asset directly drives the outcome of the assessment and helps prioritize the risk mitigation or management program.

So in going through the review, one of the ways to determine the priority for risk management is based on the business impact value. The importance of being able to understand digital assets in the security industry is essential. As mentioned before, without a good understanding of how the infrastructure is built and what is important, the ability to determine impact and then prioritize remediation is difficult. When you take this in concert with the business continuity program, it also determines which digital assets are recovered first. And how long it will take to recover them drives the value of the asset as well.

Using asset values also helps enable the program budget to be set. For example, if it will cost more to remediate a potential threat or exposure, then the likely impact would be that this risk should be placed on the do nothing but monitor risk list. For others, this is simply a return on investment exercise. That is, which risk management activity will deliver the best return or impact reduction?

 

Asset Value

Understanding the asset’s worth in the context of an organization’s operational model is critical first step in risk quantification. 
Determine the asset:
  • Capital value is the current worth minus depreciation.
  • If it fails or no longer serves its purpose, the replacement value is calculated.
  • Status: where does it fit within the organisation, and is it up to date?
  • Who owns the item, who is accountable/responsible for it, and what is the continuous cost of ownership?
  • Impact of loss: What is the impact of asset loss, failure, or compromise?
As indicated, the asset’s worth is measured in variety of methods. These should be assigned value in order to calculate the overall impact value. For those that can be measured in terms of capital and depreciation, this is quite simple. 
Other values, on the other hand, are more difficult to define. That is, putting monetary value on the loss of business if consumers or stakeholders are unable to access services for an extended period of time. This includes complete loss of market share. This could potentially happen as result of data theft.

​Asset Classes

Rolling up assets into more manageable constructions greatly simplifies the initial pass of identifying important risk areas. As an example: ​

  • financial systems and their supporting infrastructure
  • HR systems and related infrastructure
  • IT and related infrastructure
  • source code systems
  • corporate systems
  • physical assets that support any class, including buildings and data centres
  • key people

 

Keeping assets in easily recognised groups allows for a comparison of all assets, finding those with the greatest or most immediate business impact. The categories depicted above are common examples of asset grouping. ​By categorising assets into common asset categories or classes, the total risk assessment process can begin more rapidly by avoiding the problem of having too much detail. The assets can be classified into classes with predefined values.

en English
af Afrikaanssq Shqipam አማርኛar العربيةhy Հայերենaz Azərbaycan dilieu Euskarabe Беларуская моваbn বাংলাbs Bosanskibg Българскиca Catalàceb Cebuanony Chichewazh-CN 简体中文zh-TW 繁體中文co Corsuhr Hrvatskics Čeština‎da Dansknl Nederlandsen Englisheo Esperantoet Eestitl Filipinofi Suomifr Françaisfy Fryskgl Galegoka ქართულიde Deutschel Ελληνικάgu ગુજરાતીht Kreyol ayisyenha Harshen Hausahaw Ōlelo Hawaiʻiiw עִבְרִיתhi हिन्दीhmn Hmonghu Magyaris Íslenskaig Igboid Bahasa Indonesiaga Gaeilgeit Italianoja 日本語jw Basa Jawakn ಕನ್ನಡkk Қазақ тіліkm ភាសាខ្មែរko 한국어ku كوردی‎ky Кыргызчаlo ພາສາລາວla Latinlv Latviešu valodalt Lietuvių kalbalb Lëtzebuergeschmk Македонски јазикmg Malagasyms Bahasa Melayuml മലയാളംmt Maltesemi Te Reo Māorimr मराठीmn Монголmy ဗမာစာne नेपालीno Norsk bokmålps پښتوfa فارسیpl Polskipt Portuguêspa ਪੰਜਾਬੀro Românăru Русскийsm Samoangd Gàidhligsr Српски језикst Sesothosn Shonasd سنڌيsi සිංහලsk Slovenčinasl Slovenščinaso Afsoomaalies Españolsu Basa Sundasw Kiswahilisv Svenskatg Тоҷикӣta தமிழ்te తెలుగుth ไทยtr Türkçeuk Українськаur اردوuz O‘zbekchavi Tiếng Việtcy Cymraegxh isiXhosayi יידישyo Yorùbázu Zulu