Last time we talked about the benefits of an ISMS. The cornerstones of an ISMS are knowing what your assets are and then conducting Risk Management processes based on the value of those assets versus the value of the control against a likelihood and consequence matrix.

Firstly, what do we mean by some of these things? “Information Asset” is bandied around pretty loosely and could mean a lot of different things because it is a subjective term. For the purposes of this article, and for most of the work we do, here is how we move the terms from subjective to objective:

An asset is anything that has value, including:
Information is meaningful data, the structure of which is unimportant.

The Elephant Problem
Divide and Conquer

One of the hardest things to get started on is managing risk where assets are poorly defined. Quite often people start with an individual device-based database and work from the ground up. Applying a risk assessment to every single network device, server, endpoint, door, etc. gets kind of silly and almost always fails. If you had a handful of things to assess initially, wouldn’t that be easier?

The Asset Class

The idea of an asset class is to roll up groups of platforms, systems and infrastructure into more manageable constructs. Fewer than 10 for a first pass is ideal. The classes will depend on your organisation, your structure and your appetite for Risk Management. Initial candidates for Asset Classes are:
While we still use spreadsheets or proprietary GRC tools to carry out our risk component, managing complexity allows us to:
**Footnote, no elephants were harmed in the production of this article, it’s a metaphor, we like elephants, please don’t flame us on it.
What are the physical asset risks?

[10] have classified the asset management risks in six categories including physical failure, operational failure, risks associated with natural environmental events, risks associated with factors outside of the organization's control, stakeholder related risks and asset life-cycle phases.
What is asset in risk management?

Asset Risk — the measure of an asset's default potential or market value fluctuation. For example, assume a firm's investment portfolio includes grain futures purchased on the Chicago Board of Trade (CBOT).