
REQ.001 Identified Information Assets

This document contains the details of the security requirements related to a company's information assets. All the information assets must be properly identified in order to protect them from potential risks and allow for implementation of security controls.

Name

All the system's information assets must be identified.

Description

The organization must identify all of its information assets so that they can be classified, protected from potential risks, and covered by controls proportionate to their value.

Implementation

  1. It is recommended to set the scope for the asset identification activity; ideally this identification is carried out within the scope of an Information Security Management System (ISMS).

  2. When the organization does not have an ISMS, the scope of the activity can be set by first identifying the assets that belong to the organization's most important processes and then gradually broadening the scope to the remaining processes.

  3. The identification of assets may contain the following information:

    • Asset ID.

    • Asset name.

    • Asset description.

    • Asset group (if a grouping parameter has been defined, which is recommended).

    • Name of the process it belongs to.

    • Severity of the process it belongs to.

    • Owner: the person in charge of the asset (REQ.004).

    • Asset classification in terms of confidentiality, availability and integrity.

    • Asset value according to its classification (REQ. 005).

  4. It is recommended that the asset identification be done by the person responsible for each process of the organization, which allows for a proper classification of the asset, as shown in the following diagram:

Diagram 1

Solutions

  • Consulting - Define the Information Asset Inventory.

  • Consulting - Defining the Information Asset Granularity.

  • Consulting - Establishing the Owner of an Information Asset.

  • Consulting - Answering the Information Asset Inventory Questionnaire.

  • ISO 27005 - Risk Management for ISMS with ISO 27005.

  • ISO 27003 - ISO 27003 Guide.

Abuse Cases

An anonymous person or an employee performs actions that threaten the security of one of the organization's information assets. Because the impact on that asset is unknown, the incident cannot be expressed in terms of value or cost; as a consequence, its resolution may come late or cause a greater impact to the organization.

Attributes

  1. Layer: Resource Layer

  2. Asset: Information Assets

  3. Scope: Adherence

  4. Phase: Analysis

  5. Type of Control: Procedure
