Access and availability refers to how and when the asset needs to be available. Some assets need to be available 24 hours a day, 7 days a week. Other assets need to be available only Monday through Friday during business hours. The more available the asset needs to be, the greater are the risks related to outages.

For example, a web server is used to sell products over the Internet. Customers may access the website at any time, but, if the website is not operational when the customer tries to access it, the company loses a sale. Moreover, a customer may have been lost.

With this in mind, the risk assessment needs to consider the risks associated with this website going down at any given time, which includes how to perform maintenance on the system without taking the website down. Maintenance includes performing backups of the data and keeping the system up to date.

The web server may be one of many servers in a web farm, or it may be one of several web servers in a failover cluster. Both configurations allow a single server to go down while the website continues to function, but, if a single server is run, an outage can be catastrophic.

On the other hand, a system could have a file server that is used only internally by employees when they are at work between 8:00 a.m. and 5:00 p.m., Monday through Friday. This schedule allows extensive time for performing backups or other maintenance when employees are not at work.

The functions of a service-providing system should be considered when determining the asset’s value. Of particular importance is how the functions are performed, manually or through automation.

For example, the value of email in an organization is being evaluated. The email system could have several elements, including a spam filter. Studies report that as much as 90 percent of the email sent through the Internet is spam. Spam filters will eliminate some of this spam with a goal of not eliminating any valid emails.

A spam filter that filters out as much as 30 percent of the spam provides a significant reduction in unwanted email with a high assurance that valid email won’t be filtered. Figure 6-3 shows an email server with a spam appliance added to filter spam. In the figure, all email is routed from the Internet through the spam appliance. The appliance filters some of the spam and sends the rest of the email to the email server.

With this in mind, what is the value of the spam filter? It uses an automated process, so the value is simply the value of the appliance. If it breaks or malfunctions, it can be replaced.

However, some spam filters require much more interaction, such as dedicated technicians who are constantly viewing the filtered spam to ensure it doesn’t include any valid emails. These technicians could be adding valid email source addresses to whitelists and known spammers to blacklists.

When calculating the value of the manually managed spam appliance, the work done by the administrator also needs to be considered. The value of the asset may be higher if additional labor and expertise are needed to initially configure it as well as manage it.

Hardware assets are any assets that can be physically touched, which include computers, such as laptops, workstations, and servers. Hardware assets also include network devices, such as routers, switches, and firewalls.

A wide range of values exist among the devices. A simple desktop PC can cost less than $500. However, a high-end server can cost tens of thousands of dollars.

Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate; an operating system could be a Microsoft system, such as Windows 10 or Windows Server 2016, or it could be a UNIX or Macintosh system.

Applications allow tasks to be performed. For example, Microsoft Word is an application that allows documents to be created and edited. Similarly, Oracle is a server-level application used to manage databases.

Operating systems and applications can also have a wide range of costs. For example, the operating system and applications for a desktop PC can range in the hundreds of dollars. However, the operating system and applications for a server can easily range in the thousands of dollars.

Personnel assets need to be valued. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate. An organization can do specific things to retain valued personnel.

For example, organizations have different levels of benefit packages, which might include different types of insurance, such as health, dental, and life, or retirement plans, such as matching 401(k) contributions. Many organizations also take additional steps to increase the morale and working environment of their employees.

The steps taken to retain employees are often dependent on how much they are valued. When IT administrators have the high level of knowledge required to keep a network running in good order, they have a high value to the organization.

Data and information assets can have different levels of value depending on the data. Most organizations will take steps to identify the classification of data. For example, an organization could identify the following data classifications:

• Public data—Public data is freely available to anyone. It may be available via public sources, such as news releases or other publications, or via an organization’s website.
• Private data—Private data is internal data. It includes data on employees and customers. Because of its delicate nature, personal data should be protected for fear that the information may be abused, for example, for purposes of identity theft. It may also include data on internal processes.
• Proprietary data—Proprietary data is highly valuable data and deserves a high level of protection. If this data is lost, it could seriously affect the company’s profitability. For example, a company could spend millions of dollars on research and development whose goal is to create a product the company will sell. If a competitor gets this data, it could beat the originating company to market and sell the product itself, resulting in the research and development funds being lost.

Other items to consider when valuing assets are the facilities and supplies needed to run the business. This information is needed when calculating the company’s insurance needs.

Insurance is one of those items that a business always wants to have but never wants to use. It provides a layer of protection if the company suffers a loss. However, the loss is rarely painless. Even if the insurance company covers the loss, the process is difficult.

Some organizations may realize that one of their facilities is so important that it needs redundancy. In this case, redundancy is another site that can perform the same functions. The four types of alternate sites are:

• Hot site—A location that can take over the operations of another location within a short period of time. A hot site has all the hardware, software, and data needed to perform the critical functions of the original site and is the most expensive of the four types of alternate sites.
• Cold site—A building with electricity and running water but little else. Computers and data can be brought to this location to set up operations. A cold site is the least expensive of the four sites. However, it takes the longest time to set up and is the hardest to test.
• Warm site—A compromise between a hot site and a cold site. It may include all the hardware, but the data may not be up to date, and it may take as long as one or more days to implement.
• Mobile site—A compromise between a warm and a cold site. It has portable structures with necessary hardware and software. The temperature of a mobile site depends on how much infrastructure it has available for use; hence, it could almost function like a warm or cold site.

The type of alternate site chosen depends on the value of the primary location. The supplies that will be stored there need to be considered to ensure the alternate location can perform the same type of work. Of course, an alternate location may not be necessary at all.