Identifying Assets and Activities Within Risk Assessment Boundaries

Asset valuation is the process of determining the fair market value of an asset, and it is one of the first priorities of risk management. The asset value can be determined from the replacement value of the asset, from what the asset provides to the organization, or from the cost to recover the asset. The value can also be determined using a combination of these values.

After the value of the assets has been determined, then their importance can be prioritized. If an asset is worth $1,000, it may require one level of protection. If another asset is worth $1 million, that asset may require another level of protection.

NOTE

This section introduced assets and activities related to risk assessment.

Only the assets that are within the boundary of the risk assessment should be evaluated. Scope creep occurs when assets outside the scope of the risk assessment are evaluated, a process that results in wasted time and resources.

The value of an asset can be viewed from different perspectives:

  • Replacement value—The replacement value is the cost to purchase a new asset to replace an existing asset. For example, if a laptop fails or is stolen, the price to purchase a new laptop with similar hardware and software may be $1,500.
  • Recovery value—The recovery value is the cost to get the asset operational after a failure. For example, if the hard drive on a server fails, the entire server wouldn’t be replaced. Instead, just the hard drive would be replaced, and steps would be taken to recover the system, which may require reinstalling the operating system and restoring data from a backup. The time needed to perform the repair would also need to be considered: if a repair requires two hours, the system is not available for two hours. If that system is a web server generating $10,000 an hour in revenue, the two-hour outage adds $20,000 to the recovery value.

Several elements need to be considered when determining the value of any asset. These include:

  • System access and availability
  • System functions
  • Hardware and software assets
  • Personnel assets
  • Data and information assets
  • Facilities and supplies

System Access and Availability

Access and availability refers to how and when the asset needs to be available. Some assets need to be available 24 hours a day, 7 days a week. Other assets need to be available only Monday through Friday during business hours. The more available the asset needs to be, the greater are the risks related to outages.

For example, a web server is used to sell products over the Internet. Customers may access the website at any time, but, if the website is not operational when the customer tries to access it, the company loses a sale. Moreover, a customer may have been lost.

With this in mind, the risk assessment needs to consider the risks associated with this website going down at any given time, which includes how to perform maintenance on the system without taking the website down. Maintenance includes performing backups of the data and keeping the system up to date.

The web server may be one of many servers in a web farm, or it may be one of several web servers in a failover cluster. Both configurations allow a single server to go down while the website continues to function, but, if a single server is run, an outage can be catastrophic.

On the other hand, an organization could have a file server that is used only internally by employees when they are at work between 8:00 a.m. and 5:00 p.m., Monday through Friday. This schedule allows extensive time for performing backups or other maintenance when employees are not at work.
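The recovery-value calculation from the bulleted list above (parts plus repair time plus revenue lost during the outage) and the point of this section (revenue is only lost during the hours the asset must be available) can be put together in a short script. This is an added example, not from the textbook; the asset figures, the hourly labor rate, the business-hours window of Mon–Fri 08:00–17:00, and the rule of ranking assets by the larger of replacement and recovery value are all assumptions chosen for illustration.

```python
"""Recovery value of an asset, counting revenue lost only while the asset is needed.

Added example (not from the textbook). Assumptions, all constructed for
illustration: a flat technician labor rate, business hours of Mon-Fri
08:00-17:00 for assets that are not 24x7, and a priority rule that takes
the larger of replacement value and recovery value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    replacement_value: float   # cost to buy a new, equivalent asset
    repair_parts: float        # e.g. a replacement hard drive
    repair_hours: float        # technician time to rebuild and restore
    revenue_per_hour: float    # revenue (or productivity) the asset yields when up
    always_on: bool            # True = needed 24x7, False = business hours only


def business_hours_overlap(start: datetime, hours: float) -> float:
    """Hours of the outage [start, start + hours) that fall inside Mon-Fri 08:00-17:00."""
    end = start + timedelta(hours=hours)
    overlap = 0.0
    t = start
    while t < end:
        # Step to the top of the next clock hour, clipped to the end of the outage.
        # Each step lies within a single clock hour, so checking t.hour is enough.
        next_hour = t.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
        step_end = min(next_hour, end)
        if t.weekday() < 5 and 8 <= t.hour < 17:
            overlap += (step_end - t).total_seconds() / 3600
        t = step_end
    return overlap


def recovery_value(asset: Asset, outage_start: datetime, labor_rate: float = 75.0) -> float:
    """Parts + labor + revenue lost for the hours the asset was needed but down."""
    down_hours = asset.repair_hours
    if asset.always_on:
        needed_hours = down_hours
    else:
        needed_hours = business_hours_overlap(outage_start, down_hours)
    return asset.repair_parts + down_hours * labor_rate + needed_hours * asset.revenue_per_hour


def prioritize(assets, outage_start: datetime, labor_rate: float = 75.0):
    """Rank assets by max(replacement value, recovery value), highest first (assumed rule)."""
    scored = [(a.name, max(a.replacement_value, recovery_value(a, outage_start, labor_rate)))
              for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets: a 24x7 web server and a business-hours file server.
WEB_SERVER = Asset("web server", 8000.0, 200.0, 2.0, 10000.0, True)
FILE_SERVER = Asset("file server", 4000.0, 200.0, 2.0, 500.0, False)

if __name__ == "__main__":
    saturday = datetime(2024, 6, 1, 10, 0)   # outside business hours
    tuesday = datetime(2024, 6, 4, 16, 0)    # one hour before close of business
    for when in (saturday, tuesday):
        print(when.strftime("%a %H:%M"), prioritize([FILE_SERVER, WEB_SERVER], when))
```

The same two-hour drive failure costs the file server only parts and labor on a Saturday, but adds an hour of lost productivity on a Tuesday afternoon, while the web server loses two full hours of revenue whenever it happens; that difference is what the availability requirement contributes to the asset's value.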

System Functions

The functions of a service-providing system should be considered when determining the asset’s value. Of particular importance is how the functions are performed, manually or through automation.

For example, suppose the value of email in an organization is being evaluated. The email system could have several elements, including a spam filter. Studies report that as much as 90 percent of the email sent through the Internet is spam. Spam filters will eliminate some of this spam with a goal of not eliminating any valid emails.

A spam filter that filters out as much as 30 percent of the spam provides a significant reduction in unwanted email with a high assurance that valid email won’t be filtered. Figure 6-3 shows an email server with a spam appliance added to filter spam. In the figure, all email is routed from the Internet through the spam appliance. The appliance filters some of the spam and sends the rest of the email to the email server.


FIGURE 6-3 Email server with a spam appliance.

With this in mind, what is the value of the spam filter? It uses an automated process, so the value is simply the value of the appliance. If it breaks or malfunctions, it can be replaced.

However, some spam filters require much more interaction, such as dedicated technicians who are constantly viewing the filtered spam to ensure it doesn’t include any valid emails. These technicians could be adding valid email source addresses to whitelists and known spammers to blacklists.

NOTE

An email whitelist is a list of approved email addresses or domains. For example, [email protected] could be added to the whitelist to ensure any email from this address is never marked as spam. The xyz.edu domain could also be added to ensure email from anyone in that domain is not marked as spam. Addresses added to a blacklist are automatically marked as spam.
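The lookup the note describes, as an added example that is not part of the textbook: the sender address is checked against a whitelist and a blacklist that may each hold full addresses or bare domains. The list contents are constructed, and two design points are assumptions rather than anything the text states: a domain entry matches only the exact domain (so an approved xyz.edu entry does not also approve a lookalike such as notxyz.edu or a subdomain), and the whitelist takes precedence over the blacklist.

```python
"""Whitelist / blacklist decision for an inbound sender address.

Added example, not from the textbook. Entries are either full addresses
("user@example.edu") or bare domains ("example.edu"). Assumptions: domain
entries match the whole domain only, comparison is case-insensitive, and
the whitelist wins over the blacklist.
"""

# Constructed sample lists (not from the page).
WHITELIST = {"registrar@xyz.edu", "xyz.edu"}
BLACKLIST = {"offers@bulk-mailer.example", "bulk-mailer.example"}


def _normalize(address: str) -> str:
    """Lower-case and trim the address; reject anything that is not user@domain."""
    addr = address.strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"malformed sender address: {address!r}")
    return addr


def _matches(addr: str, entries) -> bool:
    """True if the full address or its exact domain appears in the list."""
    domain = addr.rsplit("@", 1)[1]
    normalized = {e.strip().lower() for e in entries}
    # Exact membership only: "notxyz.edu" or "xyz.edu.attacker.example"
    # must not match an entry for "xyz.edu".
    return addr in normalized or domain in normalized


def classify_sender(address: str, whitelist=WHITELIST, blacklist=BLACKLIST) -> str:
    """Return 'allow' (never marked spam), 'block' (always spam) or 'scan'.

    Anything on neither list is handed to normal spam scoring ('scan').
    """
    addr = _normalize(address)
    if _matches(addr, whitelist):
        return "allow"
    if _matches(addr, blacklist):
        return "block"
    return "scan"


if __name__ == "__main__":
    for sender in ("Registrar@XYZ.edu", "anyone@xyz.edu", "anyone@notxyz.edu",
                   "someone@bulk-mailer.example", "someone@example.com"):
        print(f"{sender:32} -> {classify_sender(sender)}")
```

The exact-domain comparison is the part worth copying: a suffix or substring match on "xyz.edu" would let any domain ending in those characters inherit the whitelist's trust.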

IT Appliances

Many IT appliances exist to help make IT jobs a little easier. Technicians don’t have to know how an appliance works; they just need to plug it in.

As a comparison, a toaster can be operated without knowing the technical details of how the toaster works. Bread goes in and hot toast pops out. Of course, even a toaster has some knobs and controls and does require user interaction.

A spam appliance works similarly. It is connected to a power source, the input is connected to receive external email, and the output sends the email to a server. It automatically filters out some of the spam. Administrators can still interact with the spam filter; they may want to view the filtered spam or adjust the sensitivity of the spam filter. Many spam filters also allow addresses to be added to lists so that email from those addresses is always blocked or always allowed.

A firewall appliance is another example. It needs little configuration after it has been plugged in. Administrators can still tweak it here and there for special needs; however, it will do most of what is needed right out of the box.

When calculating the value of the manually managed spam appliance, the work done by the administrator also needs to be considered. The value of the asset may be higher if additional labor and expertise are needed to initially configure it as well as manage it.

Hardware and Software Assets

Hardware assets are any assets that can be physically touched, which include computers, such as laptops, workstations, and servers. Hardware assets also include network devices, such as routers, switches, and firewalls.

A wide range of values exist among the devices. A simple desktop PC can cost less than $500. However, a high-end server can cost tens of thousands of dollars.

Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate; an operating system could be a Microsoft system, such as Windows 10 or Windows Server 2016, or it could be a UNIX or Macintosh system.

Applications allow tasks to be performed. For example, Microsoft Word is an application that allows documents to be created and edited. Similarly, Oracle is a server-level application used to manage databases.

Operating systems and applications can also have a wide range of costs. For example, the operating system and applications for a desktop PC can range in the hundreds of dollars. However, the operating system and applications for a server can easily range in the thousands of dollars.

Personnel Assets

Personnel assets need to be valued. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate. An organization can do specific things to retain valued personnel.

For example, organizations have different levels of benefit packages, which might include different types of insurance, such as health, dental, and life, or retirement plans, such as matching 401(k) contributions. Many organizations also take additional steps to increase the morale and working environment of their employees.

The steps taken to retain employees are often dependent on how much they are valued. When IT administrators have the high level of knowledge required to keep a network running in good order, they have a high value to the organization.

Data and Information Assets

Data and information assets can have different levels of value depending on the data. Most organizations will take steps to identify the classification of data. For example, an organization could identify the following data classifications:

  • Public data—Public data is freely available to anyone. It may be available via public sources, such as news releases or other publications, or via an organization’s website.
  • Private data—Private data is internal data. It includes data on employees and customers. Because of its sensitive nature, personal data should be protected for fear that the information may be abused, for example, for purposes of identity theft. Private data may also include data on internal processes.
  • Proprietary data—Proprietary data is highly valuable data and deserves a high level of protection. If this data is lost, it could seriously affect the company’s profitability. For example, a company could spend millions of dollars on research and development whose goal is to create a product the company will sell. If a competitor gets this data, it could beat the originating company to market and sell the product itself, resulting in the research and development funds being lost.

Facilities and Supplies

Other items to consider when valuing assets are the facilities and supplies needed to run the business. This information is needed when calculating the company’s insurance needs.

Insurance is one of those items that a business always wants to have but never wants to use. It provides a layer of protection if the company suffers a loss. However, the loss is rarely painless. Even if the insurance company covers the loss, the process is difficult.

Some organizations may realize that one of their facilities is so important that it needs redundancy. In this case, redundancy is another site that can perform the same functions. The four types of alternate sites are:

  • Hot site—A location that can take over the operations of another location within a short period of time. A hot site has all the hardware, software, and data needed to perform the critical functions of the original site and is the most expensive of the four types of alternate sites.
  • Cold site—A building with electricity and running water but little else. Computers and data can be brought to this location to set up operations. A cold site is the least expensive of the four sites. However, it takes the longest time to set up and is the hardest to test.
  • Warm site—A compromise between a hot site and a cold site. It may include all the hardware, but the data may not be up to date, and it may take as long as one or more days to implement.
  • Mobile site—A compromise between a warm and a cold site. It has portable structures with necessary hardware and software. The temperature of a mobile site depends on how much infrastructure it has available for use; hence, it could almost function like a warm or cold site.

The type of alternate site chosen depends on the value of the primary location. The supplies that will be stored there need to be considered to ensure the alternate location can perform the same type of work. Of course, an alternate location may not be necessary at all.
