¶ Asset Evaluation in Diri
Asset evaluation is the cornerstone of the risk assessment as it helps determine which assets need protection. An asset has value for the organization and must be protected. Still, for information security risk, our concern is primarily on information assets. Diri presents a novel process for mapping information assets that are either stored, processed, or transmitted in the risk-assessed object. In Diri, this object will often be an IT system. Step 2 aims to identify which information assets the system handles and prioritize them. Diri proposes to use an information classification approach for evaluating assets. This approach builds on the pillars of information security and evaluates the need for:
- Confidentiality - How secret is this information?
- Integrity - How dependent are we on that the data is correct, complete, and up-to-date?
- Availability - How long can we manage without the information?
Confidentiality, integrity, and availability, abbreviated as CIA. The information classification provides a way of understanding consequences if something happens to an information asset or system. We, therefore, use the classification results as a measure of system criticality and prioritizing.
¶ Benefits of the asset evaliuation
There are multiple benefits from conducting a proper asset evaluation, here are a few:
- Get an overview of where important assets are located in your organisation.
- It is a fundamental step in risk understanding. One needs to answer, "what will happen if this asset becomes known/ gets changed/ becomes unavailable"?
- The asset evaluation is essential in system criticality and determining security requirements.
- The asset can be the added to the consequnce side of the risk assessment.
¶ Before jumping into the asset evaluation
In preparation for the asset evaluation, you should make sure that the information classification levels are defined with descriptions of each classification level. For assessment of CIA for values, Diri has developed four security levels as suggestions with descriptions that you can use. When we set the security level of the system, we use the highest ranked value, for example, if a system contains assets that are classified on level 4, then the security level of the system also becomes level 4. Asset evaluation is the cornerstone of information security because it determines how we approach the rest of the risk assessment according to the criticality level of the system. An object managing strictly confidential information will naturally have higher security requirements than one managing open information but be sure to consider requirements to integrity and availability.
Configure your classification levels in Settings, located under the General tab, select the "Levels for information classification and asset evaluation." You can configure how many classification levels you want in this setting and name the levels according to your existing policy.
¶ Key principles in the Diri asset evalution
The primary purpose of the asset evaluation is to map critical assets and evaluate their need for security. Assets are also added to consequences in the Diri Risk Analysis (step 3). Asset evaluation in Diri is built on categorisation and processes. We have created several high-level asset categories with subcategories based on our research. The broad categorisation of asset types aims to ease the asset evaluation as much as possible while retaining a sufficient quality level. Each category contains knowledge specific to that asset type and eases the workload on the user. The workflow is such that the user is asked a simple yes/no question if the asset category is within scope. If the answer is yes, the user is asked to provide more information about the asset, including an assessment of confidentiality and integrity. Clicking no allows the user to document a brief rationale or move on.
The category "Other" should be used in risk assessments containing assets that are not on the list. This option allows you to name and provide a broad categorisation of the special assets included in your risk assessment. You can re-name the assets in the list.
¶ Starting an asset evaluation in Diri
Start the asset evaluation by clicking on step 2 in the risk assessment dashboard. Clicking on the Add asset button will open the form for asset evalution, which looks like this:
Each information type has additional knowledge baked into the Diri helper to make asset evaluation an easy-as-possible task. The form has multiple asset types have built-in information, the picture above is illustrative for the asset evaluation process. Selecting a pre-defined asset type will provide some alternative tags you can use to simplify the process.
Clicking "Submit" will record the results and list them in the asset overview.
¶ Editing existing assets
Clicking on an asset in the list will give you additional editing options will re-open the form. You can also edit directly in the table using our standard table functionality.
