Adding an Asset
Clicking the Add Asset button brings up the Add Asset form. The form contains two sections: General Information and Assurance. Only the General Information tab is required to add a new asset, but it is recommended that both areas are completed.

Asset Name
The name of the asset.
Asset Type
The type of asset. The options are as follows:
Browser
Any component of a web browser that is critical to maintaining the security and integrity of the information being accessed or transmitted through the browser.
Cloud Service
Any component of the cloud computing environment that is critical to the security and availability of the cloud service. This can include data storage, virtual machines, network infrastructure, and other resources provided by the cloud service provider.
Desktop
Any physical device, software or data stored on a computer that is considered important for maintaining the security and integrity of an organisation's information system.
Email Application
Firewall
A security control that is used to protect a network from unauthorised access and to prevent malicious traffic from entering or leaving the network.
Hypervisor
Any software or hardware component that enables virtualisation on a server.
Information Asset
Any piece of information that is valuable to an organisation and needs to be protected. It can be anything from customer data to financial information or intellectual property.
Laptop
Any laptop computer that contains sensitive or valuable information that needs to be protected from unauthorised access, use, or disclosure.
Malware Protection
A security measure that aims to prevent and detect malicious software or computer viruses from infecting computer systems or networks.
Mobile Device
Also known as a cell phone or smartphone, a mobile device is a portable electronic device that allows people to make and receive phone calls, send and receive text messages, and access the internet and various mobile applications.
Network
A group of interconnected devices such as computers, servers, and other electronic devices that communicate with each other through various communication channels such as wired or wireless connections.
Office Application
Any type of computer software designed to help users perform common tasks related to office work, such as creating and editing documents, spreadsheets, presentations, emails, and other types of digital content.
Router
A router is a device that is used to connect different networks together and route data traffic between them.
Server
A computer system that is used to store and manage data and resources, and can be used to support information security management systems (ISMS).
Tablet
A type of mobile computing device that is typically larger than a smartphone but smaller than a laptop. It is a flat, portable computer that is operated through a touchscreen interface and typically lacks a physical keyboard.
Thin Client
A computer that runs a lightweight operating system, such as Google's Chrome OS, and relies on a remote server to perform most of the processing and data storage.
Virtual Desktop
A desktop computing environment that is hosted and managed in a virtualised environment, typically on a server or in the cloud.
Virtual Server
A type of server that runs within a virtual environment, created by a virtualisation technology. It is a simulated server that provides the same functionality as a physical server, but it exists only in software.
Asset Description
A brief description of what the asset is.
Date Onboarded
The date on which this asset was first introduced to the organisation.
Critical
Whether the asset is critical for business operations or not.
Asset Owner
The person responsible for this asset.
Last Review Date
The last date on which this asset was reviewed.
Next Review Date
The next scheduled date for this asset to be reviewed.

Has an access review been carried out in the last 12 months on the system, including administrators?
Whether a review of employees' access has been conducted within the last 12 months on the respective asset.
Does the system encrypt data in transit?
Whether the asset encrypts data while it is being transferred over a connection.
Does the system encrypt data at rest?
Whether the asset encrypts data in its storage.
Have logs been reviewed regularly and incidents raised for suspicious event?
Whether any logs associated with the asset are regularly checked for potential incidents.
Has a vulnerability scan or penetration test been performed on the system and issues remediated?
Whether a vulnerability scan or penetration test has been performed to ensure there are no active vulnerabilities or misconfigurations within an asset.
Has a backup and restore been carried out to ensure that the disaster recovery process works for the system?
Whether backups of the asset's data have been performed so that, in case of an outage, any lost data can be restored.
Has multi-factor authentication been implemented on the system for all users?
Whether multi-factor authentication has been enabled where possible.
Has the system been reviewed to cleanse and ensure quality of the data inline with retention policies?
Whether the system has been checked to ensure data is within data retention parameters.
Result of assessment
Whether this asset has passed or failed its assessment based on previous answers.
Conducted by
The person responsible for conducting this assessment.
If an asset is marked as critical, the Disaster Recovery section will be available to complete.

Disaster Recovery Plan
The steps to follow in order to recover this asset in the event of an incident or disaster.
Security considerations during DR
The security points that must be considered for this asset in the event of an incident. For example, employee or client data if a work laptop is stolen.
RPO (Recovery Point Objective)
The maximum tolerable loss of data in terms of time. For example, a loss of 2 hours' worth of data.
RTO (Recovery Time Objective)
The maximum tolerable time in which an asset can be unavailable. For example, if the RTO is 2 hours then the asset should be available again after failure in less than 2 hours.
BIA Owner
The person who is responsible for this disaster recovery assessment.