Example Assets

Below are some examples of assets and how they might look once filled in.

Frodo's Laptop

For this example, we'll be adding a work laptop for Frodo.

Asset Name

It's important to give your asset a clear name as this is what will be displayed in the table on the Assets page.

Frodo's Laptop

Asset Type

We will now select what the asset is. For this example, it is a laptop.

Laptop

Asset Description

This is a brief description of what the asset is. This could include make, model, serial number, etc. as desired. For this example, we will just write a simple description.

Frodo's work laptop.

Date Onboarded

This is the date on which the asset was introduced to the organisation. We will input 8th July 2023 as an example for this.

08/07/2023

Critical

For the purposes of this example, we will mark the asset as critical to activate the Disaster Recovery section.

Yes

Asset Owner

Since this laptop belongs to Frodo, we'll assign the asset owner as Frodo Baggins.

Frodo Baggins

Last Review Date

This is the date on which Frodo's laptop was last reviewed. For the purposes of this example, we'll assume this was when we onboarded the laptop.

08/07/2023

Next Review Date

This will be automatically set to a year from the last review date. Since we've set the last review date as 08/07/2023, this will be set to 08/07/2024. To maintain compliance, assets must be reviewed at least yearly to ensure they remain up to security standards.

08/07/2024

Has an access review been carried out in the last 12 months on the system, including administrators?

Whether a review of employees' access has been conducted within the last 12 months on the respective asset.

Yes

Does the system encrypt data in transit?

Whether the asset encrypts data while it is being transferred over a connection.

Yes

Does the system encrypt data at rest?

Whether the asset encrypts data in its storage.

Yes

Have logs been reviewed regularly and incidents raised for suspicious event?

Whether any logs associated with the asset are regularly checked for potential incidents.

Yes

Has a vulnerability scan or penetration test been performed on the system and issues remediated?

Whether a vulnerability scan or penetration test has been performed to ensure there are no active vulnerabilities or misconfigurations within an asset.

Yes

Has a backup and restore been carried out to ensure that the disaster recovery process works for the system?

Whether backups of the asset's data have been performed so that, in case of an outage, any lost data can be restored.

Yes

Has multi-factor authentication been implemented on the system for all users?

Whether multi-factor authentication has been enabled where possible.

Yes

Has the system been reviewed to cleanse and ensure quality of the data inline with retention policies?

Whether the system has been checked to ensure data is within data retention parameters.

Yes

Result of assessment

Whether this asset has passed or failed its assessment based on previous answers.

Pass

Conducted by

The person responsible for conducting this assessment.

Bilbo Baggins

If an asset is marked as critical, the Disaster Recovery section will be available to complete.

Disaster Recovery Plan

The steps to follow in order to recover this asset in the event of an incident or disaster.

Step 1) Determine the status of the laptop:
If the laptop is lost, stolen, or damaged, immediately report it to the IT manager and follow their instructions for further actions.
In case of theft, report the incident to both the IT manager and the police to initiate appropriate measures.

Step 2) IT manager initiates remote data wipe and tracking:
If the laptop is lost or stolen, the IT manager should remotely wipe the device to protect sensitive data.
If available, utilise tracking software or services to locate the laptop or increase the chances of recovery.

Step 3) IT manager issues a temporary or new laptop:
The IT manager should provide a temporary laptop or arrange for a replacement to ensure minimal disruption to the employee's work.

Step 4) Determine repair or replacement options:
Assess the extent of damage and consult with the IT manager to determine whether the laptop can be repaired or if a replacement is necessary.
If repair is required, send the laptop to a trusted manufacturer or repair service.

Step 5) Restore data and applications:
If a new laptop is issued, the IT manager should restore necessary data and applications from backups or cloud services.
Ensure that all restored data is up to date and compatible with the new laptop.

Step 6) Change passwords and strengthen security:
Prompt the user to change passwords for all cloud-based services and accounts to prevent unauthorised access.
Encourage the use of strong, unique passwords and enable multi-factor authentication for enhanced security.

Step 7) Decommission the old laptop:
If the laptop is beyond repair or has been replaced, securely wipe all data or physically destroy the storage device before disposing of it.
Follow appropriate procedures to ensure compliance with data protection regulations.

Step 8) Evaluate and improve the disaster recovery plan:
Conduct a post-incident review to identify any gaps or areas for improvement in the plan.
Update the plan accordingly to address any shortcomings and enhance future response and recovery efforts.

Security considerations during DR

The security points that must be considered for this asset in the event of an incident. For example, employee or client data if a work laptop is stolen.

Ensure the IT manager is informed as soon as possible so the appropriate actions can be implemented. Ensure the police are notified if the laptop is reported stolen.

RPO (Recovery Point Objective)

The maximum tolerable loss of data, measured in time. For example, a loss of 2 hours' worth of work.

1 day

RTO (Recovery Time Objective)

The maximum tolerable time in which an asset can be unavailable. For example, if the RTO is 2 hours then the asset should be available again after failure in less than 2 hours.

1 day

BIA Owner

This is the person who conducted this disaster recovery assessment and is responsible for it. For this example, we'll say Bilbo Baggins conducted the assessment.

Bilbo Baggins
