It came up recently while discussing with one of my friends: the need for capturing service assets as part of an asset inventory that will be used further in a risk assessment exercise.

In a normal scenario, everyone uses a template that captures assets under different categories, viz.

  • Information Asset – deals with electronic and paper based data
  • Hardware Asset – includes all your hardware, cupboards, safe, etc
  • Software Asset – includes all software used or implemented in the organization.
  • Service Asset – services that a department avails from the organization
  • People Asset – talks about people / employees

Now the discussion went like this:

We capture service assets and also get the availability value of each such asset from the department that uses it, to determine the asset value. Now, a disruption in a service is caused by one or more of the following:

  • A failure of hardware
  • A failure of software
  • A failure of people

One or more of the above failures will cause a service disruption, and we are already capturing the availability values of these parameters under hardware, software and people assets respectively.

The question that arose was: is this not a duplication of effort in capturing the availability value? If yes, why do we do it?

Now, from a security perspective:

  1. Hardware is identified / recorded only if the end user has a direct interaction with that server. For example: a file server.
  2. If it is a service availed by the end user, he/she is unaware of the hardware used to provide that service. Hence they will only term it a service, and it will not be captured as a hardware asset.
  3. When it comes to the IT department, they will identify all the hardware under their control. They will identify the hardware, but will be unable to determine, from a business perspective, the availability parameter of the service provided through that hardware.

Hence it is required to capture service assets from the various departments while carrying out a function-based risk assessment exercise.

Further, it is not only failures that are looked into while capturing service assets. As part of the control recommendations, based on inputs from the various user departments, the recommendation could also be to provide the service on a failover module or to utilize a load balancer, etc.

Now, the other aspect of capturing service assets is to understand the services availed by the organization where the organization has procured them from a third party. For example: an internet connection from the ISP.

We will not be capturing the hardware, software or people assets outside our organization, but we will still be using a particular service. There might be one piece of asset connecting the organization and the ISP, but beyond that we have no controls. Hence we need to capture the service assets, which will help in defining SLAs with vendors and procuring adequate service.
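To show why the service layer is not a duplicate of the hardware, software and people layers, here is an added example (not part of the original post) in Python. Departments rate only the services they consume; IT records the components; joining the two derives each component's availability value, exposes IT-recorded components that no rated service maps onto, and flags services delivered by a vendor where an SLA rather than an internal asset carries the value. The inventory, the 1–5 availability scale and the asset names are constructed for illustration.

```python
# Constructed sample inventory (hypothetical names and values).
# Business departments rate the SERVICES they use (availability on a 1-5 scale);
# IT records the component assets it controls, with no business rating of its own.
SERVICES = {
    "email":    {"dept": "HR",         "availability": 4,
                 "depends_on": ["mail-srv-01", "exchange", "mail-admin"]},
    "helpdesk": {"dept": "IT Support", "availability": 2,
                 "depends_on": ["mail-srv-01", "exchange"]},
    "payroll":  {"dept": "Finance",    "availability": 5,
                 "depends_on": ["app-srv-02", "payroll-app", "dba-team"]},
    # Only the edge router is ours; everything beyond it belongs to the ISP.
    "internet": {"dept": "All",        "availability": 3,
                 "depends_on": ["edge-router"]},
}
COMPONENT_ASSETS = {  # asset name -> asset category, as recorded by IT
    "mail-srv-01": "hardware", "app-srv-02": "hardware", "edge-router": "hardware",
    "backup-srv-03": "hardware",  # in IT's list, but no department rated a service on it
    "exchange": "software", "payroll-app": "software",
    "mail-admin": "people", "dba-team": "people",
}
THIRD_PARTY = {"internet": "ISP"}  # service -> vendor that actually delivers it


def derive_component_availability(services, assets):
    """A component inherits the highest availability value of any service it underpins.
    This is the value IT cannot assign on its own (point 3 in the post)."""
    derived = {name: 0 for name in assets}
    for svc in services.values():
        for comp in svc["depends_on"]:
            if comp in assets:
                derived[comp] = max(derived[comp], svc["availability"])
    return derived


def unrated_components(services, assets):
    """Components IT recorded that no department-rated service depends on:
    they have no business availability value until a service is mapped to them."""
    used = {c for s in services.values() for c in s["depends_on"]}
    return sorted(set(assets) - used)


def services_needing_sla(services, third_party):
    """Services delivered by a vendor: the availability value collected from the
    business must be backed by an SLA, since the underlying assets are not ours."""
    return {s: third_party[s] for s in services if s in third_party}


if __name__ == "__main__":
    print(derive_component_availability(SERVICES, COMPONENT_ASSETS))
    print(unrated_components(SERVICES, COMPONENT_ASSETS))
    print(services_needing_sla(SERVICES, THIRD_PARTY))
```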

Looking forward to your thoughts.