<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; Information Security Risk Assessment</title>
	<atom:link href="http://infosecminds.com/tag/information-security-risk-assessment/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Wed, 05 May 2010 07:29:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Service Asset – A Requirement or Duplication</title>
		<link>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/</link>
		<comments>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 11:35:42 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Asset Identification]]></category>
		<category><![CDATA[Asset Inventory]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=125</guid>
		<description><![CDATA[It came up recently while discussing with a friend of mine: the need for capturing service assets as part of the asset inventory that is used further in the risk assessment exercise. In a normal scenario, everyone uses a template that captures assets under different categories, viz. Information Asset – deals with electronic and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">It came up recently while discussing with a friend of mine: the need for capturing service assets as part of the asset inventory that is used further in the risk assessment exercise.</p>
<p style="text-align:justify;">In a normal scenario, everyone uses a template that captures assets under different categories, viz.</p>
<ul style="text-align:justify;">
<li>Information Asset – deals with electronic and paper based data</li>
<li>Hardware Asset – includes all your hardware, cupboards, safes, etc.</li>
<li>Software Asset – includes all software used or implemented in the organization</li>
<li>Service Asset – services that a department avails of from the organization</li>
<li>People Asset – covers people / employees</li>
</ul>
<p style="text-align:justify;"> Now the discussion went like this:</p>
<p style="text-align:justify;"><span id="more-125"></span></p>
<p style="text-align:justify;"> We capture service assets and also get the availability value of that asset from each department to determine the asset value. Now, a disruption in service is caused to one or more of the following:</p>
<ul style="text-align:justify;">
<li>A failure of hardware</li>
<li>A failure of software</li>
<li>A failure of people</li>
</ul>
<p style="text-align:justify;">One or more of the above failures will cause a service disruption and we are already capturing the availability values of these parameters under hardware asset, software asset and people asset respectively.</p>
<p style="text-align:justify;">The question arise was is it not a duplication of effort and capturing of availability value in the above case. If yes, why do we do this?</p>
<p style="text-align:justify;">Now in security perspective:</p>
<ol style="text-align:justify;">
<li>Hardware is identified / recorded by an end user only if the end user has a direct interaction with that server. For example: a File Server.</li>
<li>If it is a service availed of by the end user, he/she is unaware of the hardware used to provide that service. Hence they will only term it a service, and it will not be captured as part of the hardware asset.</li>
<li>When it comes to the IT department, they will identify all the hardware that is under their control. They can identify the hardware, but they are unable to determine, from a business perspective, the availability parameter of the service provided through that hardware.</li>
</ol>
<p style="text-align:justify;">Hence it is required to capture the service assets from various departments while we carry out a function based risk assessment exercise.</p>
<p style="text-align:justify;">Further, it is not only about failures that are looked into while capturing the service assets. As a part of the control recommendations, based on the inputs from various user departments, it could also be possible that the recommendation will be to provide the service on a fail over module or utilize and load balancer etc.</p>
<p style="text-align:justify;">Now, looking at the other aspect of capturing service assets would be to understand the services availed from the organization, where, the organization has procured it from a third party. For example: An internet connection from the ISP.</p>
<p style="text-align:justify;">We will not be capturing the hardware, software or people asset outside our organization, but still will be using a particular service. There might be one piece of asset that is connecting between the organization and the ISP, but after that we have no controls. Hence we will require to capture the service assets which will help in defining SLA’s with the vendors and procure adequate service.</p>
<p style="text-align:justify;"> Looking forward for your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>ISMS Implementation Guide</title>
		<link>http://infosecminds.com/2007/04/04/isms-implementation-guide/</link>
		<comments>http://infosecminds.com/2007/04/04/isms-implementation-guide/#comments</comments>
		<pubDate>Wed, 04 Apr 2007 08:43:58 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=16</guid>
		<description><![CDATA[ISMS Implementation Guide is one of my first white papers, written out of my personal experience in implementing Information Security practices in an organization using the BS ISO/IEC 17799:2005 framework. This paper is intended to give insight to, and help, those who are implementing this for the first time and those who [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">ISMS Implementation Guide is one of my first white papers, written out of my personal experience in implementing Information Security practices in an organization using the BS ISO/IEC 17799:2005 framework. This paper is intended to give insight to, and help, those who are implementing this for the first time and those who will be coordinating with external consultants on ISMS implementations in their organizations.</p>
<p>Please download the document here:<br />
<a href="http://vputhuseeri.files.wordpress.com/2008/07/isms_implementation_guide.pdf">ISMS Implementation Guide</a></p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2007/04/04/isms-implementation-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
