Asset Definition

From The Secure Arc Wiki

Jump to: navigation, search
You Are HereGo to Asset ValueGo to ExposuresGo to ExposuresGo to ExposuresGo to ExposuresGo to ExposuresGo to ExposuresGo to Asset VulnerabilitiesGo to Asset ImpactGo to ThreatsGo to Deterrent ControlGo to Detective ControlGo to Preventative ControlGo to Corrective ControlGo to CountermeasuresGo to CountermeasuresGo to CountermeasuresGo to CountermeasuresGo to CountermeasuresGo to CountermeasuresGo to CountermeasuresBack up to Security Controls

Everything ties back to Asset management and classification. If you don't know what it is that you're protecting and how valuable it is, you can't know or justify how much you should spend on Security Controls.

Determining the value of an Information Asset is not a trivial task. Our approach attempts to address this by making the process as quantitative as possible.


Asset Types

Image:InformationAssetsTable.png Image:InfrastructureAssetsTable.png

Infrastructure Assets

Put simply, Infrastructure Assets refer to the individual nodes displaying, transferring, processing and storing the Information Assets in a system. When drawing up the Security Architecture for a solution, each logical representation of a server that is placed on the architectural diagram has a one-to-one relationship with an Infrastructure Asset.

Information Assets

Information Assets are less tangible. They refer to the categories of data that pass through and are stored in the system. These should be considered in relation to Value at Risk, Regulatory, Reputation and Mission classifications (largely sourced from NIST 800-30).

If you need to protect a type of data for any of the above reasons, then it should be defined as an Information Asset. A good approach is to focus on the regulatory compliance needs and the ability to identify the types of assets that have regulatory constraints on them.

The definition of the assets themselves do not include the classification and valuation of them. That comes in the next step.

Asset Definition

When defining an individual asset, you need to identify the following:

  • Who owns it, both from a management and implied business unit perspective
  • What other assets of the same type it is dependent on
  • What information assets are stored on it (or what it’s stored on if it’s an Information Asset) and how many
  • What information assets pass through it (or what it passes through if it’s an Information Asset) and how many


The quantity parts of where information assets are persistently and transiently stored is very important later on. These are obviously very quantitative values and easy to come by. Each organization should know just how many Credit Card Numbers they store and how many Customers they have.


Personal tools