Have you ever stopped for a minute to think about what exactly an asset is? Most people think of the assets that sit on the company’s balance sheet and tend to view them from a financial point of view. Thankfully, over the last few years our outlook on what assets are has improved, largely as a result of carrying out risk assessments, and we are now more likely to think about intangible assets as well as tangible ones.
- Tangible assets are physical assets such as equipment, machinery, office furniture, inventory and cash. They are the backbone of a company that keeps it in production, though they are not available to customers. Tangible assets are at risk of damage from naturally occurring incidents, from people (whether intentionally or accidentally), or from age-related depreciation.
- Intangible assets are non-physical, such as patents, trademarks, franchises, goodwill and copyrights. Depending on the type of business, intangible assets may include Internet domain names, performance events, licensing agreements, service contracts, computer software, blueprints, manuscripts, joint ventures, medical records, permits and trade secrets. Intangible assets add to a company’s possible future worth and can be much more valuable than its tangible assets.
As an ISO 27001 assessor, what I especially like about the Payment Card Industry Data Security Standard (PCI DSS) is the manner in which it makes visible to many people certain assets that are otherwise invisible.
For example, when you get down to the granularity of individual network segments, would you ever consider each segment an asset? I would. What’s more, I’d give each one an asset tag, i.e. a position in the asset inventory. I want to be absolutely sure that, when I am considering any change in the organisation, I have visibility of all my assets that might be impacted as a result of that change.
Hiring a new member of staff? What access will they be given? What network segments will they have access to? What behaviours will the individual exhibit as part of their role? Are they involved in marketing and allowed to browse many websites for marketing purposes? Do they open numerous emails from marketing initiatives? Are they therefore at a higher risk of becoming infected with network-traversing viruses? Should they be isolated to particular network segments to minimise the risk?
Consequently, what I have found whilst auditing organisations is that ISO 27001 and PCI DSS v3.1 support each other in ensuring that an organisation’s assets are visible and that healthy diligence is applied to treating risks by:
- implementing controls in line with the organisation’s risk appetite whilst complying with relevant legislative, statutory, regulatory and contractual requirements.
So don’t stop there; consider every:
- relevant legislative or statutory act
- regulatory requirement document
- contractual requirement
- member of staff
- contractor
What other assets are important to your organisation and how visible can you make them?
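To make the idea concrete, here is an added example (not code from the original post) of an asset inventory in which network segments, the systems hosted on them, people and contracts all receive an asset tag, so that a proposed change such as the new hire discussed above can be checked for every asset it might impact. The tags, names, roles, sensitivity levels and the role-exposure ratings are all constructed for illustration and are not taken from ISO 27001 or PCI DSS.

```python
"""Constructed asset inventory: segments, systems, people and contracts as tagged assets,
with a change-impact query for granting a new member of staff access to segments."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    tag: str                  # position in the asset inventory, e.g. "NET-002"
    name: str
    kind: str                 # "segment", "system", "person", "contract", ...
    tangible: bool
    sensitivity: str = "low"  # "low" | "medium" | "high" (e.g. cardholder data)
    depends_on: set = field(default_factory=set)  # tags of assets this one is hosted in or relies on


class AssetInventory:
    def __init__(self):
        self._assets = {}

    def add(self, asset):
        """Register an asset; tags are unique and dependencies must already be inventoried."""
        if asset.tag in self._assets:
            raise ValueError(f"duplicate asset tag {asset.tag}")
        missing = asset.depends_on - set(self._assets)
        if missing:
            raise ValueError(f"{asset.tag} depends on unknown asset(s) {sorted(missing)}")
        self._assets[asset.tag] = asset

    def get(self, tag):
        return self._assets[tag]

    def dependants_of(self, tag):
        """Transitively collect every asset that depends on `tag`: the set a change to `tag` can impact."""
        found = set()
        frontier = [tag]
        while frontier:
            current = frontier.pop()
            for asset in self._assets.values():
                if current in asset.depends_on and asset.tag not in found:
                    found.add(asset.tag)
                    frontier.append(asset.tag)
        return found


# Constructed exposure ratings: how much untrusted content (web browsing, inbound email) a role handles.
ROLE_EXPOSURE = {"marketing": "high", "finance": "medium", "network-admin": "low"}


def assess_new_hire(inventory, person_tag, role, segment_tags):
    """Return (impacted asset tags, findings) for granting `role` access to the given segments.

    A finding is raised when a high-exposure role would reach a high-sensitivity asset,
    which is the cue to isolate that person to a segment that does not contain it.
    """
    impacted = set()
    for seg in segment_tags:
        impacted.add(seg)
        impacted |= inventory.dependants_of(seg)
    exposure = ROLE_EXPOSURE.get(role, "medium")
    findings = []
    for tag in sorted(impacted):
        asset = inventory.get(tag)
        if exposure == "high" and asset.sensitivity == "high":
            findings.append(
                f"{person_tag} ({role}, {exposure} exposure) would reach high-sensitivity "
                f"{asset.kind} {tag} ({asset.name}); isolate to a segment without it"
            )
    return impacted, findings


def build_sample_inventory():
    """Constructed inventory: two segments, the systems on them, and a contract that relies on one system."""
    inv = AssetInventory()
    inv.add(Asset("NET-001", "Office LAN", "segment", tangible=True))
    inv.add(Asset("NET-002", "Cardholder data environment", "segment", tangible=True, sensitivity="high"))
    inv.add(Asset("SYS-010", "Payment gateway", "system", tangible=True, sensitivity="high", depends_on={"NET-002"}))
    inv.add(Asset("SYS-020", "Marketing CMS", "system", tangible=True, sensitivity="medium", depends_on={"NET-001"}))
    inv.add(Asset("CON-030", "Acquiring bank contract", "contract", tangible=False, sensitivity="high", depends_on={"SYS-010"}))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    impacted, findings = assess_new_hire(inv, "PER-101", "marketing", ["NET-001", "NET-002"])
    print("impacted:", sorted(impacted))
    for finding in findings:
        print("finding:", finding)
```

Because the intangible contract is inventoried with a dependency on the payment gateway, a change that touches the cardholder segment surfaces the contract as an impacted asset too, which is exactly the visibility the inventory is meant to give; granting the same marketing hire access only to the office LAN produces no findings.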