Leveraging assets for improved information security

Have you ever stopped for a minute to think about what exactly an asset is? Most people think of the assets that sit on the company’s balance sheet, and tend to think about assets from a financial point of view. Thankfully, over the last few years our outlook on what assets are has improved, largely as a result of carrying out risk assessments, and we are now more likely to think about intangible assets as well as tangible ones.


Tangible

  • Tangible assets are physical assets such as equipment, machinery, office furniture, inventory and cash. These assets are the backbone of a company that keep it in production but are not available to customers. Tangible assets are at risk of damage from naturally occurring incidents, from people (whether intentionally or accidentally) and from age-related depreciation.

Intangible

  • Intangible assets are non-physical, such as patents, trademarks, franchises, goodwill and copyrights. Depending on the type of business, intangible assets may include Internet domain names, performance events, licensing agreements, service contracts, computer software, blueprints, manuscripts, joint ventures, medical records, permits and trade secrets. Intangible assets add to a company’s possible future worth and can be much more valuable than its tangible assets.

As an ISO 27001 assessor, what I especially like about the Payment Card Industry Data Security Standard (PCI DSS) is the way it makes visible to many people certain assets that are otherwise invisible.

For example, when you get down to the granularity and specificity of a network segment, would you ever consider each individual segment as an asset? I would. What’s more, I’d give each one an asset tag, i.e. a position in the asset inventory. I want to be absolutely sure that when I am considering any change in the organisation, I have visibility of all my assets that might be impacted as a result of that change.

Hiring a new member of staff? What access will they be given? What network segments will they have access to? What behaviours will the individual exhibit as part of their role? Are they involved in marketing and allowed to browse many websites for marketing purposes? Do they open numerous emails from marketing initiatives? Are they therefore at a higher risk of becoming infected with network-traversing viruses? Should they be isolated to particular network segments to minimise the risk?
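To make the above concrete, here is an added example (not code from the original post or from Gemserv) of an asset inventory in which network segments carry asset tags like any other asset, with an onboarding check that lists what a new hire could reach and flags a high-exposure role landing on a segment holding cardholder data. The asset tags, segment names, role profiles and classification labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    tag: str                           # asset tag: its position in the inventory
    name: str
    kind: str                          # "tangible", "intangible" or "segment"
    segment: Optional[str] = None      # segment the asset sits on (None for a segment itself)
    classification: str = "internal"   # "cardholder-data" marks an asset in PCI DSS scope


@dataclass
class Inventory:
    assets: Dict[str, Asset] = field(default_factory=dict)

    def add(self, asset: Asset) -> None:
        self.assets[asset.tag] = asset

    def on_segment(self, seg_tag: str) -> List[Asset]:
        return [a for a in self.assets.values() if a.segment == seg_tag]


def onboarding_impact(inv: Inventory, segments: Set[str], exposure: str) -> dict:
    """Change-impact view for a new hire: every inventoried asset reachable from the
    segments they are granted, plus findings where a high-exposure role (heavy web
    browsing / inbound email) reaches cardholder data or an uninventoried segment."""
    reached: List[str] = []
    findings: List[str] = []
    for seg in sorted(segments):
        if seg not in inv.assets or inv.assets[seg].kind != "segment":
            findings.append(f"{seg}: not an inventoried segment, access cannot be assessed")
            continue
        members = inv.on_segment(seg)
        reached.extend(a.tag for a in members)
        in_scope = [inv.assets[seg]] + members
        if exposure == "high" and any(a.classification == "cardholder-data" for a in in_scope):
            findings.append(f"{seg}: high-exposure role reaches cardholder data; isolate elsewhere")
    return {"assets": reached, "findings": findings}


# Constructed sample inventory: two segments, each carrying a few tagged assets.
inv = Inventory()
inv.add(Asset("SEG-CORP", "Corporate office LAN", "segment"))
inv.add(Asset("SEG-CDE", "Payment processing segment", "segment", classification="cardholder-data"))
inv.add(Asset("A-0101", "Marketing workstation pool", "tangible", "SEG-CORP"))
inv.add(Asset("A-0102", "Customer mailing list", "intangible", "SEG-CORP"))
inv.add(Asset("A-0201", "Payment gateway server", "tangible", "SEG-CDE", "cardholder-data"))

if __name__ == "__main__":
    print(onboarding_impact(inv, {"SEG-CORP"}, "high"))             # marketing hire, no finding
    print(onboarding_impact(inv, {"SEG-CORP", "SEG-CDE"}, "high"))  # same hire given CDE access
```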

Consequently, what I have found whilst auditing organisations is that ISO 27001 and PCI DSS v3.1 support each other in ensuring that an organisation’s assets are visible and that healthy diligence is applied to treating risks by

  • implementing controls in line with the organisation’s risk appetite whilst complying with relevant legislative statutory, regulatory and contractual requirements.

So don’t stop there; consider every

  • relevant legislative or statutory act
  • regulatory requirement document
  • contractual requirement
  • contract
  • member of staff
  • contractor

What other assets are important to your organisation and how visible can you make them?
