Leveraging assets for improved information security
Published On: 27th November 2015
Have you ever stopped for a minute to think about what exactly an asset is? Most people think of the assets that sit on the company’s balance sheet; that is, they view assets from a financial point of view. Thankfully, over the last few years our outlook on what assets are has improved, largely as a result of carrying out risk assessments, and we are now more likely to think about intangible assets as well as tangible ones.
Tangible assets are physical assets such as equipment, machinery, office furniture, inventory and cash. These assets are the backbone that keeps a company in production, but they are not themselves available to customers. Tangible assets are at risk of damage from naturally occurring incidents, from people (whether intentionally or accidentally), or from age-related depreciation.
Intangible assets are nonphysical, such as patents, trademarks, franchises, goodwill and copyrights. Depending on the type of business, intangible assets may include Internet domain names, performance events, licensing agreements, service contracts, computer software, blueprints, manuscripts, joint ventures, medical records, permits and trade secrets. Intangible assets add to a company’s possible future worth and can be much more valuable than its tangible assets.
As an ISO 27001 assessor, what I especially like about the Payment Card Industry Data Security Standard (PCI DSS) is the way it makes visible certain assets that are otherwise invisible to many.
For example, when you get down to the granularity and specificity of a network segment, would you ever consider each individual segment an asset? I would. What’s more, I’d give each one an asset tag, i.e. a position in the asset inventory. I want to be absolutely sure that when I am considering any change in the organisation, I have visibility of all the assets that might be impacted by that change.
Hiring a new member of staff? What access will they be given? What network segments will they have access to? What are the behaviours the individual will use as part of their role? Are they involved in marketing and allowed to browse many websites for marketing purposes? Do they open numerous emails from marketing initiatives? Are they therefore at a higher risk of becoming infected with network traversing viruses? Should they be isolated to particular network segments to minimise the risk?
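As an added illustration (not code from the original post), here is a small Python model of the inventory described above: network segments carry asset tags alongside systems and contracts, and a proposed new starter’s role is checked for which assets it would touch and whether a high-exposure role reaches sensitive ones. The inventory, tags, role fields and the `sensitive` flag are all constructed for this example.

```python
"""Asset inventory with network segments as tagged, first-class assets,
plus a change-impact check for a proposed new member of staff (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str                     # position in the asset inventory, e.g. "NET-01"
    kind: str                    # "segment", "system", "contract", ...
    name: str
    located_in: tuple = ()       # tags of the assets this one sits within
    sensitive: bool = False      # holds cardholder / regulated data (assumed flag)


@dataclass(frozen=True)
class Role:
    title: str
    segments: frozenset          # segment tags the role needs to reach
    high_exposure: bool = False  # browses many sites / opens many external emails


# Constructed sample inventory; not taken from any real organisation.
INVENTORY = {
    "NET-01": Asset("NET-01", "segment", "Office LAN"),
    "NET-02": Asset("NET-02", "segment", "Cardholder data segment", sensitive=True),
    "SYS-07": Asset("SYS-07", "system", "Payment switch", ("NET-02",), sensitive=True),
    "SYS-09": Asset("SYS-09", "system", "Marketing CMS", ("NET-01",)),
    "CON-03": Asset("CON-03", "contract", "Acquirer agreement", ("SYS-07",)),
}


def impacted_assets(inventory, changed_tags):
    """Every asset tag that sits, directly or transitively, within a changed asset."""
    hit, frontier = set(changed_tags), set(changed_tags)
    while frontier:
        frontier = {a.tag for a in inventory.values()
                    if a.tag not in hit and any(t in frontier for t in a.located_in)}
        hit |= frontier
    return sorted(hit)


def assess_new_starter(inventory, role):
    """Return (impacted asset tags, findings) for giving a new starter this role."""
    impacted = impacted_assets(inventory, role.segments)
    findings = []
    sensitive_hits = [t for t in impacted if inventory[t].sensitive]
    if role.high_exposure and sensitive_hits:
        findings.append(f"{role.title}: high-exposure role reaches sensitive assets "
                        f"{sensitive_hits}; consider isolating to a separate segment")
    return impacted, findings
```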
Consequently, what I have found whilst auditing organisations is that ISO 27001 and PCI DSS v3.1 support each other: together they ensure an organisation’s assets are visible and that healthy diligence is applied to treating risks, by implementing controls in line with the organisation’s risk appetite whilst complying with relevant legislative, statutory, regulatory and contractual requirements.
So don’t stop there; consider every:
relevant legislative or statutory act
regulatory requirement document
member of staff
What other assets are important to your organisation and how visible can you make them?