Assessing the importance of service assets
Asset owners should understand the value of the information, applications and infrastructure they’re responsible for so they can assess the impact of compromise, loss or unavailability.
Your documented assets all have cyber security risks and associated consequences such as reputational damage, financial loss, regulatory penalties, or public endangerment. By assessing the importance of each asset that forms part of your digital service you will be able to:
- establish the severity and types of loss that can occur as a result of cyber attacks
- evaluate the significance of consequences if assets are compromised
- prioritise investment into security based on what matters to the organisation
- prepare for threat modelling and risk assessment activities
This should be completed as part of the discovery or requirement gathering phases to ensure the appropriate level of resource is allocated to protecting your assets. The value of the assets should be continuously reviewed and updated whenever new assets are documented so the potential losses from a cyber incident are recorded accurately.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to adopt a risk-driven approach.
Who is involved
Your project’s Senior Responsible Owner (SRO), Information Asset Owner (IAO) and service owner should work with those responsible for each asset and security professionals to establish their value.
They may need to consult with business analysts, technical architects and delivery managers for further detail on how assets are used and where the risks may be.
How to assess the importance of your assets
Before you begin to assess your assets, familiarise yourself with the business priorities, security obligations and risk appetite relevant to your service so you can understand the impact of the risk management decisions you make.
Step 1: Source an impact reference table
Your cyber security risk assessment and management should align with the enterprise risk management framework used by your organisation to ensure cyber risks are managed consistently. Speak with your risk management team and use the impact reference table they provide as the basis for your asset assessment.
This will cross-reference impact categories (such as financial, operational and reputational) with risk ratings (such as from ‘1 – Minor’ to ‘5 – Critical’).
The information is unique to each organisation. For example, a ‘3 – Moderate’ risk in your ‘Financial’ category may be “Regulatory penalties between £100k and £500k”, which may be considered a ‘5 – Critical’ risk in other organisations.
The GOV.UK risk management framework provides a foundation for how to assess, respond to, and monitor risks, including good practice guidance on impact categories and risk scoring scales.
Step 2: Determine the impact of asset compromise
Working through each of your assets, establish the negative consequences to your organisation if they were compromised.
The CIA triad is a useful guiding model to help you assess information security.
- Confidentiality – whether only authorised people are able to access the information
- Integrity – whether the information is uncorrupted and unaltered
- Availability – whether the service is accessible and usable when required
Workshops and surveys are the most effective ways to capture this information. Include the relevant people within your team and encourage them to provide insight on what the realistic impact would be if the confidentiality, integrity or availability of each asset was compromised due to a lack or failing of security controls.
Example confidentiality questions
- What is the sensitivity of the data (based on the Government Security Classifications) and what would the damage be if the information was leaked or stolen?
- What legal and regulatory obligations relate to the asset and what would the fines or penalties be if people got unauthorised access to information?
Example integrity questions
- How would operations be affected if information assets were tampered with, altered or corrupted?
- How would users of the service be affected by inaccurate data, and what might the reputational damage to the organisation be?
Example availability questions
- How would the organisation be negatively affected if assets were unavailable, either temporarily or permanently?
- What would the impact be to users if access to the service was disrupted or if they were unable to access their data?
Step 3: Create an asset evaluation sheet
Expand your impact reference table to include a summary of your workshops and surveys, describing the impact of loss if your assets were compromised by a cyber attack.
Provide details for all of the impact categories for every asset, including the potential financial and reputational damage that may result from a compromise in security.
The financial impact may be direct or indirect, and could include the cost of restoring systems and data or the cost of legal and regulatory fines. Reputational impact includes how negative publicity may result in a decline in public trust in your service and a loss of confidence in key stakeholders.
Example asset evaluation entry
- Asset Title: Grant Application Information
- Description: Data fields including applicant’s name, email address, phone number and address
- Confidentiality Rating: 4 – Severe
- Confidentiality Impact: Significant levels of sustained negative publicity, increase in user complaints, loss of confidence by key stakeholders
- Integrity Rating: 3 – Moderate
- Integrity Impact: Moderate loss of management’s ability to effectively govern or operate the organisation
- Availability Rating: 2 – Low
- Availability Impact: Minor loss of management’s ability to effectively govern or operate the organisation
- Highest Business Impact: 4 – Severe
To confirm your evaluation is accurate and complete you should check:
- your impact risk ratings are referenced to your enterprise risk management framework and applied consistently with those used in your organisation
- the evaluation has been completed using the most recent list of documented assets – this is a living document and any changes or additions should result in assets being reassessed for impact
- the right people from across the project (including your SRO, service owner and IAO) have provided sufficient input
The output of this activity is subjective and based on the experiences and judgement of the stakeholders involved. To create a balanced asset evaluation that those who need to use it can be confident in, it’s important that it’s put together in collaboration with representatives from across the service team.
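The following is an added example, not part of the original guidance, showing how the evaluation sheet and its consistency checks from Step 3 can be kept as code: each asset records a CIA rating and impact description, ratings are validated against the organisation's scale, the highest business impact is derived rather than typed by hand, and the sheet is compared against the current asset register so that newly documented assets are flagged for reassessment. The five-point scale, the second asset and the asset register are constructed for illustration; a real sheet uses the impact reference table supplied by your risk management team.

```python
from dataclasses import dataclass

# Constructed impact reference table (an assumption for this example; your own
# scale comes from your organisation's risk management team and may differ).
RATING_SCALE = {1: "Minor", 2: "Low", 3: "Moderate", 4: "Severe", 5: "Critical"}


def is_on_scale(rating: int) -> bool:
    """True if the rating exists in the organisation's impact reference table."""
    return rating in RATING_SCALE


def rating_label(rating: int) -> str:
    """Render a rating the way the sheet does, e.g. 4 -> '4 – Severe'."""
    if not is_on_scale(rating):
        raise ValueError(f"rating {rating!r} is not on the scale {sorted(RATING_SCALE)}")
    return f"{rating} – {RATING_SCALE[rating]}"


@dataclass
class AssetEvaluation:
    """One row of the asset evaluation sheet."""
    title: str
    description: str
    confidentiality: int
    integrity: int
    availability: int
    confidentiality_impact: str
    integrity_impact: str
    availability_impact: str

    def highest_business_impact(self) -> int:
        """The worst of the three CIA ratings; used to prioritise security investment."""
        return max(self.confidentiality, self.integrity, self.availability)

    def validate(self) -> None:
        """Reject ratings outside the enterprise scale and empty impact descriptions,
        so every row stays consistent with the framework it references."""
        for name in ("confidentiality", "integrity", "availability"):
            rating_label(getattr(self, name))  # raises if the rating is off the scale
            if not getattr(self, f"{name}_impact").strip():
                raise ValueError(f"{self.title}: missing {name} impact description")


def unassessed_assets(documented: list[str], evaluations: list[AssetEvaluation]) -> list[str]:
    """Assets in the current register with no evaluation yet (new or renamed assets)."""
    evaluated = {e.title for e in evaluations}
    return [a for a in documented if a not in evaluated]


def prioritised(evaluations: list[AssetEvaluation]) -> list[tuple[str, str]]:
    """(title, highest impact label) ordered worst-first, for investment decisions."""
    ranked = sorted(evaluations, key=lambda e: e.highest_business_impact(), reverse=True)
    return [(e.title, rating_label(e.highest_business_impact())) for e in ranked]


# Constructed sample: the worked entry from the guidance plus a second asset.
GRANT_APPLICATION = AssetEvaluation(
    title="Grant Application Information",
    description="Data fields including applicant's name, email address, phone number and address",
    confidentiality=4, integrity=3, availability=2,
    confidentiality_impact="Significant levels of sustained negative publicity, increase in "
                           "user complaints, loss of confidence by key stakeholders",
    integrity_impact="Moderate loss of management's ability to effectively govern or operate the organisation",
    availability_impact="Minor loss of management's ability to effectively govern or operate the organisation",
)
PUBLIC_GUIDANCE = AssetEvaluation(  # constructed, lower-impact asset
    title="Public Guidance Pages",
    description="Published eligibility guidance; no personal data",
    confidentiality=1, integrity=3, availability=2,
    confidentiality_impact="Content is already public; no loss from disclosure",
    integrity_impact="Altered eligibility guidance could mislead applicants",
    availability_impact="Applicants cannot read guidance until pages are restored",
)
SAMPLE_EVALUATIONS = [PUBLIC_GUIDANCE, GRANT_APPLICATION]
# Constructed asset register; the third asset has been documented but not yet assessed.
DOCUMENTED_ASSETS = ["Grant Application Information", "Public Guidance Pages", "Applicant Identity Checks"]

if __name__ == "__main__":
    for evaluation in SAMPLE_EVALUATIONS:
        evaluation.validate()
    for title, impact in prioritised(SAMPLE_EVALUATIONS):
        print(f"{title}: Highest Business Impact {impact}")
    for title in unassessed_assets(DOCUMENTED_ASSETS, SAMPLE_EVALUATIONS):
        print(f"Reassess: {title} is in the asset register but has no evaluation")
```

Running the script lists assets worst-first and names any register entries that still need a workshop, which covers the first two checks above (consistent ratings, evaluation built from the latest asset list); the third check, that the right people contributed, remains a matter of judgement.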
Step 4: Share the asset evaluation sheet
The asset evaluation sheet should be shared with the team responsible for performing service security risk assessments, as well as your organisation’s information security team. Those responsible for managing service delivery risks and deciding on appropriate security controls should also be made aware of the elements that are relevant to them.
Your Chief Information Security Officer (CISO) and security advisors within your organisation may also need an understanding of the importance of assets to your service to support strategic planning.