5.2 Identify Assets and Relative Priorities
Asset identification is the first activity in each knowledge elicitation workshop. During this activity, participants focus on the information-related assets they use in their jobs. From our experience of watching people learn how to perform the evaluation, we have singled out asset identification as a critical success factor for analysis teams. If you collect good information about assets in this activity, you lay the foundation for a successful and meaningful evaluation.
We call OCTAVE an asset-driven evaluation because assets are used to focus all subsequent activities. Assets guide the selection of devices and components to evaluate in phase 2, and the risk mitigation plans that you develop in phase 3 focus on protecting your organization's most critical assets. So it's important to get this activity right and gather as much meaningful information about assets as you can. If you allow participants to identify assets that are too broad or assets not relevant to information security, you will have trouble with later activities and will have to revisit this important activity.
What Is an Asset?
Before we explore how to conduct step 1, we need to define what we mean by the term "asset." An asset is something of value to the enterprise [Hutt 95]. In general, information technology assets combine logical and physical assets and can be grouped into the following categories:
An information security risk evaluation must focus on an organization's information-related assets. Note that each asset category is linked to information in some way. To differentiate between these types of assets and others that might be important to an organization, we refer to assets in the above categories as "information-related assets." Table 5-2 describes additional considerations for each category.
Note that the asset categories are contextual for any organization and must be defined in order for a meaningful evaluation to be conducted. You can tailor the list by adding or deleting categories to meet your organization's needs.
Step 1: Brainstorm a List of Assets
To conduct step 1, ask the participants to think about assets that they use in their jobs. Recall the five categories of assets that you are considering (information, systems, software, hardware, and people). You are trying to get the participants to identify assets that they use to help the organization meet its mission and business objectives. You start asset identification by specifically asking the participants the following question: What are your important assets?
As the participants are brainstorming assets that they use, you might find it necessary to focus the conversation. Consider using the following types of follow-up questions:
Remember that the point of this activity is for the participants to identify assets that they use to help the organization meet its mission and business objectives. Some facilitators might be tempted to start by explicitly identifying the mission of the organization and using that as a common reference point for the participants. However, this could also lead to confusion among the participants.
For example, think about a knowledge elicitation workshop with the information technology staff at MedSite. From their perspective, the mission of MedSite is to deliver quality health care to patients. If you start by identifying the organization's mission, you might bias the IT staff members' views of assets. They would likely identify assets such as patient-identifiable information and medical records. However, this is not the information with which they work on a daily basis. They maintain the infrastructure that enables doctors and nurses to work with patient-identifiable information and medical records. Thus, you would want them to identify specific assets that are related to their work on the infrastructure.
The lead facilitator must play an active role in helping participants identify assets. For example, when a participant identifies a system as an asset, what is the asset that is really being identified? Is the information on the system the asset? Is an application or service on the system the asset?
Assets that are identified should be unique, specific, meaningful, and related to information technology in some way. A common pitfall is that participants will identify assets that have no relation to information or information technology, for example, a business process, a piece of physical equipment, or facility that has no link to the organization's computing infrastructure (e.g., the building that houses the organization).
A second pitfall is identifying assets that are too general in nature. For example, participants often start off by saying, "Our systems and our people are our two most important assets." To which systems and which people are they referring? How do those assets relate to information security? The facilitator must always keep the group focused on information-related assets.
Let's examine what the senior managers at MedSite identified as their important assets. At MedSite, the senior managers had a lively discussion about assets. Figure 5-2 shows the assets that were recorded by the scribe. The asterisk (*) by an asset indicates that the managers identified it as an important asset. (See step 2 of this activity for more details on important assets.)
Table 5-3 provides additional context about the senior managers' assets. The managers focused on assets that they use. Items such as provider credentials and the financial system, FRKS, were not identified by other groups, because they are uniquely important to senior managers. Appendix A summarizes all assets identified during processes 1 to 3. As you review that appendix, take a look at the assets identified by each organizational level for similarities and differences.
At this point in processes 1 to 3 the participants will have identified a number of assets that they use on a regular basis.
Step 2: Select Important Assets
In this step the participants select the assets they consider most important. We recommend limiting the number of assets that participants can select to five. If too many assets are carried forward, later analysis activities can become more time-consuming and difficult. Requiring participants to select important assets also provides you with insight into the participants' perspectives that you might not otherwise have had.
Ask the participants to consider the following questions:
Document the important assets and the rationale for their selection.
The senior managers at MedSite selected their important assets. An asterisk (*) by an asset in Figure 5-2 denotes that it is important. Note that the senior managers selected only four important assets. Figure 5-3 shows the managers' rationale for selecting the important assets.
This step concludes the first activity of processes 1 to 3. In the next activity you will identify scenarios that describe how participants believe their important assets are being threatened.