5.2 Identify Assets and Relative Priorities

Asset identification is the first activity in each knowledge elicitation workshop. During this activity, participants focus on the information-related assets they use in their jobs. From our experience of watching people learn how to perform the evaluation, we have singled out asset identification as a critical success factor for analysis teams. If you collect good information about assets in this activity, you lay the foundation for a successful and meaningful evaluation.

We call OCTAVE an asset-driven evaluation because assets are used to focus all subsequent activities. Assets guide the selection of devices and components to evaluate in phase 2, and the risk mitigation plans that you develop in phase 3 focus on protecting your organization's most critical assets. So it's important to get this activity right and gather as much meaningful information about assets as you can. If you allow participants to identify assets that are too broad or assets not relevant to information security, you will have trouble with later activities and will have to revisit this important activity.

What Is an Asset?

Before we explore how to conduct step 1, we need to define what we mean by the term "asset." An asset is something of value to the enterprise [Hutt 95]. In general, information technology assets combine logical and physical assets and can be grouped into the following categories:^[1]

^[1] This list was created using information in the following references: [Fites 89], [BSI 95], [Hutt 95], and [Caelli 91].

• Information— documented (paper or electronic) data or intellectual property used to meet the mission of an organization

• Systems— information systems that process and store information (systems being a combination of information, software, and hardware assets and any host, client, or server being considered a system)

• Software— software applications and services—such as operating systems, database applications, networking software, office applications, custom applications, etc.—that process, store, or transmit information

• Hardware— information technology physical devices—such as workstations, servers, etc.—that normally focus solely on the replacement costs for physical devices

• People— the people in an organization who possess unique skills, knowledge, and experience that are difficult to replace

An information security risk evaluation must focus on an organization's information-related assets. Note that each asset category is linked to information in some way. To differentiate between these types of assets and others that might be important to an organization, we refer to assets in the above categories as "information-related assets." Table 5-2 describes additional considerations for each category.

Table 5-2. Considerations for Asset Categories

Asset Category	Considerations
Systems	Systems assets constitute the broadest of the asset categories, representing a grouping of information, software, and hardware assets. Most people think of a system as a whole; they don't break it down into its components. Because of this, systems assets are often identified during an information security risk evaluation.
Information	Information assets are intangible in nature and are closely linked to systems assets. Systems store, process, and transmit the critical information that drives organizations. Thus, when an organization creates strategies and plans to protect its systems assets, it is also protecting its critical information (as well as its software and hardware assets). Don't forget that some information assets are represented physically (on paper, fiche, etc.).
Software	When people identify software assets, you should try to determine whether they mean software applications or services or are actually referring to systems. For example, when someone identifies a software application, such as a database application, you should determine whether he or she believes that the software or the database system is the important asset. In many cases the person will be looking at the asset more broadly and will be referring to the database system (which includes the information). In another example, the participants might identify office automation software (word-processing applications, spreadsheet applications, etc.) as assets. Here, they are likely to be referring to the applications, not to systems.
Hardware	When people identify hardware assets, you should try to determine whether they mean physical hardware or are actually referring to systems. For example, if some one identified personal computers as an asset, you should determine whether he or she believes that the PC hardware or the PC host (system) is the important asset. Often the person will be referring to the PC as a systems asset.
People	People assets are a special case. When people are identified, it is because of some special skill that they have or because of a service that they provide. When people are identified as assets, determine whether there are related assets that may be more appropriate to identify. For example, identify a key system that they use or a type of information that they provide for others to use.

Note that the asset categories are contextual for any organization and must be defined in order for a meaningful evaluation to be conducted. You can tailor the list by adding or deleting categories to meet your organization's needs.

Step 1: Brainstorm a List of Assets

To conduct step 1, ask the participants to think about assets that they use in their jobs. Recall the five categories of assets that you are considering (information, systems, software, hardware, and people). You are trying to get the participants to identify assets that they use to help the organization meet its mission and business objectives. You start asset identification by specifically asking the participants the following question: What are your important assets?

As the participants are brainstorming assets that they use, you might find it necessary to focus the conversation. Consider using the following types of follow-up questions:

• Are there any other assets that you are required to protect (e.g., by law or regulation)?

• What related assets are important?

• What about _____________ makes it an asset?

• Have you considered your entire organization? What other assets do you use?

Remember that the point of this activity is for the participants to identify assets that they use to help the organization meet its mission and business objectives. Some facilitators might be tempted to start by explicitly identifying the mission of the organization and using that as a common reference point for the participants. However, this could also lead to confusion among the participants.

For example, think about a knowledge elicitation workshop with the information technology staff at MedSite. From their perspective, the mission of MedSite is to deliver quality health care to patients. If you start by identifying the organization's mission, you might bias the IT staff members' views of assets. They would likely identify assets such as patient-identifiable information and medical records. However, this is not the information with which they work on a daily basis. They maintain the infrastructure that enables doctors and nurses to work with patient-identifiable information and medical records. Thus, you would want them to identify specific assets that are related to their work on the infrastructure.

The lead facilitator must play an active role in helping participants identify assets. For example, when a participant identifies a system as an asset, what is the asset that is really being identified? Is the information on the system the asset? Is an application or service on the system the asset?

Assets that are identified should be unique, specific, meaningful, and related to information technology in some way. A common pitfall is that participants will identify assets that have no relation to information or information technology, for example, a business process, a piece of physical equipment, or facility that has no link to the organization's computing infrastructure (e.g., the building that houses the organization).

A second pitfall is identifying assets that are too general in nature. For example, participants often start off by saying, "Our systems and our people are our two most important assets." To which systems and which people are they referring? How do those assets relate to information security? The facilitator must always keep the group focused on information-related assets.

Let's examine what the senior managers at MedSite identified as their important assets. At MedSite, the senior managers had a lively discussion about assets. Figure 5-2 shows the assets that were recorded by the scribe. The asterisk (*) by an asset indicates that the managers identified it as an important asset. (See step 2 of this activity for more details on important assets.)

Table 5-3 provides additional context about the senior managers' assets. The managers focused on assets that they use. Items such as provider credentials and the financial system, FRKS, were not identified by other groups, because they are uniquely important to senior managers. Appendix A summarizes all assets identified during processes 1 to 3. As you review that appendix, take a look at the assets identified by each organizational level for similarities and differences.

Table 5-3. Description of Senior Management Assets

Asset	Description
Patient information data system (PIDS)	PIDS is a database containing most of the important patient information at MedSite. Role-based access (e.g., appointment scheduler, pharmacist, lab technicians, providers) is required to access PIDS. ABC Systems, an IT contracting organization, maintains PIDS for MedSite.
Paper medical records	Complete patient records are recorded on paper. If a record is lost, there's no way to re-create it. Patients can hand-carry their paper medical records within the facility.
Email	MedSite's email system is a standard system. Email is used extensively by all staff members at MedSite. It most likely contains some sensitive information (e.g., patient information, financial information, personal information).
Providers' credentials	These are the credentials of MedSite's medical personnel.
Internet connectivity	MedSite's staff members access research and medical sites on the Internet as part of their day-to-day tasks. The link to MedSite's ISP is important for providing access to those sites.
Medical logistics system (MLS)	MLS tracks supplies, property, and equipment. In addition, all orders are entered in this system.
Financial record-keeping (FRKS)	FRKS contains all of the insurance records, billing records, and payment system schedules, as well as related financial information.
Emergency care data system (ECDS)	ECDS is essential to the efficient operation of emergency rooms. It is used to maintain and update patient records and billing related to emergencies, but it is not used to provide patient-related information during emergency care. It is also representative of systems that are linked to PIDS but maintained by the local staff.
Personnel management system	Personnel Management System contains demographics, work histories, assignments, skills, and disciplinary records.

At this point in processes 1 to 3 the participants will have identified a number of assets that they use on a regular basis.

Step 2: Select Important Assets

In this step the participants select the assets they consider most important. We recommend limiting the number of assets that participants can select to five. If too many assets are carried forward, later analysis activities can become more time-consuming and difficult. Requiring participants to select important assets also provides you with insight into the participants' perspectives that you might not otherwise have had.

Ask the participants to consider the following questions:

• From the assets that you have identified, which are the most important?

• What is your rationale for selecting these assets as important?

Document the important assets and the rationale for their selection.

The senior managers at MedSite selected their important assets. An asterisk (*) by an asset in Figure 5-2 denotes that it is important. Note that the senior managers selected only four important assets. Figure 5-3 shows the managers' rationale for selecting the important assets.

This step concludes the first activity of processes 1 to 3. In the next activity you will identify scenarios that describe how participants believe their important assets are being threatened.