1/ Managers/business analysts use the interface in order to:
- define assets and business processes and their intrinsic values;
- classify these assets according to ISO 27005 guidelines.
2/ The application calculates asset values, taking into account:
- the intrinsic value of the asset defined in step 1;
- the values of other assets depending on this asset;
- the values of business processes using the asset.
The concept of an “asset” is derived from ISO 27005.
An asset can be:
- a business process or activity;
- a supporting asset such as a server or a network device.
Hi Marc Chisinevski,
This is a very nice application to manage the assets & inventory. Just now I have installed this application on my machine & it's working fine.
I want more information on asset & business objects in this application. Please provide me help on how to assess the risk after adding the asset & business entries with examples if available.
Once again, thanks a lot for such a good application in open source.
Thanks & Regards
First, please have a look at the class diagram at http://sourceforge.net/projects/assetmng/files/assetmng/v1.0/Logical_View__Class_Diagram.JPG/download.
Then, if you've not already done so, I suggest you refer to annex B of ISO/IEC 27005:2008.
A good approach would be:
1/ start by identifying and classifying your assets:
Business processes and activities:
Processes whose loss or degradation make it impossible to carry out the mission of the organization
Processes that contain secret processes or processes involving proprietary technology
Processes that, if modified, can greatly affect the accomplishment of the organization's mission
Processes that are necessary for the organization to comply with contractual, legal or regulatory
Vital information for the exercise of the organization's mission or business
Personal information, as can be defined specifically in the sense of the national laws regarding privacy
Strategic information required for achieving objectives determined by the strategic orientations
High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost
Supporting assets (IT infrastructure, personnel, Subcontractors / Suppliers / Manufacturers, applications etc.)
2/ Evaluate your assets' intrinsic value, i.e. without taking into account the value of the business processes and other assets that depend on them.
These intrinsic values should then be manually input in the assetmng application.
Possible criteria used to determine an asset’s value:
- replacement or re-creation cost
- value of an organization’s reputation
- costs incurred due to the loss of confidentiality, integrity and availability as the result of an incident
- cost incurred due to repudiation or lack of accountability as the result of an incident
3/ Identify dependencies
The more relevant and numerous the business processes supported by an asset, the greater the value of this asset.
The more relevant and numerous the other assets supported by an asset, the greater the value of this asset.
Using the assetmng application, you can:
- associate business processes with assets and
- define which assets are supported by other assets
- generate and view graphs showing these dependencies
"ISO 27005 example:
if a business process is relying on the integrity of certain data being produced by a programme,
the input data of this programme should be of appropriate reliability.
Moreover, the integrity of information will be dependent on the hardware and software used for its storage and processing.
Also, the hardware will be dependent on the power supply and possibly air conditioning."
The values of assets on which other assets are dependent may be modified in the following way:
- If the values of the dependent assets (e.g. data) are lower or equal to the value of the asset considered (e.g. software), its value remains the same
- If the values of the dependent assets (e.g. data) are greater, then the value of the asset considered (e.g. software) should be increased according to:
  - The degree of dependency
  - The values of the other assets
An organization may have some assets that are available more than once, like copies of software programmes or the same type of computer used in most of the offices. It is important to consider this fact when doing the asset valuation. On one hand, these assets are overlooked easily, therefore care should be taken to identify all of them; on the other hand, they could be used to reduce availability problems.
4/ Once your organisation defines and adopts an algorithm to calculate asset values taking into account dependent business processes and assets (step 3), you can easily modify the graph generation script provided with the application to implement it.
For more details on Incident Impact Assessment and Risk Assessment, please refer to ISO/IEC 27005:2008.
Please do not hesitate to contact me for additional information.
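One possible valuation algorithm for steps 3 and 4 above, which is also the calculation outlined at the top of the page. This is an added example, not part of the thread and not assetmng's own code: the `Node` model, the interpolation rule, the 0-4 scale and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """An asset or business process (constructed model, not assetmng's schema)."""
    intrinsic: float                     # value entered manually in step 2
    # What relies on this node: {dependent name: degree of dependency, 0..1}
    dependents: dict = field(default_factory=dict)

def effective_values(nodes):
    """Return {name: value} with dependency-adjusted values for every node."""
    done, visiting = {}, set()

    def value(name):
        if name in done:
            return done[name]
        if name in visiting:             # a cycle would make the value undefined
            raise ValueError(f"dependency cycle through {name!r}")
        visiting.add(name)
        node = nodes[name]
        best = node.intrinsic
        for dep, degree in node.dependents.items():
            if not 0.0 <= degree <= 1.0:
                raise ValueError(f"degree for {name!r} -> {dep!r} must be in [0, 1]")
            dep_value = value(dep)
            # Lower or equal dependent: unchanged. Greater: raise the value
            # towards the dependent's, in proportion to the degree (assumed rule).
            if dep_value > node.intrinsic:
                best = max(best, node.intrinsic + degree * (dep_value - node.intrinsic))
        visiting.discard(name)
        done[name] = best
        return best

    return {name: value(name) for name in nodes}

# Constructed inventory on a 0-4 scale, following the quoted ISO 27005 chain:
# business process -> data -> hardware -> power supply.
INVENTORY = {
    "payroll_process": Node(4),
    "wiki": Node(1),
    "payroll_data": Node(3, {"payroll_process": 1.0}),
    "db_server": Node(2, {"payroll_data": 0.5, "wiki": 1.0}),
    "ups": Node(1, {"db_server": 1.0}),
}

if __name__ == "__main__":
    for name, v in effective_values(INVENTORY).items():
        print(f"{name:16} {v:.1f}")
```

The UPS ends up valued at 3.0 although its intrinsic value is 1, because everything above it in the chain fails with it; the low-value wiki leaves the server's value unchanged.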
Thanks for the quick reply. I understood the scenario now.
I have some other queries related to this app. I am unable to find the graphs in my admin site. Please guide me on where I can see the graphs. The second one is: can I add other assets like laptops, networking devices, etc.? Right now I am able to add servers only.
You'll just need to add an asset as described on page 10 of Asset_Management_and_Risk_Assessment___Functional_and_Technical_Specifications___plus_Linux_installation.pdf.
For laptops, network devices etc. you should choose "Supporting asset" in the "Asset type" dropdown list.
Graph generation is not integrated in the UI; you'll have to launch the list_assets_and_BPs.py script manually. It generates a graph of servers and assets depending on each server.