
Information Security Assets/Resources

Assets form a hierarchy that must be allocated to a division. Assets must be defined, and should follow a hierarchical classification scheme. The default categories are: Equipment, Information, People, Premises, Suppliers and Technology. Each of these can then be expanded further to allow assets to be grouped together, e.g. ‘Technology’ could be split into ‘Hardware’ and ‘Software’.

Assets should be defined before starting the BIA. This ensures that all activities pick assets from the same list. If an asset is initially missed, it can be added during the BIA. However, only an organisation administrator can add assets at this point.

Creating a New Asset

There are two ways to create a new asset. Either:
  • Click ‘Create New Asset/Resource’ from the resource hierarchy sidebar (Organisation > Assets / Resources)
  • Navigate to the asset type and then click ‘New Child Asset/Resource’. For example, to create a new ‘People’ asset, click ‘People’ within the hierarchy and then select ‘New Child Asset/Resource’ from the sidebar.

Either approach will open the same ‘Assets/Resource form’.

BC Details

There are additional fields which need to be defined when an organisation is using the Abriska business continuity BIA module. Descriptions of each of these additional fields are provided below.

  • Multiple - Selecting 'yes' for this variable will mean that when activities specify that they use this resource, activities will need to indicate how many resources they use. When resources are flagged as ‘Multiple’ they will be highlighted with an asterisk on the hierarchy.
  • Limited - If a resource is flagged as ‘Multiple’, there will be an additional option to flag this resource as ‘Limited’. This implies that there is a restricted number of these resources within the organisation and that getting a replacement or adding to this number would be difficult.
  • Limited Number - If ‘Limited’ is set to 'yes', this allows the number of resources owned by the organisation to be set.
  • Recovery Point Objective (RPO) - This indicates that the resource contains information and any activity using this resource needs to enter the RPO.

Changing a resource from multiple to singular, or vice versa, can cause issues if the BIA has been started. Refer to the following to understand the implications.
  1. Multiple -> Singular: If an activity has already indicated that this resource is used, then a number of resources will have been allocated to this activity. In making this modification, this multiple information will be lost.
  2. Singular -> Multiple: Each activity which has indicated that this resource is used will have been allocated one resource. In making this modification, ………………….

Resource Dependencies

Abriska has been designed to model relationships between resources. If one resource requires another resource in order to be operationally functional, this relationship can be represented within Abriska. As an example, if a web server relies on a database server, this relationship can be represented, and risks that affect the database server will be linked through to the web server. The relationship is one way, so the user only selects the resources that a particular resource requires. In the above example, the database server is independent of the web server and so would not be linked to risks that affect the web server.

To add these relationships, click on ‘View Resource Dependencies’ or ‘View Dependent Resources’ on the resource form. The former option shows all resources that the selected resource depends on, whilst ‘View Dependent Resources’ displays the reverse relationship: resources that are dependent on the selected resource.

Warning: If a resource is unlinked from another resource, this relationship is deleted within the database.

Resource Attributes

If Abriska is being used to conduct ISO 27001 compliant risk assessments, the option will be available to assess resource attributes. These attributes are used to ‘value’ a resource in terms of its ‘Confidentiality, Integrity and Availability’. These values can be defined by clicking ‘Resources’ from the organisation homepage and then clicking ‘View Attributes’. For each attribute that is identified, a value must be defined for each resource that is loaded into Abriska. These values can either be defined directly against the resource, or can be inherited based on the relationships that have been setup within the resource structure.

Resource Attribute Inheritance

Within the diagram above, the ‘Sensitive Document’ depends on the ‘Application’, which depends on the ‘Database’. If a value is specified for Confidentiality, Integrity and Availability for the ‘Sensitive Document’, then the ‘Application’, ‘Database’ and ‘Server’ will inherit these values. To view the status of all of the resources within the organisation, click on ‘Resource Attribute Hierarchy’ within the main resources list.
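
The one-way dependency model from ‘Resource Dependencies’ and the attribute inheritance described above can be sketched as follows. This is an added example, not Abriska's own code: the resource data is constructed, and the 1-5 scale, the rule that a directly defined value takes precedence, and taking the highest value when several resources pass one down are all assumptions.

```python
from collections import defaultdict

# Constructed sample data. REQUIRES maps a resource to the resources it requires.
REQUIRES = {
    "Sensitive Document": ["Application"],
    "Application": ["Database"],
    "Web Server": ["Database"],
    "Database": ["Server"],
    "Server": [],
}
RISKS = {"Database": ["Disk failure"], "Web Server": ["Defacement"]}
# Values defined directly against a resource (1-5 scale is an assumption).
DIRECT = {
    "Sensitive Document": {"C": 5, "I": 4, "A": 2},
    "Web Server": {"C": 1, "I": 3, "A": 5},
}

def requirements_of(resource, requires=REQUIRES):
    """Everything `resource` needs, directly or transitively (cycle-safe)."""
    seen, stack = set(), list(requires.get(resource, []))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(requires.get(current, []))
    return seen

def risks_for(resource, risks=RISKS, requires=REQUIRES):
    """Own risks plus risks linked through from required resources (one way)."""
    linked = set(risks.get(resource, []))
    for dep in requirements_of(resource, requires):
        linked |= set(risks.get(dep, []))
    return linked

def effective_attributes(requires=REQUIRES, direct=DIRECT):
    """Assumed rules: a direct value wins; otherwise take the highest inherited."""
    inherited = defaultdict(dict)
    for source, values in direct.items():
        for dep in requirements_of(source, requires):
            for attr, value in values.items():
                inherited[dep][attr] = max(value, inherited[dep].get(attr, 0))
    return {r: direct.get(r, inherited.get(r, {})) for r in requires}

if __name__ == "__main__":
    for name, values in effective_attributes().items():
        print(f"{name:20} {values or 'NOT VALUED'} risks={sorted(risks_for(name))}")
```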

Deleting a Resource

When a resource is not used by any activities, is not linked to other resources and is not used within a risk assessment, the ‘Delete Resource’ button will appear on the resource form.

Warning: As no linked data will exist for the resource, this delete is a firm delete operation.