Let’s have a look at how to identify and describe the assets that matter
For these assessments your assets are those things that are valuable to you.
<img src="Assets - Money.png" align="center" width="30%" />
They might be:
…or anything else that would cost you or harm you if they were:
- Bricked: deleted, hidden, disabled, denied, destroyed. Leaving your mobile phone in your washing is likely to turn it into an expensive brick.
- Nicked: copied, seen, derived, inferred.
- Tricked: replaced, subverted, deceived.
Think about what each asset is used for, and therefore what the impact on you would be if any of the above happened.
For example, you might have a work mobile phone that you use to reach your customers. If it is bricked then you immediately lose any customer numbers stored on it, and if you call your customers from a different number they will not recognise it as yours. If it is nicked you have the same problem, plus the chance that whoever stole it runs up your bill or starts calling around your customers being a nuisance. It may be tricked by someone spoofing the telephone number and pretending to be you.
Some of these will matter more to you than others.
Here are some ideas to help you create your list; valuable assets might be:
- Research & Development data and activity
- Academic research data
- IP, such as product formulas or blueprints
- Salaries, bonus structures and other sensitive finance
- Client or customer lists and payment structures
- Business goals, strategic plans and marketing tactics
- Political strategies, affiliations and communications
- Military or business intelligence
Just like a school attendance register, your asset register should list the assets that are present.
There will likely be lots of these, so start with the major ones. We have provided a starter [Asset Register](assets/AssetsRegisterGuide.md) to help you; this can look a bit overwhelming at first, but it’s just a list a bit like this:
Asset | Uses | Nicked | Bricked | Tricked |
---|---|---|---|---|
What thing… | …is used by whom to do what? | If it is stolen, what can someone find out from it? | If you can’t use it, what are you also unable to do? | What false information on it might lead to problems? |
…with some drop-down selections to help you grade which impacts are more serious than others.
These grades come from the NIST Risk Framework, so they are reasonably well established, but as usual don’t get too buried in the detail.
Don’t forget that your assets are often supplied by other people, and are often made of various components that have in turn been supplied by yet more people. These
Knowing who uses your assets for what will help you understand:
- What are the consequences of the asset being affected? These will likely be different for different kinds of effect. If you don’t have good security on your mobile then having it stolen could be much worse than running over it with a car.
For each effect (i.e. nick, brick and trick) work out:
Typically you will measure the commercial impact in time or money, but in your case you might want to use other measures such as harm, time, reputation, delays to a goal, and so on.
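As an added example, not part of this guide or its starter Asset Register, here is a small Python script that keeps such a register: for each asset it records what it is used for, the consequence of it being nicked, bricked or tricked, and a grade for each consequence, then orders the assets by their worst grade and renders the same Asset | Uses | Nicked | Bricked | Tricked table shown above. It goes slightly beyond the text by computing a high-water mark per asset so you can see which ones to start with. It assumes the grades are the Low / Moderate / High impact levels of NIST FIPS 199 (the guide only says "the NIST Risk Framework"), and the three asset entries are constructed samples, not anyone's real data.

```python
# Added example (not from the original guide): a minimal asset register that
# grades the nick / brick / trick impact of each asset and renders the guide's
# Asset | Uses | Nicked | Bricked | Tricked table.
# Assumption: grades are the Low / Moderate / High impact levels of NIST FIPS 199.
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact grade for one effect on one asset (FIPS 199 levels, assumed)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Effect:
    """What actually happens to you, and how serious it is."""
    consequence: str
    grade: Impact


@dataclass(frozen=True)
class Asset:
    name: str
    uses: str          # who uses it to do what
    nicked: Effect     # copied, seen, derived, inferred
    bricked: Effect    # deleted, hidden, disabled, denied, destroyed
    tricked: Effect    # replaced, subverted, deceived

    def worst(self) -> Impact:
        """High-water mark: an asset is as important as its worst effect."""
        return max(self.nicked.grade, self.bricked.grade, self.tricked.grade)


def prioritised(register: list[Asset]) -> list[Asset]:
    """Most serious assets first, so you start with the ones that matter."""
    return sorted(register, key=lambda a: (-a.worst(), a.name))


def to_markdown(register: list[Asset]) -> str:
    """Render the register in the same table layout the guide uses."""
    rows = ["Asset | Uses | Nicked | Bricked | Tricked |", "---|---|---|---|---|"]
    for a in prioritised(register):
        cells = [a.name, a.uses] + [
            f"{e.consequence} ({e.grade.name})"
            for e in (a.nicked, a.bricked, a.tricked)
        ]
        rows.append(" | ".join(cells) + " |")
    return "\n".join(rows)


# Constructed sample register (illustrative entries only).
SAMPLE_REGISTER = [
    Asset(
        name="Work mobile phone",
        uses="Sales staff use it to reach customers",
        nicked=Effect("Thief reads customer numbers, runs up the bill, pesters customers", Impact.HIGH),
        bricked=Effect("Customer numbers lost; calls from a new number are not recognised", Impact.MODERATE),
        tricked=Effect("Spoofed number lets someone pretend to be you", Impact.HIGH),
    ),
    Asset(
        name="Customer list",
        uses="Account managers use it for renewals and invoicing",
        nicked=Effect("Competitor learns who you sell to and at what price", Impact.HIGH),
        bricked=Effect("Renewals and invoicing stall until it is rebuilt from email", Impact.MODERATE),
        tricked=Effect("Invoices go to altered addresses or amounts", Impact.HIGH),
    ),
    Asset(
        name="Office coffee machine",
        uses="Everyone, for morale",
        nicked=Effect("Nothing sensitive on it", Impact.LOW),
        bricked=Effect("Grumpy staff for a day", Impact.LOW),
        tricked=Effect("Wrong beans", Impact.LOW),
    ),
]

if __name__ == "__main__":
    print(to_markdown(SAMPLE_REGISTER))
```

Running the script prints the table with the two HIGH assets first; swap the sample entries for your own and the ordering tells you where to spend your attention.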