
650    Chapter 11 • Operational and Organizational Security: Incident Response

                 Other elements of an organization that should be identified as assets are
             furniture, tools, office supplies, and other components of the business. Even
             though these are fairly low-priority items when compared to the others, their
             loss could seriously jeopardize a company.
                 Tagging and inventorying assets allows you to identify what assets are at risk, so
             you can develop plans to protect, recover, and replace them. Tagging assets involves
             putting a numbered sticker or barcode on each asset. The number on each tag should
             then be documented in an asset log. The log should record the tag number, a
             description of the asset, its serial number, and other information relevant to the
             equipment. Not only can this inventory be used to identify risks, it can also be
             used to make insurance claims and replace equipment in the case of a disaster.
                 When identifying assets, the value and importance of each should also be
             determined. Value refers to the actual monetary worth of an item, while importance
             refers to the impact the asset will have on the company if it is lost. Determining
             the value and importance is essential, as it will be used to determine which assets
             require added protection from risks.
                 To calculate value, look at the current depreciated value of assets. Equipment
             and certain other assets drop in value each year they are used, and are less valuable
             the longer they are used. This is the same principle as when purchasing a car. When
             a new car is driven off the lot, it becomes a used vehicle and is less valuable. As the
             years go by, wear and tear on the car depreciate it further. This same principle also
             applies to other assets owned by a company.
                 The cost of replacing an item can also be used to determine the value of an
             asset. When considering critical systems that have been in service for a number of
             years, the depreciated value may have decreased to the point that the asset has no
             value under this calculation. For example, an e-commerce business may have been using
             the same server for the past six years, and the value depreciated by 25 percent per
             year. Does this mean that the Web server has no value to the organization and
             should not be considered in determining objects at risk? No. Because the server is
             vital to business operations, it would need to be replaced immediately if it were
             damaged or destroyed. To determine the value of an asset, the cost of this
             replacement must be determined and used in the calculations.
                 Data is another asset that may be difficult to assess, as it may have no monetary
             value but is essential to the company’s ability to function. While a value could be
             determined based on the cost of having programmers recreate a program from
             scratch and employees reenter the data, this may not provide an accurate
             assessment. For example, the secret recipe for a certain fried chicken could be typed into



          www.syngress.com