
Operational and Organizational Security: Incident Response • Chapter 11  651

                 a single document, making its value seem almost worthless. However, since the
                 entire company is based on the recipe, losing this data could bankrupt the business.
                 For this reason, the importance of an asset must be considered.
                    Determining the importance of an asset is often speculative, and generally
                 involves assigning a weight (sometimes called a metric) to each asset. The weight of
                 the asset is based upon the impact a loss will have on the company. For example,
                 while a network router may have little monetary value, the loss of the router could
                 take out parts of the network, preventing people from doing their work. This makes
                 the weight of importance higher. When creating the inventory of assets, a column is
                 included on the sheet where a value can be assigned based upon the importance of
                 that equipment. This value is on a scale of 1 to 10, with 10 having the highest
                 importance.
                    The information gathered through asset identification can be used in
                 prioritizing which assets should be dealt with first in an incident, and where policies and
                 procedures need to be created. As mentioned above, to calculate value, look at the
                 current depreciated value of the assets. Equipment and certain other assets of
                 importance are also used in other aspects of risk management, as will be seen in the
                 following sections.



                 TEST DAY TIP
                      Assets and risks may come not only in the form of objects, but also in
                      the form of people. Humans are also a resource, and may provide
                      distinctive skill sets. They can also be the cause of major problems, such as
                      theft or malicious damage to equipment and data. When answering
                      questions dealing with risks and assets, do not forget that people are an
                      important component of both topics.




                 Risk Assessment


                 Although you have gathered a considerable amount of data to this point, you will
                 need to analyze this information to determine the probability of a risk occurring,
                 what is affected, and the costs involved with each risk. Assets have different risks
                 associated with them, and you need to correlate different risks with each of the
                 assets inventoried in a company. Some risks will impact all of the assets of a
                 company, such as the risk of a massive fire destroying a building and everything in it,
                 while in other cases, groups of assets will be affected by specific risks.



                                                                              www.syngress.com