Do you know what organizational assets you need to protect? Is it only your IT assets?
Are you unclear where to start?
These are the first questions in developing an asset protection strategy. All that is needed is an understanding
of your business and some time to develop an outline.
RISK MANAGEMENT METHODOLOGY
The Carnegie Mellon Risk Management Methodology (RMM) (which the NCSS CARES questionnaire is based
upon) lists asset definition and management as the first step in a cyber secure business strategy. It is
recommended you identify the organizational assets (people, information, technology, facilities) and assign
responsibility for those assets in order to protect them appropriately.
Once organizational assets are defined, the next step is to define the relationship between these assets and the
high value services they support. This requires establishing a process that examines and validates this relationship
through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets
and high value services. It is important to keep this information up to date and to modify it when circumstances change.
STEP 1: INVENTORY
Inventory – create an inventory of your people – not just your employees, but your suppliers and partners; the data
you need to run your business; the technology assets you need (computers, servers – the entire infrastructure); and
the facilities needed to house and operate your business.
STEP 2: HIGH VALUE SERVICES
Listing of High Value Services – create a list of high value services that keep your business functioning – logistics,
financial, service delivery, assembly, manufacturing. Define the key services you need – those services that,
if lost, delayed or compromised, would impact your business.
STEP 3: MAPPING
Mapping – create a mapping of people, data, technology and facilities to the high value services they support. Define
the relationship between these assets and the high value services. Validate the relationship through periodic reviews.
As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key
personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier
to determine if anything has changed that would affect your service delivery? Leveraging your people to take
responsibility for certain high value services and keeping the critical information current is key to protecting your assets.
STEP 4: INVENTORY PLAN
Inventory Plan – a plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping
exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb – once a year.
STEP 6: CONTINUITY PLAN
Continuity Plan – A sound business strategy includes continuity plans. For all your high value services that depend on
critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets
is compromised. See our “How-to-Guide” to develop a Continuity Plan.
DID YOU KNOW?
THE NUMBER ONE PREVENTION METHOD TO COMBAT RANSOMWARE --- HAVE A BACKUP AND RECOVERY PLAN
Still have questions, need help?
Contact us at our “Ask-an-Expert” service, firstname.lastname@example.org or visit us at the link below.
©2018 National Cybersecurity Society, All Rights Reserved
About The National Cybersecurity Society
The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education,
awareness and advocacy to small businesses. The NCSS provides cybersecurity education tailored to the needs of
the small business owner; helps small businesses assess their cybersecurity risk; distributes threat information to
business owners so that they will be more knowledgeable about the threats facing their business; and provides advice
on the type of services needed to stay safe online.