Rethinking IT Asset Valuation, Risk Assessment and Control Implementation

Author: Shemlse Gebremedhin Kassa, CISA, CEH
Date Published: 20 June 2023

Risk management and evaluation are critical to every enterprise’s strategic planning for information security. Any risk presented, whether by business processes, people, physical infrastructure or information systems, must be assessed. A security risk evaluation should include assessing the asset’s value in order to predict the impact and consequences of any damage. But professionals often face challenges when attempting to give organizations assurance on their asset valuation, risk management and control implementation practices, because no clear, universally accepted models and procedures exist. Fortunately, there are several proposed simple, applicable models herein that professionals can use to measure and manage assets, risk and control implementation in their organizations.

Asset Identification, Valuation and Categorization

Identification, valuation and categorization of information systems assets are critical steps in properly developing and deploying the required security controls for specific IT assets (e.g., data and their containers). Organizations or individuals implementing security for assets with this model must first identify and categorize the organization’s IT assets that need to be protected.

Mapping an information asset (such as data) to all of its critical containers identifies the technology assets, physical records and people that matter for storing, transporting and processing that asset.¹ The map of information assets is then used to determine every information asset that resides on a specific container. In addition, the value of a container depends on the data that are processed and transported (through the network) or stored within that container. Security audits should assess whether the data or information are processed, transferred and stored in a secure manner.²

Risk Assessment and Management

The risk assessment comprises the qualitative assessment and quantitative measurement of individual risk, including the interrelationship of their effects. Risk management constitutes a strategy to avoid losses and to use available opportunities, or rather the opportunities that can arise from risk areas.³ Oftentimes no single strategy can address all IT asset risk areas; rather, a balanced set of strategies usually provides the most effective solution. Once the risk areas are identified, each can be evaluated as acceptable or not. If the risk is acceptable, no further action is required other than communicating and monitoring the risk; if the risk is not acceptable, it must be controlled through four separate options of prevention and/or mitigation measures:

  1. Reduce the impact.
  2. Reduce the likelihood.
  3. Transfer the risk (to insurance or a subcontractor).
  4. Avoid the risk. (Temporarily distancing the target from the threat summarizes the potential impact definitions for the security objectives.)
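An added illustration, not code from the article or the author's model, of the asset-to-container mapping described above and of the acceptable/not-acceptable decision in this section. Everything beyond those two ideas is an assumption: the 1..5 rating scales, risk scored as likelihood times impact, the rule that a container inherits the highest value of the data residing on it, the tolerance threshold and the sample inventory.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the article): information assets rated 1..5
# for value, and the containers (technology, physical records, people) that
# store, transport or process them.
@dataclass
class InfoAsset:
    name: str
    value: int  # 1 = low .. 5 = high, the assessor's rating

@dataclass
class Container:
    name: str
    kind: str  # "technology", "physical" or "people"
    assets: list = field(default_factory=list)

def asset_map(containers):
    """Map each information asset to every container it resides on."""
    mapping = {}
    for c in containers:
        for a in c.assets:
            mapping.setdefault(a.name, []).append(c.name)
    return mapping

def container_value(container):
    """Assumption: a container inherits the highest value of the data on it."""
    return max((a.value for a in container.assets), default=0)

def evaluate(likelihood, impact, tolerance):
    """Assumed scoring: risk = likelihood (1..5) x impact (1..5).
    Returns (score, acceptable); acceptable risk is only communicated and monitored."""
    score = likelihood * impact
    return score, score <= tolerance

def after_treatment(likelihood, impact, tolerance, new_likelihood=None, new_impact=None):
    """Re-evaluate once a reduce-likelihood (option 2) and/or reduce-impact (option 1)
    measure is applied; the caller supplies the expected post-control ratings."""
    l = likelihood if new_likelihood is None else new_likelihood
    i = impact if new_impact is None else new_impact
    return evaluate(l, i, tolerance)

# Sample inventory: customer records live on a database server and in a paper archive.
CUSTOMER = InfoAsset("customer records", 5)
BROCHURE = InfoAsset("marketing brochure", 1)
CONTAINERS = [
    Container("db-server-01", "technology", [CUSTOMER, BROCHURE]),
    Container("paper archive", "physical", [CUSTOMER]),
    Container("web-server-01", "technology", [BROCHURE]),
]
```

With a threat likelihood of 3 and a tolerance of 6, both containers holding the customer records score 15 and need treatment, while the web server holding only the brochure scores 3 and is merely monitored.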

Conclusion

The first step toward information security planning and security control implementation is to manage the risk and valuation of an organization’s IT assets. Objectively measuring concepts such as vulnerability, threat, risk impact, mitigated risk and the implemented controls of an asset can be the most difficult part of the process. This is because subjective judgments made during rating selection (high, medium, low) lack uniformity, and the quality and accuracy of the results depend heavily on the assessors’ professional experience. The models described here can minimize error and introduce uniformity into the activities and process results carried out by different individuals and their organizations.

Editor’s Note

This article is excerpted from an article that was published in the ISACA® Journal. Read the full article, “IT Asset Valuation, Risk Assessment and Control Implementation Model,” in vol. 3, 2017, of the ISACA Journal.

Endnotes

1 Caralli, R. A.; J. F. Stevens; L. R. Young; W. R. Wilson; “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process,” Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, May 2007
2 Olivia, “Difference Between Information System Audit and Information Security Audit,” DifferenceBetween.com, 16 April 2011
3 Foroughi, F., “Information Asset Valuation Method for Information Technology Security Risk Assessment,” Proceedings of the World Congress on Engineering 2008, vol. I

Shemlse Gebremedhin Kassa, CISA, CEH

Is a systems and IT auditor for United Bank S.C. and a security consultant for MASSK Consulting in Ethiopia. He has a multidisciplinary academic and practicum background in business and IT with more than 10 years of experience in accounting, budgeting, auditing, controlling and security consultancy in the banking and financial industries. Kassa is highly motivated and engaged in IT security projects and research, and he strives to update current systems and IT audit developments to keep up with the dynamically changing world and ever-increasing challenge of cybercrimes and hacking. He has published articles in local and international journals including the ISACA Journal.