Asset Identification and System Characterization
Introduction
In its simplest form, an asset identification record need only contain the most basic information. For example, the DB for the Matrix must be stored on a reliable database like PostgreSQL, and this is the first primary instance.
| Hostname | Internal Name | External URL | Data Owner | Data Stored | Project |
|---|---|---|---|---|---|
| PGSQLDBPROD1 | pgsqldbprod1.local | none | tom.anderson | 90's Sim | Matrix v1 |
Asset Identification
However, in practice most organizations will store their asset identification database in another database such as SQLite with a CSV export or, if large enough, Splunk. A complex, process-driven environment that uses a business process relationship tool like SAP may use that for its database, and a Microsoft shop may use SharePoint.
Regardless of the method, the completeness of the Asset Identification and System Characterization is paramount to the success of your Threat Modeling exercise.
Items to consider adding to your Asset Identification database:
- Hostname
- Internal Name (or VPN name)
- External URL if it is supposed to be on the internet
- Owner of the data used in that system
- The project that is responsible for the system that the data is on
System Characterization
The system characterization can live in the same location as your asset identification; however, it is generally good practice to keep the two separate with a common key between them so that you can look the host up. A primary key such as the hostname is typically a good starting point. The system characterization is influenced by both criticality to business processing and sensitivity to the business.
Criticality is typically thought of as "What would happen if this suddenly didn't exist anymore?", a placeholder for a cataclysmic event ranging from a hurricane to a cyber attack, or in terse terms the "value" to the organization.
Further, sensitivity includes elements such as trade secrets, financial records, human resources records, and not least customer sales records. This sensitivity should take into consideration the value to an attacker as well as what the impact would be to the business if this information should become for sale on a secondary market. Common characterizations include "Sensitive", "Confidential", "Highly Confidential", and "Restricted", while impact values may include "Low", "Medium", "High", and "Critical", taking into account what would happen to business operations if that system or cluster were to become unavailable.
In addition, when building a new system, it is best to take that opportunity to populate a contact record for the system alongside its characterization.
| Hostname | Location | Bus. Contact | Data Owner | Compliance Cont. | EU | Class |
|---|---|---|---|---|---|---|
| PGSQLDBPROD1 | LOC 22 | a.smith | mach80312 | mach051247 | N | R/C |
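
An added example, not part of the original page: one way to keep asset identification and system characterization in separate SQLite tables that share the hostname as the common key, then list hosts that have an asset record but no characterization and export the joined view as CSV. The table names, the snake_case column names and the PGSQLDBPROD2 row are assumptions constructed for illustration.

```python
import csv, io, sqlite3

# Table names are assumptions; columns follow the two tables on this page.
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE asset (
    hostname TEXT PRIMARY KEY, internal_name TEXT NOT NULL,
    external_url TEXT,  -- NULL when the host is not supposed to be on the internet
    data_owner TEXT NOT NULL, data_stored TEXT, project TEXT NOT NULL);
CREATE TABLE characterization (
    hostname TEXT PRIMARY KEY REFERENCES asset(hostname),  -- the common key
    location TEXT, business_contact TEXT, data_owner TEXT,
    compliance_contact TEXT, eu TEXT, class TEXT NOT NULL);
"""

def build_inventory():
    """In-memory inventory: the page's sample host plus one constructed host."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO asset VALUES (?,?,?,?,?,?)", [
        ("PGSQLDBPROD1", "pgsqldbprod1.local", None, "tom.anderson", "90's Sim", "Matrix v1"),
        # Constructed row: a host that was never characterized.
        ("PGSQLDBPROD2", "pgsqldbprod2.local", None, "tom.anderson", "90's Sim", "Matrix v1"),
    ])
    db.execute("INSERT INTO characterization VALUES (?,?,?,?,?,?,?)",
               ("PGSQLDBPROD1", "LOC 22", "a.smith", "mach80312", "mach051247", "N", "R/C"))
    return db

def uncharacterized(db):
    """Hosts with an asset record but no characterization: gaps in the threat model."""
    rows = db.execute(
        "SELECT a.hostname FROM asset a LEFT JOIN characterization c "
        "ON c.hostname = a.hostname WHERE c.hostname IS NULL ORDER BY a.hostname")
    return [r[0] for r in rows]

def export_csv(db):
    """Join both tables on hostname and return the result as CSV text."""
    rows = db.execute(
        "SELECT a.hostname, a.project, a.data_owner, c.location, c.class "
        "FROM asset a LEFT JOIN characterization c ON c.hostname = a.hostname "
        "ORDER BY a.hostname")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["hostname", "project", "data_owner", "location", "class"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    inventory = build_inventory()
    print("Uncharacterized:", uncharacterized(inventory), export_csv(inventory), sep="\n")
```

The foreign key also rejects a characterization row for a hostname that has no asset record, so the two tables cannot drift apart in that direction.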