Read the book (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple - Page 86

Asset Valuation

An asset-based or asset-initiated risk analysis starts with inventorying all organizational assets. Once that inventory is complete, a valuation needs to be assigned to each asset. The evaluation or appraisal of each asset helps establish its importance or criticality to the business operations. If an asset has no value, there is no need to provide protection for it. A primary goal of risk analysis is to ensure that only cost-effective safeguards are deployed. It makes no sense to spend $100,000 protecting an asset that is worth only $1,000. Therefore, the value of an asset directly affects and guides the level of safeguards and security deployed to protect it. As a rule, the annual costs of safeguards should not exceed the potential annual cost of asset value loss.

When the cost of an asset is evaluated, there are many aspects to consider. The goal of asset valuation is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones. Determining an exact value of an asset is often difficult if not impossible, but nevertheless, a specific value must be established in order to perform quantitative mathematical calculations. (Note that the discussion of qualitative versus quantitative risk analysis later in this chapter may clarify this issue; see the “Risk Assessment/Analysis” section.) Improperly assigning value to assets can result in failing to properly protect an asset or implementing financially infeasible safeguards. The following list includes tangible and intangible issues that contribute to the valuation of assets:

 Purchase cost

 Development cost

 Administrative or management cost

 Maintenance or upkeep cost

 Cost in acquiring asset

 Cost to protect or sustain asset

 Value to owners and users

 Value to competitors

 Intellectual property or equity value

 Market valuation (sustainable price)

 Replacement cost

 Productivity enhancement or degradation

 Operational costs of asset presence and loss

 Liability of asset loss

 Usefulness

 Relationship to research and development

Assigning or determining the value of assets to an organization can fulfill numerous requirements by

 Serving as the foundation for performing a cost/benefit analysis of asset protection when performing safeguard selection

 Serving as a means for evaluating the cost-effectiveness of safeguards and countermeasures

 Providing values for insurance purposes and establishing an overall net worth or net value for the organization

 Helping senior management understand exactly what is at risk within the organization

 Preventing negligence of due care/due diligence and encouraging compliance with legal requirements, industry regulations, and internal security policies

If a threat-based or threat-initiated risk analysis is being performed, then asset valuation takes place after the organization inventories threats and identifies the assets vulnerable to those threats.
