Feature - Asset Parent / Child definition

When you create an asset you do so for the purpose of documenting:

  • a risk (asset risk or third party risk)
  • data flow analysis

related, but not mandatory:

  • account review
  • compliance analysis
  • incidents

Assets obviously relate to other assets: a laptop has software and software handles data. There you go, three assets. In the scope of the features mentioned above, the relationship of these assets can be used to implicitly say that if the parent asset is affected then the child assets are or might be affected too.

This was highlighted before by a German guy (@shuzhe.yang) but unfortunately I cannot find the post. Maybe he can! This topic was raised to me by @mario.walter too, but more in the form of a bug.

If we allowed users to define parent/child relationships between assets (which is complicated to keep updated in my opinion and, unless we find a very good user interface, hard to visualise), how would we use that in eramba for the benefit of the features in scope:

mandatory:

  • a risk (asset risk or third party risk)

I create a risk and select an asset that has a parent or a child; eramba warns and allows you to “click” on the modal, where another modal opens and you can see those relationships and decide whether you add the other items to the risk or not?

  • data flow analysis

I have a “Data asset” which I want to analyse in terms of data flows. Same as before, eramba will inform me that there are related relationships?

We are open to doing this but I want to visualise the long picture, not just relating assets so we can see that relationship. In eramba we are cautious of making the software complicated to use (which it already is) without a very clear application.

1 Like

I’ve been working on solving this with the current “flat” related assets feature this week with a more complex client that has a number of things going on. What I’m finding is that there’s a need to have different asset models depending on what the asset is due to how relationships are configured across the other modules.

For example - if I am trying to represent a client’s SaaS application that they sell (and, if they have several that they sell), there can be many components that make up each - it can relate a Host/OS/Infrastructure environment (i.e. Linux servers, Windows servers, containers, etc.), a database environment (RDS database, SQL Server, etc.), users of the application (important to be able to link to account reviews), customer data assets (customer data in the application), offices that work on the application, internal data assets (source code), then each of those components can also have users (i.e. database users, infrastructure users, etc.).

Each of those components may relate to third parties, but currently those can’t be directly linked (i.e. RDS database for Application 1 can’t link to AWS as a related third party → have to then link via a third party risk).

Some of the use cases for this model would be to assist a helpdesk in determining the correct approver for user access to a particular asset. For example, if they know that the request is related to application 1, they can drill down and see that Infrastructure requires approver A, while application access requires approver B.

Of course, this is only one asset model that can be represented - there’s no shortage of other scenarios that can be built out for other asset “classes”.