Question - How can we manage secondary assets in Eramba

Hello,

I am trying to create a central repository of information assets and group them into Primary Assets and Secondary Assets (i.e. related infrastructure, services, libraries etc.) in Eramba. I would like to classify only the Primary assets and not the Secondary ones. Is there any alternative workflow in place inside Eramba for Secondary Assets? I mean I don’t want to enroll them following the normal flow of asset identification (e.g. filling out the classification level, ownership, users etc.) but just some minor information such as asset name, asset description, asset category and location. Does Eramba already provide a solution for this?

Thanks.

Ejona

Hi,

I understand your problem. 😀
I have a similar problem with managing primary assets in Eramba.
Currently, I keep a register of information assets in one heap which is not very convenient.
According to the guidance of ISO 27005, it is recommended to divide assets according to the following scheme:
B.1 Examples of asset identification
B.1.1 General
To perform asset valuation, an organization first needs to identify its assets (at an appropriate level of detail). Two kinds of assets can be distinguished:
the primary assets:
— business processes and activities;
— information;

the supporting assets (on which the primary elements of the scope rely) of all types:
— hardware;
— software;
— network;
— personnel;
— site;
— organization’s structure.


eramba is not an inventory tool, please do not use eramba for that! There are far better tools for that purpose, please read: Risk Management - Google Docs

In particular:

The only reason assets are documented in eramba is to provide context to risks related to them. How you classify them is a personal decision; for that you can use the asset module “classification” options OR custom fields.

If you define a classification you will need to apply whatever that classification is (using classifications or custom fields) to all items on the section, there is no “conditional” … apply this classification options to certain assets and not to other assets.

It seems to me reading this that custom fields will most likely be the best way of action in eramba!


Hi,

What would be your suggestion for GDPR data assets in different business units, where asset names might be duplicated and need to be associated with a Risk afterwards?

For example, the HR and IT Business Units have the same data asset and it needs to be associated with a Risk.

Assets like those listed, such as software, servers and laptops, might have other risks too. We need to associate them with a risk eventually.

Hi,

Do not get carried away with excessive detail of assets; if they are all subject to the same type of threats, group them into one object.
Also group the business functions.

Agreed, we recommend keeping things simple by grouping asset (or as mentioned anything else including BU, control, etc.) class.

The only reason an asset is documented in eramba is because a risk will be linked to it. So documenting assets that won't have risks associated is probably an indication that work is put on something that won't yield.

The other day I watched a documentary about a solo sailor that did many circumnavigations in a simple boat, he brilliantly mentioned: it is very easy to build something complex, it is very difficult to build something simple.

We strongly believe that in eramba… too much idealisation with very little yield!

Hi,

Agreed, but what if we have hundreds of business units because we are a large organization?

We can say that our entities are the business units, which sites and locations all around the world.

We also need to associate those assets with the business units. How can we make it happen?

For example, in 1 country we have 3 sites and each site will have a group asset. How can we simplify and group the assets that are associated with more than 10 business units? We have servers, laptops, and employee data or software being used by 100 business units that we cover.

Can you give me some ideas?

I’m not sure the size of the company changes the objective much. A laptop has risks (stolen, lost, etc.), the laptops are the same in a large or small organisation. Not sure I would let size intimidate a simpler approach.

Bear in mind eramba has no clue about “geographies”, BUs are business units that go or not across borders. Human Resources in an organisation is one organisation no matter if the organisation operates in 10 countries, I’m assuming they all use similar assets and processes otherwise they probably are different BUs.

Sales in my company is the same in the UK or US. If an organisation has for some reason a geographical importance, create a BU per geography. Sales-UK, Sales-USA … now I'm not sure that will fly to be honest.

I might not understand your question, but a laptop is a laptop no matter if the user is in Sales, HR or is a C-Level or if he/she sits in India or Australia. In that case you create the asset laptop and associate it to all BUs that use a laptop (presumably all).

At some point I think you should consider purchasing consulting services!