We have an application inventory outside eramba. Maybe once or twice a week there are changes to the list.
New applications are coming in, others are deleted.
How do you best ensure that eramba is showing the right asset inventory?
When a system developer adds a new application to the inventory list he has to make a risk assessment of that application right away, therefore we need to have this application showing up in eramba.
How do you do that?
(PS: I have the same “problem” with the process list outside eramba.)
eramba's “asset identification” module is not meant to be used as an asset inventory; for that purpose there are other tools which do a wonderful job (you seem to have one of those).
refer to this piece of the risk management doc: https://docs.google.com/document/d/1hZ-IVSkad_ohaFcxrM-qN2hDxUrhdHvUX17H4HzRih8/edit#heading=h.3scnhhg7hzni
if you still want to keep a sync (you are eventually duplicating a database, something I can't really recommend) then you will need to use APIs to keep those two in sync… not sure it is worth the effort?
we had in mind a module to keep track of app security aspects such as vulnerability scans, patching, etc. but never really got to do it as other priorities ruined our hopes… (our every second day here at eramba)
I am afraid we need to make some kind of API. We need at least to be able to show assets that are linked to processes. It should be all the assets (when not linked to a process, why then have the asset at all?).
We need to report what assets are linked to high-risk processes, and in reverse what processes are linked to high-risk assets.
@sge I’ve always taken the approach of creating asset classes. By enumerating the classes of assets within the environment it enables threat modeling and uses a process of decomposition to logically identify groups of assets which share a common threat profile.
bear in mind processes are not linked to anything except business risks, so what can be done is:
- assets link to business units, not processes (I recommend asset groups as stated above rather than individual assets)
- risks link to assets (asset risk management) and from that relationship you can derive what business has what risk and what asset
Doc for risk mgt:
The API connectivity can be done, it's just a bit of software!
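To make the relationships in the reply above concrete, here is an added example (mine, not eramba's code or schema) that joins the three links described: assets belong to business units, risks link to assets, and processes link only to business risks. From that it derives the report the question asks for in the only form the model supports: which business unit carries which risk through which asset, and which assets sit above a risk-score threshold. The record shapes, field names and the sample data are all constructed assumptions.

```python
"""Derive 'which business unit has which risk, through which asset' from the
three relationships described in the reply:
  - assets belong to business units (not to processes)
  - risks are linked to assets (asset risk management)
  - business processes link only to business risks
All records below are constructed sample data; the field names are assumptions,
not eramba's own schema or API output."""
from collections import defaultdict

# Constructed sample inventory: asset id -> fields (assumed shape).
ASSETS = {
    "AST-1": {"name": "Payroll DB", "business_unit": "Finance"},
    "AST-2": {"name": "HR Portal", "business_unit": "HR"},
    "AST-3": {"name": "Build Server", "business_unit": "Engineering"},
}

# Constructed asset risks: each risk carries a score and the assets it applies to.
# R-3 also references AST-9, which is no longer in the inventory; the joins
# below must skip such dangling references rather than crash or mis-attribute.
ASSET_RISKS = [
    {"risk": "R-1", "score": 20, "assets": ["AST-1"]},
    {"risk": "R-2", "score": 8, "assets": ["AST-2", "AST-3"]},
    {"risk": "R-3", "score": 15, "assets": ["AST-3", "AST-9"]},
]


def assets_at_or_above(threshold, assets=ASSETS, risks=ASSET_RISKS):
    """Asset ids that carry at least one risk scoring >= threshold
    ('high-risk assets'), restricted to assets that still exist."""
    hits = {
        asset_id
        for risk in risks
        if risk["score"] >= threshold
        for asset_id in risk["assets"]
        if asset_id in assets
    }
    return sorted(hits)


def business_unit_exposure(assets=ASSETS, risks=ASSET_RISKS):
    """Join risk -> asset -> business unit and summarise per business unit:
    the highest risk score, the risks involved and the assets that carry them."""
    exposure = defaultdict(lambda: {"max_score": 0, "risks": set(), "assets": set()})
    for risk in risks:
        for asset_id in risk["assets"]:
            asset = assets.get(asset_id)
            if asset is None:  # dangling reference: risk points at a removed asset
                continue
            unit = exposure[asset["business_unit"]]
            unit["max_score"] = max(unit["max_score"], risk["score"])
            unit["risks"].add(risk["risk"])
            unit["assets"].add(asset_id)
    # Freeze sets into sorted lists so the report is deterministic.
    return {
        name: {
            "max_score": data["max_score"],
            "risks": sorted(data["risks"]),
            "assets": sorted(data["assets"]),
        }
        for name, data in exposure.items()
    }


def dangling_risk_references(assets=ASSETS, risks=ASSET_RISKS):
    """Risks that point at assets missing from the inventory; this is the
    list to review after applications are deleted upstream."""
    return sorted(
        (risk["risk"], asset_id)
        for risk in risks
        for asset_id in risk["assets"]
        if asset_id not in assets
    )


if __name__ == "__main__":
    for unit, data in sorted(business_unit_exposure().items()):
        print(unit, data)
    print("high-risk assets (>=15):", assets_at_or_above(15))
    print("dangling:", dangling_risk_references())
```

The reverse question in the original post (processes linked to high-risk assets) cannot be answered from this model, because nothing links a process to an asset; the closest available pivot is the business unit, which is what the summary groups by.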
New user to Eramba, looking for additional guidance on the subject of assets within Eramba. Outside of sge's requirements, how are other folks classifying and/or adding assets to Eramba? I am not looking for Eramba to be a complete asset list, so I am curious how long-time users are doing this. Per matthew.dovie’s comment/image, what “layers or classes” are folks using?
We have the same issue and have decided to link to business applications.
We sync these currently through webhook and API add/update requests to ServiceNow, which is the source of truth for asset (business application) information.
We are also thinking that where a high-level infrastructure asset is associated with an ITGC, then we create a generic asset.
Looking for further comments.
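Both the earlier reply ("you will need to use APIs to keep those two in sync") and the post above (webhook and API add/update requests from the system of record) describe the same job: reconciling an external inventory against the asset records in eramba. The following is an added example of that reconciliation, written by me for this thread and not taken from eramba or ServiceNow. It keys records on an external identifier (assumed to be stored on the eramba side, for instance in a custom field, so renames still match), emits creates and updates ready to apply, and deliberately never applies deletions automatically: an application that vanishes upstream may still have risks assessed against it, so those go to a review queue. The record shapes, the `external_id` field, the webhook event format and the `create`/`update` callables are all assumptions; in a real job the callables would wrap HTTP calls to the GRC tool's API.

```python
"""Reconcile an external application inventory (the source of truth) against the
asset records currently held in eramba, in both batch and webhook-driven form.
Everything here is constructed: the record shapes, the `external_id` key, the
webhook event format and the create/update callables are assumptions, not
eramba's or ServiceNow's API."""
from dataclasses import dataclass, field

# Fields we mirror from the inventory; anything else upstream is ignored.
TRACKED_FIELDS = ("name", "business_unit", "owner")


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    delete_for_review: list = field(default_factory=list)  # never auto-applied
    unchanged: int = 0


def reconcile(source, current):
    """source:  {external_id: fields} exported from the inventory.
    current: {external_id: fields} as stored on the GRC side.
    Returns a SyncPlan; the function is idempotent, so re-running it after the
    plan is applied yields only 'unchanged' counts and pending deletions."""
    plan = SyncPlan()
    for ext_id, src in source.items():
        cur = current.get(ext_id)
        if cur is None:
            plan.create.append({"external_id": ext_id, **{k: src.get(k) for k in TRACKED_FIELDS}})
            continue
        changed = {k: src.get(k) for k in TRACKED_FIELDS if src.get(k) != cur.get(k)}
        if changed:
            plan.update.append({"external_id": ext_id, "changes": changed})
        else:
            plan.unchanged += 1
    # Present on the GRC side but gone upstream: queue for a human decision.
    for ext_id in sorted(current.keys() - source.keys()):
        plan.delete_for_review.append(ext_id)
    return plan


def apply_plan(plan, create, update):
    """Apply creates and updates through caller-supplied callables (assumed to
    wrap API calls). Deletions are reported, not executed."""
    for rec in plan.create:
        create(rec)
    for rec in plan.update:
        update(rec["external_id"], rec["changes"])
    return {
        "created": len(plan.create),
        "updated": len(plan.update),
        "pending_review": len(plan.delete_for_review),
    }


def handle_webhook(event, current):
    """Incremental path. A webhook carrying one changed record (assumed shape:
    {"action": "inserted"|"updated"|"deleted", "external_id": ..., "record": {...}})
    is treated as a one-item inventory so the batch rules apply unchanged;
    a 'deleted' event still only queues the asset for review."""
    ext_id = event["external_id"]
    if event["action"] == "deleted":
        plan = SyncPlan()
        if ext_id in current:
            plan.delete_for_review.append(ext_id)
        return plan
    scoped_current = {k: v for k, v in current.items() if k == ext_id}
    return reconcile({ext_id: event["record"]}, scoped_current)


# Constructed sample data: one unchanged, one edited, one new, one removed upstream.
SOURCE_INVENTORY = {
    "APP-100": {"name": "Payroll", "business_unit": "Finance", "owner": "j.doe"},
    "APP-101": {"name": "HR Portal", "business_unit": "HR", "owner": "a.smith"},
    "APP-102": {"name": "Build Server", "business_unit": "Engineering", "owner": "c.lee"},
}
ERAMBA_ASSETS = {
    "APP-100": {"name": "Payroll", "business_unit": "Finance", "owner": "j.doe"},
    "APP-101": {"name": "HR Portal", "business_unit": "HR", "owner": "b.jones"},
    "APP-099": {"name": "Legacy CRM", "business_unit": "Sales", "owner": "m.ng"},
}


def demo():
    """Run one batch reconciliation with recording callables instead of API calls."""
    plan = reconcile(SOURCE_INVENTORY, ERAMBA_ASSETS)
    created, updated = [], []
    counts = apply_plan(plan, created.append, lambda i, c: updated.append((i, c)))
    return plan, counts


if __name__ == "__main__":
    plan, counts = demo()
    print(counts)
    print("needs review before deletion:", plan.delete_for_review)
```

The split between applied changes and a review queue is the part worth keeping even if the rest is replaced: it turns the "automated sync" into a reconciliation report that a one-person GRC function can act on weekly, which is closer to how the inventory in the original question actually changes.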
I can tell you automated sync (creation, editing, deletion) does not work for 98% of the organisations I have seen in the last 10 years while running this project, in particular those with one or two people running GRC.
It is like expecting accounting for a company to work by automating bank feeds and matching expenses. It just does not work; at some point you need human labour and that for most is too small to match whatever data automation you have in place.