Information system or related resources necessary for the organisation to function properly and achieve the objectives proposed by its management.
(Source: Magerit)
An asset is, generally speaking, something that the organisation has or uses and which, if lost or damaged, would cause damage to the organisation.
This is the valuation assigned to the asset according to its criticality and taking into account the five dimensions of security:
- confidentiality: what damage would be caused if it were known by those who should not know?
- integrity: what damage would be caused if it were damaged or corrupted?
- availability: what harm would be caused by not having it or not being able to use it?
- authenticity: what harm would be caused if it were forged or counterfeited?
- traceability: what harm would be caused by not knowing who accesses what data?
Asset valuation
Assets can be valued in two ways (not to be confused with the five security dimensions above). On the one hand:
- Quantitative valuation: the quantitative value of an asset is the increase in expenses plus the loss of profit that would follow from the materialisation of a threat. It is calculated by determining the income that would be lost and the costs that the incident would generate.
- Qualitative valuation: the value is placed on an ordered scale that relativises the value of each asset using fixed thresholds and homogeneous criteria. This allows comparison between dimensions, lets analyses carried out separately be shared or combined, and keeps the knowledge behind the valuation uniform.
On the other hand:
- Domain valuation: a security domain is the set of assets subject to a single policy. Once the domains and the dependencies between them have been identified, the value of each domain is calculated: in each of the five security dimensions it is the highest value of any asset the domain contains.
- Valuation of dependencies: only the essential assets are valued directly in each dimension; by establishing the dependencies between assets, PILAR derives the value of every other asset in the system from the essential assets that depend on it.
Once the assets have been identified and valued, the next step is to identify the threats we face, in terms of the probability that each one materialises (addressed by preventive measures) and its impact (addressed by reactive measures).
The core of PILAR is its catalogue of threats and the association between each threat and the assets that would be affected should that threat materialise. By default, PILAR assigns a probability and a degradation of the asset to each threat, but the user is free to adjust these values, since the user is the one who best knows the characteristics of the system.
The impact of a threat is measured in terms of the degradation of the affected assets, where degradation is understood as the loss of value caused by the materialisation of the threat.
Degradation can be modified by aggravating factors (increasing the impact) or mitigating factors (decreasing the impact).
PILAR allows the user to:
- select aggravating and mitigating factors to characterise a system in more detail
- set the degree of application of each factor (in %)
- specify the degree to which the aggravating or mitigating factor affects the system
If an asset is vulnerable, the threat leads to an incident.
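The following added example (constructed for this page; it is not code from PILAR or Magerit) ties the valuation and threat sections together in a small Python model. It assumes a concrete reading of the rules described above: value flows from essential assets down to the supporting assets they depend on, a domain's value in each dimension is the highest value of any asset in it, a threat's default degradation is scaled by each factor's effect weighted by its degree of application, and risk is taken as impact weighted by probability. The asset names, scores, factor effects and the risk formula are all assumptions chosen for illustration.

```python
"""Toy Magerit-style asset valuation and threat impact (constructed example)."""
from dataclasses import dataclass, field

DIMENSIONS = ("confidentiality", "integrity", "availability", "authenticity", "traceability")


@dataclass
class Asset:
    name: str
    domain: str                                     # security domain the asset belongs to
    own_value: dict                                 # dimension -> qualitative score 0..10 (essential assets)
    depends_on: list = field(default_factory=list)  # supporting assets this one relies on


@dataclass
class Factor:
    name: str
    effect: float       # relative change to degradation: positive aggravates, negative mitigates
    application: float  # degree of application, 0.0..1.0 (the page's "in %")


@dataclass
class Threat:
    name: str
    asset: str
    dimension: str
    probability: float  # likelihood of materialisation (preventive side)
    degradation: float  # fraction of the asset's value lost if it materialises (reactive side)
    factors: list = field(default_factory=list)


def accumulated_values(assets):
    """Propagate value down dependency chains: a supporting asset is worth at least
    as much as the most valuable asset that depends on it, in each dimension."""
    by_name = {a.name: a for a in assets}
    dependents = {a.name: [] for a in assets}  # reverse map: support -> assets relying on it
    for a in assets:
        for support in a.depends_on:
            dependents[support].append(a.name)
    memo = {}

    def value(name, dim, path=()):
        if (name, dim) in memo:
            return memo[(name, dim)]
        if name in path:  # a dependency loop would otherwise recurse forever
            raise ValueError(f"circular dependency through {name}")
        v = by_name[name].own_value.get(dim, 0)
        for up in dependents[name]:
            v = max(v, value(up, dim, path + (name,)))
        memo[(name, dim)] = v
        return v

    return {a.name: {d: value(a.name, d) for d in DIMENSIONS} for a in assets}


def domain_values(assets, values):
    """Domain value = highest value of any asset in the domain, per dimension."""
    out = {}
    for a in assets:
        dom = out.setdefault(a.domain, {d: 0 for d in DIMENSIONS})
        for d in DIMENSIONS:
            dom[d] = max(dom[d], values[a.name][d])
    return out


def adjusted_degradation(threat):
    """Scale the default degradation by the weighted sum of factor effects, clamped to [0, 1]."""
    scale = 1.0 + sum(f.effect * f.application for f in threat.factors)
    return min(1.0, max(0.0, threat.degradation * scale))


def impact_and_risk(threat, values):
    """Impact = accumulated value lost; risk = impact weighted by probability (assumed formula)."""
    impact = values[threat.asset][threat.dimension] * adjusted_degradation(threat)
    return impact, impact * threat.probability


# Constructed sample system: an essential data asset resting on a server in a datacenter.
ASSETS = [
    Asset("customer-db", "business",
          {"confidentiality": 9, "integrity": 8, "availability": 7},
          depends_on=["db-server"]),
    Asset("db-server", "hosting", {"availability": 2}, depends_on=["datacenter"]),
    Asset("datacenter", "hosting", {"availability": 1}),
]

# Constructed threat with one aggravating and one partially applied mitigating factor.
THREAT = Threat(
    "unauthorised access", "db-server", "confidentiality",
    probability=0.3, degradation=0.5,
    factors=[Factor("internet-exposed admin port", +0.4, 1.0),
             Factor("disk encryption", -0.5, 0.5)],
)

if __name__ == "__main__":
    vals = accumulated_values(ASSETS)
    for name, dims in vals.items():
        print(name, dims)
    print("domains:", domain_values(ASSETS, vals))
    print("impact, risk:", impact_and_risk(THREAT, vals))
```

Running the script shows that the server and datacenter, although assigned almost no value of their own, inherit the confidentiality score of the customer database that depends on them, so the "hosting" domain ends up as valuable as the "business" domain in that dimension. Change the factor effects or degrees of application and the impact of the threat moves accordingly, which is the adjustment the text says PILAR lets the user make.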
Safeguards are the means used to counter threats. They can address organisational, technical, physical or personnel-management aspects.
In PILAR, safeguards can be assessed by domain or by asset. The assessment consists of assigning a maturity level [of the associated process] to the safeguard.