How to identify and categorise your assets
If you don't know exactly what you are trying to protect, where it lives and why it is important to the company, then you are probably doing it wrong.
This is why with Brainframe you get the tools to manage this efficiently, independent of the tools used in the organisation you are trying to protect.
Step 1 - Asset identification & classification
To get started you'll need to document and understand what assets exist, here are some examples
Online & offline Backups
End user authentication data (e.g. Firebase, Cognito, Auth0, ...)
End user data
Source code repositories (e.g. Github, Gitlab, ...)
Intellectual property (e.g. patents, certifications, hardware design/blueprints, ...)
Documentation (e.g. Atlassian Confluence, OneNote, ...)
IoT devices at your customer under your control
Employees & their data
Local or cloud based infrastructure (e.g. databases, Web servers, ...)
Network infrastructure (e.g. Routers, Switches, Firewalls, ...)
Company provided workstations
Brand and trademarks
Product marketing material
Originals of contracts/certifications
Communication (e.g. Email, internet connection, ...)
These can be identified by doing some simple meeting/workshops with the different head of department, technical leads and management, and you asking the right questions:
Who is the "Asset owner"? (responsible for the asset)
What are known opportunities to protect the asset? (e.g. specific effort on this asset will result in more sales)
How do you classify these assets? (Public, confidential, sensitive, ...)
On which "Medium" do thes assets live? (e.g. Data center, database, server, vault, ...),
Who are the stakeholders that might be impacted might anything happen to these assets? Examples: Government, Emergency Services, Employees, Competitors, Legislators & regulators, Data subjects (People behind the data, e.g. patients), End users (Users of our products/services), Sales prospects (potentials users of our services), Research partners, Development teams (Digital, firmware, hw), Marketing (influencers, external platform), Retailer (sales of our products), Shareholders, External auditors/accreditors, Distributors, GDPR Supervisory authority, Board of directors, Product quality & compliance (product quality), Insurers, Infrastructure critical suppliers, Strategic business suppliers
What are the security requirements for these assets (Confidentiality - impact on security breach, integrity - impact on corruption, availability - how long can they be offline/unavailable - RTO/RPO)
What are known risk scenarios to the assets?
What are potential threat actors to the asset?
- What administrative measures are already in place for this asset?
- What technical measures are already in place for this asset?
- What risk around this asset are you willing to accept?
Step 2 - Document your assets
The proper documentation of the information collected during these sessions can be done using the "Meeting notes" document type in Brainframe. Once you gathered all the data you can start creating the actual assets in the form of "Digital asset" or "Physical asset" document which comes we pre-configured templates
As you can see below, document types can have linked document types. We pre-configured the digital/physical asset with "Risks" and "Stakeholder/interested party" document type. This allows you to immediately create or link with existing documents from your workspace.
Step 3 - Put your assets where they make sense
All documents and folders created in Brainframe can live in multiple places at the same time. This means that if you have a document that describes your digital asset, you can put it in a folder where all your assets live together, but you can also "link" them to another folder (e.g. specific to a product). No matter where you change something to the content of the document, it will immediately be up to date in all other places, giving you and your collaborators an easy and effective way to always find back the information.
Let's say we want to make this "Customer profile data" document that currently only exists in "Features (Product 1)" folder, also live "AWS Cognito":
Then you would click this move/link button on the item:
Indicate you only want to link (not move), then type the name of a folder that already exists, and link click on the found result
Now the data lives in both places
Step 4 - Manage your asset
Now that your assets have been identified and classified, you will want to create a life cycle around these assets (with a custom Kanban) or simply have a central workbench view (Todo doing done) giving you a quick overview on all your assets and their state in one place.
To do this, simply add your asset to the workbench:
If the "Asset management" checklist does not yet exist, you can create a dedicated checklist by clicking the "Create checklist" button
Then enter a name for your checklist, and select default Kanban type (todo/doing/done). You can also create more complex custom Kanban if your prefer.
Now assign your asset document to the new checklist you just created
When doing this, it will ask you in which state of the Kanban you want your document to start:
Giving you a nice workflow overview in the workbench
Remember, the workbench only shows items from the currently selected folder in your knowledge base. This is really practical if you have very complex structures, allowing you to select a specific Product X folder, which then only shows the assets related to that product. Or you select your inbox, which then shows all assets in you whole knowledge base.