F7_ASID Asset Identification Viewpoint
| Domain | Aspect | Maturity |
|---|---|---|
| Functional | Safety & Security | proposed |
Purpose
The Asset Identification viewpoint defines the assets that must be taken into account in the risk analysis. This is the first step of the risk management process according to DIN EN ISO/IEC 27005:2024-05.
Applicability
The Asset Identification Viewpoint supports the activity “Identifying and describing information security risks” [§7.2.1] within the “Information security risk assessment process” according to DIN EN ISO/IEC 27005:2024-05. It contributes to the Asset-based approach which identifies threat scenarios regarding assets and their vulnerabilities.
This viewpoint also supports the approach of the “Risk management process” according to ISO 15288 [§6.3.4] by enabling the definition of the context of the Risk Management process.
Supported Processes
Supported Information Items
Presentation
Stakeholder
Concern
Exposed Concepts
The Diagram shows the concepts exposed by the viewpoint, and related concepts if necessary.
The Table shows the concepts exposed by the viewpoint, and related concepts if necessary.
| Concept | Documentation |
|---|---|
| Security Context Element | An abstract element representing a Security Context Element. Base class for the specific kinds of Security Context Elements. |
| Asset | Asset definition in ISO 27005, chapter „Identifying and describing information security risks“ [§7.2.1] (page 17): „An asset is anything that has value to the organization and therefore requires protection.“ Asset definition in NIST SP 800-160v1r1, „The Concept of Assets“ [§3.4], page 16: „An asset is an item of value. There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation.“ |
| Security Objective | The Security Objectives are defined as the CIA triad (Confidentiality, Integrity, Availability) (synonyms: Security Attribute, Security Property). FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: "The FISMA defines three security objectives for information and information systems: CONFIDENTIALITY “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information. INTEGRITY “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information. AVAILABILITY “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to or use of information or an information system." |
| Tangible Resource | Tangible and intangible resources are types of Assets. NIST SP 800-160v1r1, Engineering Trustworthy Secure Systems, describes them as follows: „There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation.“ |
| Intangible Resource | Tangible and intangible resources are types of Assets. NIST SP 800-160v1r1, Engineering Trustworthy Secure Systems, describes them as follows: „There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation.“ |
| SDK is Asset in Security Context | |
| SF is Asset in Security Context | System Functions are intangible resources of the System. Intangible resources are types of Assets. NIST SP 800-160v1r1, Engineering Trustworthy Secure Systems, describes them as follows: „There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation.“ |
| Security Context | The Security Context describes all internal and external elements, boundaries, interconnections and assumptions that refer to the security of a system or an asset. DIN ISO 31000:2018-10 defines: "The context of the risk management process should be derived from an understanding of the external and internal environment in which the organisation operates and should reflect the specific environment of the activity to which the risk management process is applied." |
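The following is an added example and not part of the viewpoint definition or of any tool that implements it. It models the exposed concepts from the table (Security Context Element, Asset, Tangible/Intangible Resource, System Function, Security Objective, Security Context) as a small asset register and runs the consistency checks an analyst would want before the risk analysis starts. The check rules, the sample assets and their owners are constructed assumptions, not requirements of ISO 27005 or NIST SP 800-160.

```python
"""Toy asset-identification model for the viewpoint described on this page.

Added example, not original viewpoint documentation. Class names follow the
exposed concepts in the table; the validation rules and sample data are
constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class SecurityObjective(Enum):
    """CIA triad as defined in FIPS PUB 199 (synonym: security attribute)."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass
class SecurityContextElement:
    """Abstract base for everything that appears in a Security Context."""
    name: str


@dataclass
class Asset(SecurityContextElement):
    """Anything that has value to the organisation (ISO 27005 §7.2.1)."""
    objectives: frozenset = field(default_factory=frozenset)
    owner: str = ""


@dataclass
class TangibleResource(Asset):
    """Physical item: hardware, computing platform, technology component."""


@dataclass
class IntangibleResource(Asset):
    """Non-physical item: firmware, software, function, service, data, ..."""


@dataclass
class SystemFunction(IntangibleResource):
    """'SF is Asset in Security Context': a system function modelled as an
    intangible resource of the system."""


@dataclass
class SecurityContext:
    """Internal and external elements, boundaries and assumptions that
    refer to the security of a system (ISO 31000 'context')."""
    elements: list = field(default_factory=list)
    assumptions: list = field(default_factory=list)

    def assets(self):
        return [e for e in self.elements if isinstance(e, Asset)]


def validate_context(ctx):
    """Return findings to resolve before risk analysis (constructed rules):
    - element names are unique, so the asset register is unambiguous,
    - every asset carries at least one security objective,
    - every asset has an owner (needed later for risk ownership),
    - the context states at least one explicit assumption.
    """
    findings = []
    seen = set()
    for e in ctx.elements:
        if e.name in seen:
            findings.append(f"duplicate element name: {e.name}")
        seen.add(e.name)
    for a in ctx.assets():
        if not a.objectives:
            findings.append(f"asset without security objective: {a.name}")
        if not a.owner:
            findings.append(f"asset without owner: {a.name}")
    if not ctx.assumptions:
        findings.append("security context states no assumptions")
    return findings


def summarize(ctx):
    """Count assets per category and how often each objective is assigned."""
    summary = {"tangible": 0, "intangible": 0}
    for obj in SecurityObjective:
        summary[obj.value] = 0
    for a in ctx.assets():
        key = "tangible" if isinstance(a, TangibleResource) else "intangible"
        summary[key] += 1
        for obj in a.objectives:
            summary[obj.value] += 1
    return summary


def sample_context():
    """Constructed sample register for a fictitious embedded controller."""
    conf = SecurityObjective.CONFIDENTIALITY
    integ = SecurityObjective.INTEGRITY
    avail = SecurityObjective.AVAILABILITY
    return SecurityContext(
        elements=[
            TangibleResource("control-unit-hw", frozenset({integ, avail}), owner="HW team"),
            IntangibleResource("firmware-image", frozenset({integ}), owner="FW team"),
            IntangibleResource("calibration-data", frozenset({conf, integ}), owner="FW team"),
            SystemFunction("SF-brake-request", frozenset({integ, avail}), owner="Safety"),
            # deliberately incomplete entry so the validator has something to report
            SystemFunction("SF-diagnostics", frozenset(), owner=""),
        ],
        assumptions=["maintenance port is only reachable inside the workshop"],
    )


if __name__ == "__main__":
    ctx = sample_context()
    for finding in validate_context(ctx):
        print("FINDING:", finding)
    print(summarize(ctx))
```

Running the module prints the two findings for the incomplete `SF-diagnostics` entry and a summary showing one tangible and four intangible assets; the same checks can be pointed at a register exported from the model instead of the constructed sample.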
Realization of exposed Concepts
The Diagram shows the realization of exposed concepts.
The Table shows the realization of exposed concepts.