The purpose of Asset Definition and Management is to identify, document, and manage organizational assets during their life cycle to ensure sustained productivity to support organizational services.
Mission success for an organization relies on the success of each service in achieving its mission. In turn, mission assurance for services depends on the availability, productivity, and ultimately the resilience of high-value assets that the service relies upon—people to perform and monitor the service, information to fuel the service, technology to support the automation of the service, and facilities in which to operate the service. Whenever any high-value asset is affected by disruptive events (by the realization of operational risk), the assurance of the mission is less certain and predictable. An organization must be able to identify its high-value assets, document them, and establish their value in order to develop strategies for protecting and sustaining assets commensurate with their value to services.
The Asset Definition and Management process area seeks to establish organizational assets as the focus of the operational resilience management system. High-value organizational assets are identified and profiled (establishing ownership, a common definition, and value), and the relationship between the assets and the organizational services they support is established. The organization also defines and manages the process for keeping the asset inventory current and ensures that changes to the inventory do not result in gaps in strategies for protecting and sustaining assets.
The Asset Definition and Management process area is a higher-order competency that establishes the inventory of high-value organizational assets of all types. The resilience aspects of these assets (and their related services) are addressed in asset-specific process areas as noted in “Related Process Areas” below.
The Asset Definition and Management process area has three specific goals: to inventory assets, associate the assets with services, and manage the assets. To meet these goals, the organization must engage in the following practices:
• Establish a means to identify and document assets.
• Establish ownership and custodianship for the assets.
• Link assets to the services they support.
• Establish resilience requirements (including those for protecting and sustaining) for assets and associated services. (This is addressed in the Resilience Requirements Development and Resilience Requirements Management process areas.)
• Provide change management processes for assets as they change and as the inventory of assets changes.
• Establish risk management processes to identify, analyze, and mitigate risks to high-value assets. (This is addressed in the Risk Management process area.)
• Establish continuity processes to develop, test, and implement service continuity and restoration plans for high-value assets. (This is addressed in the Service Continuity process area.)
• Monitor the extent to which high-value assets are adequately protected and sustained, and develop and implement adjustments as necessary. (This is addressed in the Monitoring process area.)
The identification, documentation, analysis, and management of asset-level resilience requirements are addressed in the Resilience Requirements Development and Resilience Requirements Management process areas.
The identification, assessment, and mitigation of risks to high-value assets are addressed in the Risk Management process area.
The development, implementation, and management of strategies for protecting people are addressed in the People Management process area.
The development, implementation, and management of strategies for protecting information assets are addressed in the Knowledge and Information Management process area.
The development, implementation, and management of strategies for protecting technology assets are addressed in the Technology Management process area.
The development, implementation, and management of strategies for protecting facility assets are addressed in the Environmental Control process area.
The development and implementation of service continuity plans for high-value assets and their related services are performed in the Service Continuity process area. Service continuity plans describe strategies for sustaining high-value assets and services.
The identification and prioritization of high-value organizational services are performed in the Enterprise Focus process area.
Organizational assets (people, information, technology, and facilities) are identified and the authority and responsibility for these assets are established.
The assets of the organization must be identified, prioritized, documented, and inventoried.
The highest-level concept in the operational resilience management system is a service. Services are defined as the limited number of activities that the organization carries out in the performance of a duty or in the production of a product. Services are the prime resource that the organization uses to accomplish its mission. Each service has a mission that must be accomplished in order to support the organization’s strategic objectives. Failure to accomplish the mission of a service is a potentially serious impediment to accomplishing the organization’s mission.
An important aspect of services is that they are “fueled” by assets—the raw materials that services need to operate.
These assets may or may not be directly owned by the organization. For example, outsourcing of call center functions may mean that the organization does not control the people, information, technology, or facilities that enable the service; however, the organization retains responsibility for the ownership and resilience of the assets. In order to properly determine resilience requirements (and to implement appropriate strategies for protecting and sustaining assets), the organization must define these assets from a service perspective and establish ownership and responsibility for their resilience.
Organizational assets are identified and inventoried.
Success at achieving the organization’s mission relies upon critical dependencies between organizational goals and objectives, services, and associated high-value assets. Lack of performance of these assets (due to disruptive events, realized risk, or other issues) impedes mission assurance of associated services and can translate into failure to achieve organizational goals and objectives. Thus, ensuring the operational resilience of high-value assets is paramount to organizational success.
The first step in establishing the operational resilience of assets is to identify and define the assets. Because assets derive their value and importance through their association with services, the organization must first identify and establish which services are of high value. This provides structure and guidance for developing an inventory of high-value assets for which resilience requirements have to be established and satisfied. Inventorying these assets is also essential to ensuring that changes are made in resilience requirements as operational and environmental changes occur.
Establishing criteria for determining the value of services and associated assets is performed in the Risk Management process area. Identifying and prioritizing high-value organizational services are performed in the Enterprise Focus process area.
Each type of asset for a specific service must be identified and inventoried. The following are descriptions of the four asset types.
Organizations may use many practical methods to inventory these assets. Human resources databases identify and describe the roles of vital staff. Fixed asset catalogs often describe all levels of technology components. Facilities and real estate databases have information about high-value physical plant assets. However, bear in mind that internal databases may not cover people, technology, and facilities that are not under the direct control of the organization. In contrast to people, technology, and facilities, less tangible assets such as information and intellectual property may not be identified and regularly inventoried because they are often difficult to describe and bound. For example, a staff member may have information that is critical to the effective operation of a service that has not been documented or is not known to other staff members. This must be resolved in order to properly define security and continuity requirements for these assets.
Typical work products
Subpractices
A common and consistent definition of assets is established and communicated.
Proper description of organizational assets is essential to ensuring a common understanding of these assets between owners and custodians. (The difference between owners and custodians is explained in ADM:SG1.SP3.) A consistent description aids in developing resilience requirements and ensuring satisfaction of these requirements. It defines the boundaries and extent of the asset, which is useful for defining ownership and responsibility for the resilience of the asset. In addition, an asset’s description can be easily communicated within and outside of the organization to facilitate communication of resilience requirements to internal constituencies and external business partners.
At a minimum, all high-value assets (as identified in ADM:SG1.SP1) should be defined to the extent possible. Differences in the level of description are expected from asset to asset, and an organization must decide how much information is useful in facilitating requirements definition and satisfaction. The description of the asset should detail why it is considered to be of high value to the organization. There are some common elements that should be collected, at a minimum, for each asset.
An organization may also choose to document the asset’s resilience requirements as part of the asset profile so that there is a common source for communicating and updating these requirements and so that their association with an asset is established. In addition, strategies to protect and sustain an asset may be documented as part of the asset profile. (Resilience requirements for assets are developed and documented in the Resilience Requirements Development process area.)
There are additional considerations for describing each type of asset.
Typical work products
Subpractices
Be sure to address the entire range of information that should be collected for each type of asset, including at a minimum the owner and the custodian(s) of the asset. Also, include the resilience requirements of the asset as established or acquired by the organization. (Refer to the Resilience Requirements Development process area for more information.)
All information relevant to the asset (collected from the asset profile) should be contained with the asset in its entry in the asset database.
The ownership and custodianship of assets are established.
High-value assets have owners and custodians. Asset owners are the persons or organizational units, internal or external to the organization, that have primary responsibility for the viability, productivity, and resilience of the asset. For example, an information asset such as customer data may be owned by the “customer relations department” or the “customer relationship manager.” It is the owner’s responsibility to ensure that the appropriate levels of confidentiality, integrity, and availability requirements are defined and satisfied to keep the asset productive and viable for use in services.
Asset custodians are persons or organizational units, internal or external to the organization, that are responsible for implementing and managing controls to satisfy the resilience requirements of high-value assets while they are in their care. For example, the customer data in the above example may be stored on a server that is maintained by the IT department. In essence, the IT department takes custodial control of the customer data asset when the asset is in its domain. The IT department must commit to taking actions commensurate with satisfying the owner’s requirements to protect and sustain the asset. However, in all cases, owners are responsible for ensuring that their assets are properly protected and sustained, regardless of the actions (or inactions) of custodians.
In practice, custodianship brings many challenges for asset owners in ensuring that the resilience requirements of their assets are being satisfied. In some cases, custodians of assets must resolve conflicting requirements obtained from more than one asset owner. This can occur in cases where a server contains more than one information asset from different owners with unique and sometimes competing requirements. In addition, custodianship may occur outside of organizational boundaries, as is commonly seen in outsourcing arrangements. In such a case, asset owners must clearly communicate the resilience requirements of their assets to external custodians and must expend additional effort in monitoring the satisfaction of those requirements.
The owner of each high-value asset is established in order to define responsibility and accountability for the asset’s resilience and its contributions to services. Accordingly, owners are responsible for developing and validating the resilience requirements for high-value assets that they own. They are also responsible for the implementation of proper controls to meet resilience requirements, even if they assign this responsibility to a custodian of the asset.
The identification, documentation, analysis, and management of asset-level resilience requirements are addressed in the Resilience Requirements Development and Resilience Requirements Management process areas.
In some cases, the organization may group a set of assets together into a service and identify an owner of the service. This aggregation is often more practical when an organization has many assets and protection and sustainment strategies at the level of individual assets would not be practical.
The organization should also, to the extent possible, identify relevant custodians for each high-value asset. Custodians take custodial care of assets under the direction of owners and are usually responsible for satisfying the asset’s resilience requirements on an operational basis. Identifying the custodians of high-value assets also helps to identify the operational environment of the assets where risks may emerge and where continuity plans would have to be implemented.
Typical work products
Subpractices
If the asset is connected to more than one service, be sure this is noted as part of the asset profile.
All information relevant to the asset (collected from the asset profile) should be contained with the asset in its entry in the asset database.
The relationship between assets and the services they support is established and examined.
The relationship between assets and the services they support must be understood in order to effectively develop, implement, and manage resilience strategies that support the accomplishment of the service’s mission. Associating assets to services helps the organization to determine where critical dependencies exist, to validate resilience requirements, and to develop and implement commensurate resilience strategies.
Assets are associated with the service or services they support.
To provide a service-focused review of operational resilience, the assets collected in the development of the asset inventory must be associated with the services they support. This helps the organization view resilience from a service perspective and to identify critical dependencies that are essential to determining effective strategies for protecting and sustaining assets.
Establishing criteria for determining the relative value of services and associated assets is performed in the Risk Management process area. Identifying and prioritizing high-value organizational services are performed in the Enterprise Focus process area.
Typical work products
Subpractices
A list of high-value services is created in the Enterprise Focus process area. Assets can be associated with services in this practice, but it is best to have a validated list of services to which assets are associated. (Refer to the Enterprise Focus process area for more information.)
Instances where assets support more than one service are identified and analyzed.
Because services traverse the organization, and because there are shared assets and resources that many services depend upon, it is important to identify these dependencies to ensure that they are addressed during the development of resilience requirements and in the development of strategies to protect and sustain assets and their related services.
When dependencies result in a shared environment for an asset, consideration must be given to the effects that this situation will have on the satisfaction of resilience requirements at the service level. For example, if resilience requirements are set for a facility and more than one service is performed in that facility, the requirements for protecting and sustaining the facility must be sufficient to meet the needs of both services that share the facility. By identifying these potential conflicts early, an organization can actively mitigate them (by revising requirements or other actions) before they become an exposure that affects the operational resilience of the affected services.
Typical work products
Subpractices
This practice may require the organization to revisit existing resilience requirements and revise them where necessary. It may also necessitate changes in current strategies for protecting and sustaining existing assets. (Refer to the Resilience Requirements Management process area for more information about managing change to resilience requirements. Refer to the Controls Management and the Service Continuity process areas for managing changes to strategies for protecting and sustaining services and their supporting assets.)
The life cycle of assets is managed.
Changes to high-value assets may require commensurate changes in resilience requirements and the strategies that organizations deploy to ensure that these assets are adequately protected and sustained. In fact, managing changes to the operational environment (i.e., through keeping accurate inventories of assets and services and their requirements) is an essential activity for managing and controlling operational resilience. The organization must actively monitor for changes that significantly alter assets, identify new assets, or call for the retirement of assets for which there is no longer a need or whose relative value has been reduced. The objective of this goal is to ensure that the organization’s scope for operational resilience management remains known and controllable.
The criteria that would indicate changes in an asset or its association with a service are established and maintained.
(This practice is complementary to specific practice RRM:SG1.SP3 in Resilience Requirements Management.)
In order to identify changes to high-value assets that could affect their productivity and resilience, the organization must have a set of criteria that are consistently applied. These criteria must cover all assets—people, technology, information, and facilities. Changes in assets must be translated to changes in resilience requirements—either the requirements are altered or rewritten, or in the case where the asset is eliminated (for example, when vital staff leave the organization), the requirements are retired.
Owners of high-value assets must have knowledge of these criteria and be able to apply them in order to identify changes that must be managed.
Typical work products
Ensure that these criteria are commensurate with the organization’s risk tolerances.
Changes to assets are managed as conditions dictate.
(This practice is complementary to specific practice RRM:SG1.SP3 in Resilience Requirements Management.)
Organizational and operational conditions are continually changing. These changes result in daily changes to the high-value assets that help the organization’s services achieve their missions. For example, the following are common organizational events that would affect high-value assets:
• staff changes, including the addition of new staff members (either internally or externally), the transfer of existing staff members from one organizational unit to another, and the termination of staff members
• changes to information such as the creation, alteration, or deletion of paper and electronic records, files, and databases
• technology refresh, such as the addition of new technical components, changes to existing technical components, and the elimination or retirement of existing technology
• facilities changes, such as the addition of new facilities (whether owned by the organization or an external business partner), alteration of existing facilities, and the retirement of a facility
Besides the addition of new assets, this practice also addresses changes to the description or composition of an asset. For example, if an asset takes an additional form (such as when a paper asset is imaged or an electronic asset is printed), this must be documented as part of the asset description to ensure that current protection and sustainment strategies align properly and provide coverage across a range of asset media. Assets may also change ownership, custodianship, location, or value—all of which must be updated to ensure a current asset profile and inventory.
In addition, whenever assets are eliminated (for example, a server is retired or vital staff members leave the organization), owners of those assets must ensure that their resilience requirements are either eliminated (if possible) or are transferred and updated to the assets that replace them. Doing this is especially critical when assets are shared between services and have common resilience requirements.
Subpractices
Update asset resilience requirements, asset protection strategies, and plans for sustaining assets as necessary.
Update service level agreements (SLAs) with custodians if necessary to reflect commitment to changes.
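The shared-asset analysis described under the second goal (an asset supporting several services whose requirements may conflict) and the retirement and transfer of requirements described in this practice both operate on the same asset profile data, so a single worked example serves both. The following is an added illustration, not CERT-RMM text or a tool the model prescribes: the asset profile fields, the three-level requirement scale, the service and asset names, and the stricter-level-wins merge rule are all assumptions chosen for the example. It reconciles per-service requirements on a shared facility (flagging attributes on which the services disagree rather than silently picking one), retires a server while transferring its requirements to a replacement, returns untransferred requirements when no replacement exists, and compares the active inventory with an independently observed asset list to surface discrepancies of the kind the monitoring elaboration later warns about.

```python
"""Constructed asset inventory model: profiles with owner and custodians, service
association, shared-asset requirement reconciliation, retirement with requirement
transfer, and comparison against an observed asset list. The data model and the
requirement-level scale are assumptions made for this example."""
from dataclasses import dataclass, field

# Constructed ordinal scale for requirement levels; a higher number is more stringent.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    asset_id: str
    asset_type: str            # people, information, technology or facilities
    owner: str                 # accountable for the asset's resilience
    custodians: list           # operate controls on the owner's behalf
    # Requirements each supporting service places on this asset, keyed by service,
    # e.g. {"order-entry": {"availability": "high"}}.
    service_requirements: dict = field(default_factory=dict)
    retired: bool = False

    @property
    def services(self):
        return sorted(self.service_requirements)


class AssetInventory:
    def __init__(self):
        self.assets = {}
        self.change_log = []   # every add and retire is recorded for change control

    def add(self, asset):
        if asset.asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        self.assets[asset.asset_id] = asset
        self.change_log.append(("added", asset.asset_id, None))

    def shared_assets(self):
        """Active assets that support more than one service."""
        return [a for a in self.assets.values() if not a.retired and len(a.services) > 1]

    def reconcile(self, asset_id):
        """Merge per-service requirements into one asset-level set.
        The effective level is the most stringent any service demands; attributes on
        which services disagree are returned separately so the owner can revisit them
        instead of one service's need being silently overridden."""
        by_attr = {}
        for service, reqs in self.assets[asset_id].service_requirements.items():
            for attr, level in reqs.items():
                by_attr.setdefault(attr, {})[service] = level
        effective = {a: max(lv.values(), key=LEVELS.get) for a, lv in by_attr.items()}
        conflicts = {a: lv for a, lv in by_attr.items() if len(set(lv.values())) > 1}
        return effective, conflicts

    def retire(self, asset_id, replacement_id=None):
        """Retire an asset. With a replacement, its requirements are transferred
        (the stricter level wins where the replacement already has one); without,
        the untransferred requirements are returned so the owner must eliminate
        or reassign them explicitly rather than lose them."""
        asset = self.assets[asset_id]
        asset.retired = True
        pending = {}
        for service, reqs in asset.service_requirements.items():
            if replacement_id is None:
                pending[service] = dict(reqs)
                continue
            target = self.assets[replacement_id].service_requirements.setdefault(service, {})
            for attr, level in reqs.items():
                target[attr] = max(target.get(attr, level), level, key=LEVELS.get)
        self.change_log.append(("retired", asset_id, replacement_id))
        return pending

    def discrepancies(self, observed_ids):
        """Compare active inventory entries with an independently observed id list
        (for example a discovery scan or an HR extract). Returns (unrecorded, unaccounted)."""
        active = {i for i, a in self.assets.items() if not a.retired}
        observed = set(observed_ids)
        return sorted(observed - active), sorted(active - observed)


def build_sample_inventory():
    """Constructed sample: one facility shared by two services with differing
    availability needs, plus a server and a staff role each supporting one service."""
    inv = AssetInventory()
    inv.add(Asset("FAC-01", "facilities", "facilities-mgr", ["site-ops"], {
        "order-entry": {"availability": "high"},
        "payroll": {"availability": "medium", "confidentiality": "high"}}))
    inv.add(Asset("SRV-01", "technology", "order-entry-mgr", ["it-ops"], {
        "order-entry": {"availability": "high", "integrity": "medium"}}))
    inv.add(Asset("ROLE-01", "people", "payroll-mgr", [], {
        "payroll": {"availability": "medium"}}))
    inv.add(Asset("SRV-02", "technology", "order-entry-mgr", ["it-ops"]))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    for a in inv.shared_assets():
        print(a.asset_id, "shared by", a.services, "->", inv.reconcile(a.asset_id))
    print("transfer:", inv.retire("SRV-01", "SRV-02"), inv.assets["SRV-02"].service_requirements)
    print("pending on retire:", inv.retire("ROLE-01"))
    print("discrepancies:", inv.discrepancies(["FAC-01", "SRV-02", "SRV-99"]))
```

The conflict output is deliberately not resolved automatically: the model's point is that the owner revisits the requirement, and the merge rule only guarantees that whatever is implemented is at least as stringent as every dependent service needs. The change log and the discrepancy comparison are what a reviewer would check when auditing whether inventory changes kept pace with operational changes.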
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Asset Definition and Management process area.
The operational resilience management system supports and enables achievement of the specific goals of the Asset Definition and Management process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Asset Definition and Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices ADM:SG1.SP1 through ADM:SG3.SP2 are performed to achieve the goals of the asset definition and management process.
Asset definition and management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the asset definition and management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the asset definition and management process.
Subpractices
Elaboration:
Elaboration:
Establish and maintain the plan for performing the asset definition and management process.
Elaboration:
The plan for performing the asset definition and management process is created to ensure that an accurate inventory of assets is developed and maintained and can form a foundation for managing operational resilience. Developing and maintaining an asset inventory may be challenging because most organizations have a significant number of assets. Thus, the plan must address how the inventory will be taken and maintained at various levels of the organization. For practicality, most organizations may take inventory at an organizational unit level and have a method or tool to aggregate the inventory at an enterprise level.
Subpractices
Elaboration:
Special consideration in the plan may have to be given to the organization’s approach for taking an initial inventory of assets (developing the asset inventory baseline) and for maintaining the asset inventory. The plan should address who is responsible for creating and maintaining the inventory and how ownership and custodianship are determined (or assigned). The plan should also include provisions for how the inventory is to be reconciled and how inventory duplication is resolved.
Provide adequate resources for performing the asset definition and management process, developing the work products, and providing the services of the process.
Subpractices
Elaboration:
The diversity of asset types (people, information, technology, facilities) requires that staff members assigned to the asset definition and management process have appropriate knowledge of the assets being inventoried and the services with which they are associated.
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Elaboration:
Considerations for funding the asset definition and management process should extend beyond the initial development of the asset inventory to the maintenance of the inventory. Initial costs may be higher if the organization does not have a formal or usable asset baseline to serve as a foundation.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for asset definition and management.
Elaboration:
Developing and maintaining the asset inventory may require tools, techniques, and methods that allow for asset documentation and profiling, reporting, and updating on a regular basis. The need for these tools may be greater if the asset inventory is developed across many organizational units and must be aggregated at the enterprise level. Tools should provide for proper and secure change control over the asset database and should limit access to the asset baseline. The asset inventory database should be searchable and expandable to include additional information such as documentation of associated services and the asset’s resilience requirements.
Assign responsibility and authority for performing the asset definition and management process, developing the work products, and providing the services of the process.
Elaboration:
Specific practice ADM:SG1.SP2 describes the use of human resources databases to identify roles of vital staff to aid in determining high-value people assets and calls for describing roles rather than actual persons who perform the role. Specific practice ADM:SG3.SP1 discusses the effects of changes in roles. These descriptions of roles specific to the definition and management of high-value people assets should not be confused with assigning the roles, responsibilities, and authorities necessary to perform the asset definition and management process.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Responsibility and authority for creating the asset inventory baseline may differ from responsibility and authority for maintaining the asset inventory and performing change control processes.
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the asset definition and management process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about creating an inventory of skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Subpractices
Elaboration:
Elaboration:
Place designated work products of the asset definition and management process under appropriate levels of control.
Elaboration:
ADM:SG3.SP2 specifically addresses the change control process over assets and the asset inventory. However, other work products of the asset definition and management process must also be managed and controlled.
The tools, techniques, and methods used to capture and maintain the asset inventory should be employed to perform consistent and structured version control over the inventory to ensure that information is current, accurate, and “official.” The tools, techniques, and methods can also be used to securely store the asset inventory, to provide access control over inquiry, modification, and deletion, and to track version changes and updates.
Identify and involve the relevant stakeholders of the asset definition and management process as planned.
Elaboration:
Several ADM-specific practices address the involvement of owners and custodians as key stakeholders in the asset definition and management process. For example, ADM:SG1.SP3 calls for establishing ownership and custodianship for all high-value assets and making sure owners and custodians understand their responsibilities, as well as their relationship with one another. ADM:SG3.SP1 requires that asset owners have knowledge of asset change criteria, including possible changes in asset ownership and custodianship.
Elaboration:
Monitor and control the asset definition and management process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
Elaboration:
Discrepancies result when assets are acquired, modified, or retired but not reflected accurately in the asset inventory. Assets form the foundation for operational resilience management because they are the target of strategies required to protect and sustain services. To the extent that the asset definition and management process results in inventory discrepancies, the organization’s overall ability to manage operational resilience is impeded.
Objectively evaluate adherence of the asset definition and management process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the asset definition and management process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Asset definition and management is institutionalized as a defined process.
Establish and maintain the description of a defined asset definition and management process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Collect asset definition and management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.