Asset valuation is the process of determining the fair market value of an asset, which is one of the first priorities of risk management. The asset value can be determined from the asset's replacement value, or from either what the asset provides to the organization or the cost to recover the asset. The value can also be determined using a combination of both values.
After the value of the assets has been determined, their importance can be prioritized. If an asset is worth $1,000, it may require one level of protection. If another asset is worth $1 million, that asset may require another level of protection.
This section introduced assets and activities related to risk assessment.
Only the assets that are within the boundary of the risk assessment should be evaluated. Scope creep occurs when assets outside the scope of the risk assessment are evaluated, a process that results in wasted time and resources.
The value of an asset can be viewed from different perspectives:
Several elements need to be considered when determining the value of any asset. These include:
Access and availability refer to how and when the asset needs to be available. Some assets need to be available 24 hours a day, 7 days a week. Other assets need to be available only Monday through Friday during business hours. The more available the asset needs to be, the greater the risks related to outages.
For example, a web server is used to sell products over the Internet. Customers may access the website at any time, but, if the website is not operational when the customer tries to access it, the company loses a sale. Moreover, a customer may have been lost.
With this in mind, the risk assessment needs to consider the risks associated with this website going down at any given time, which includes how to perform maintenance on the system without taking the website down. Maintenance includes performing backups of the data and keeping the system up to date.
The web server may be one of many servers in a web farm, or it may be one of several web servers in a failover cluster. Both configurations allow a single server to go down while the website continues to function, but, if only a single server is run, an outage can be catastrophic.
On the other hand, a system could have a file server that is used only internally by employees when they are at work between 8:00 a.m. and 5:00 p.m., Monday through Friday. This schedule allows extensive time for performing backups or other maintenance when employees are not at work.
The functions of a service-providing system should be considered when determining the asset’s value. Of particular importance is how the functions are performed, manually or through automation.
For example, suppose the value of email in an organization is being evaluated. The email system could have several elements, including a spam filter. Studies report that as much as 90 percent of the email sent through the Internet is spam. Spam filters eliminate some of this spam, with the goal of not eliminating any valid emails.
A spam filter that filters out as much as 30 percent of the spam provides a significant reduction in unwanted email with a high assurance that valid email won’t be filtered. Figure 6-3 shows an email server with a spam appliance added to filter spam. In the figure, all email is routed from the Internet through the spam appliance. The appliance filters some of the spam and sends the rest of the email to the email server.
With this in mind, what is the value of the spam filter? It uses an automated process, so the value is simply the value of the appliance. If it breaks or malfunctions, it can be replaced.
However, some spam filters require much more interaction, such as dedicated technicians who are constantly viewing the filtered spam to ensure it doesn’t include any valid emails. These technicians could be adding valid email source addresses to whitelists and known spammers to blacklists.
An email whitelist is a list of approved email addresses or domains. For example, [email protected] could be added to the whitelist to ensure any email from this address is never marked as spam. The xyz.edu domain could also be added to ensure email from anyone in that domain is not marked as spam. Addresses added to a blacklist are automatically marked as spam.
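The whitelist and blacklist decision described above can be sketched as follows. This is an added example, not code from the original text or from any spam appliance. Apart from the xyz.edu domain, the list entries and function names are constructed for illustration. The whitelist is checked first so that a listed sender is never marked as spam.

```python
from email.utils import parseaddr

# Constructed sample lists; xyz.edu is the page's example domain, the
# other entries are hypothetical.
WHITELIST_ADDRESSES = {"billing@bulk-mailer.example"}
WHITELIST_DOMAINS = {"xyz.edu"}
BLACKLIST_ADDRESSES = {"offers@bulk-mailer.example"}
BLACKLIST_DOMAINS = {"bulk-mailer.example"}


def split_sender(from_header):
    """Return (address, domain) in lower case, or (None, None) if unusable."""
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None, None
    local, domain = addr.split("@")
    domain = domain.rstrip(".")
    if not local or not domain:
        return None, None
    return addr, domain


def domain_listed(domain, listed):
    """Exact match or true subdomain; 'notxyz.edu' must not match 'xyz.edu'."""
    return any(domain == d or domain.endswith("." + d) for d in listed)


def classify(from_header):
    """Return 'deliver', 'spam', or 'filter' (hand to normal spam scoring)."""
    addr, domain = split_sender(from_header)
    if addr is None:
        return "filter"  # malformed sender: no list applies
    # Whitelist first: a listed address or domain is never marked as spam,
    # even when its domain also appears on the blacklist.
    if addr in WHITELIST_ADDRESSES or domain_listed(domain, WHITELIST_DOMAINS):
        return "deliver"
    if addr in BLACKLIST_ADDRESSES or domain_listed(domain, BLACKLIST_DOMAINS):
        return "spam"
    return "filter"
```

The From header is set by the sender, so a whitelist match is only meaningful for mail that has also passed sender authentication such as SPF, DKIM, or DMARC.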
When calculating the value of the manually managed spam appliance, the work done by the administrator also needs to be considered. The value of the asset may be higher if additional labor and expertise are needed to initially configure it as well as manage it.
Hardware assets are any assets that can be physically touched, which include computers, such as laptops, workstations, and servers. Hardware assets also include network devices, such as routers, switches, and firewalls.
A wide range of values exist among the devices. A simple desktop PC can cost less than $500. However, a high-end server can cost tens of thousands of dollars.
Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate; an operating system could be a Microsoft system, such as Windows 10 or Windows Server 2016, or it could be a UNIX or Macintosh system.
Applications allow tasks to be performed. For example, Microsoft Word is an application that allows documents to be created and edited. Similarly, Oracle is a server-level application used to manage databases.
Operating systems and applications can also have a wide range of costs. For example, the operating system and applications for a desktop PC can range in the hundreds of dollars. However, the operating system and applications for a server can easily range in the thousands of dollars.
Personnel assets need to be valued. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate. An organization can do specific things to retain valued personnel.
For example, organizations have different levels of benefit packages, which might include different types of insurance, such as health, dental, and life, or retirement plans, such as matching 401(k) contributions. Many organizations also take additional steps to increase the morale and working environment of their employees.
The steps taken to retain employees are often dependent on how much they are valued. When IT administrators have the high level of knowledge required to keep a network running in good order, they have a high value to the organization.
Data and information assets can have different levels of value depending on the data. Most organizations will take steps to identify the classification of data. For example, an organization could identify the following data classifications:
Other items to consider when valuing assets are the facilities and supplies needed to run the business. This information is needed when calculating the company’s insurance needs.
Insurance is one of those items that a business always wants to have but never wants to use. It provides a layer of protection if the company suffers a loss. However, the loss is rarely painless. Even if the insurance company covers the loss, the process is difficult.
Some organizations may realize that one of their facilities is so important that it needs redundancy. In this case, redundancy is another site that can perform the same functions. The four types of alternate sites are:
The type of alternate site chosen depends on the value of the primary location. The supplies that will be stored there need to be considered to ensure the alternate location can perform the same type of work. Of course, an alternate location may not be necessary at all.