Asset owners should understand the value of the information, applications and infrastructure they’re responsible for so they can assess the impact of compromise, loss or unavailability.
Your documented assets all have cyber security risks and associated consequences such as reputational damage, financial loss, regulatory penalties, or public endangerment. By assessing the importance of each asset that forms part of your digital service you will be able to:
This should be completed as part of the discovery or requirement gathering phases to ensure the appropriate level of resource is allocated to protecting your assets. The value of the assets should be continuously reviewed and updated whenever new assets are documented so the potential losses from a cyber incident are recorded accurately.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to adopt a risk-driven approach.
Your project’s Senior Responsible Owner (SRO), Information Asset Owner (IAO) and service owner should work with those responsible for each asset and security professionals to establish their value.
They may need to consult with business analysts, technical architects and delivery managers for further detail on how assets are used and where the risks may be.
Before you begin to assess your assets, familiarise yourself with the business priorities, security obligations and risk appetite relevant to your service so you can understand the impact of the risk management decisions you make.
Your cyber security risk assessment and management should align with the enterprise risk management framework used by your organisation to ensure cyber risks are managed consistently. Speak with your risk management team and use the impact reference table they provide as the basis for your asset assessment.
This will cross-reference impact categories (such as financial, operational and reputational) with risk ratings (such as from ‘1 - Minor’ to ‘5 - Critical’).
The information is unique to each organisation. For example, a ‘3 - Moderate’ risk in your ‘Financial’ category may be “Regulatory penalties between £100k and £500k”, which may be considered a ‘5 - Critical’ risk in other organisations.
The GOV.UK risk management framework provides a foundation for how to assess, respond to, and monitor risks, including good practice guidance on impact categories and risk scoring scales.
Working through each of your assets, establish the negative consequences to your organisation if they were compromised.
The CIA triad is a useful guiding model to help you assess information security.
Workshops and surveys are the most effective ways to capture this information. Include the relevant people within your team and encourage them to provide insight on what the realistic impact would be if the confidentiality, integrity or availability of each asset was compromised due to missing or failing security controls.
Expand your impact reference table to include a summary of your workshops and surveys, describing the impact of loss if your assets were compromised by a cyber attack. Provide details for all of the impact categories for every asset, including the potential financial and reputational damage that may result from a compromise in security. The financial impact may be direct or indirect, and could include the cost of restoring systems and data or the cost of legal and regulatory fines. Reputational impact includes how negative publicity may result in a decline in public trust in your service and a loss of confidence in key stakeholders.
- Asset Title: Grant Application Information
- Description: Data fields including: applicant's name, email address, phone number, address
- Confidentiality Rating: 4 - Severe
- Confidentiality Impact: Significant levels of sustained negative publicity, increase in user complaints, loss of confidence by key stakeholders
- Integrity Rating: 3 - Moderate
- Integrity Impact: Moderate loss of management’s ability to effectively govern or operate the organisation
- Availability Rating: 2 - Low
- Availability Impact: Minor loss of management’s ability to effectively govern or operate the organisation
- Highest Business Impact: 4 - Severe
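The sample row above can be checked mechanically once the evaluation sheet is captured as data. The following is an added example, not part of the Secure by Design guidance or any tooling it references. It encodes the page's rating scale and the Grant Application Information row, derives the Highest Business Impact as the worst of the three CIA ratings, validates that every property is rated on the scale and has an impact description, and orders assets so the most important ones are considered first when allocating resources. The second asset, the validation rules and the tie-breaking order are constructed assumptions.

```python
"""Asset evaluation sheet helper (added example, not the guidance's own code).

The rating scale and the Grant Application Information row come from the page;
the second asset, the validation rules and the prioritisation order are
constructed assumptions used to illustrate the checks.
"""
from dataclasses import dataclass

# Rating scale from the page ('1 - Minor' to '5 - Critical'); the names for
# 2 and 4 are taken from the sample asset ('Low', 'Severe').
RATING_SCALE = {1: "Minor", 2: "Low", 3: "Moderate", 4: "Severe", 5: "Critical"}

PROPERTIES = ("confidentiality", "integrity", "availability")  # the CIA triad


@dataclass
class AssetEvaluation:
    title: str
    description: str
    ratings: dict      # CIA property -> rating on RATING_SCALE
    impacts: dict      # CIA property -> summary of the impact of loss

    def highest_business_impact(self) -> int:
        """'Highest Business Impact' on the sheet is the worst of the three ratings."""
        return max(self.ratings[p] for p in PROPERTIES)


def format_rating(rating: int) -> str:
    """Renders a rating the way the sheet shows it, e.g. '4 - Severe'."""
    return f"{rating} - {RATING_SCALE[rating]}"


def validate(asset: AssetEvaluation) -> list:
    """Checks a row is complete: every CIA property is rated on the 1-5 scale
    and has a non-empty impact description. Returns the list of problems found."""
    problems = []
    for prop in PROPERTIES:
        rating = asset.ratings.get(prop)
        if rating not in RATING_SCALE:
            problems.append(f"{asset.title}: {prop} rating {rating!r} is not on the 1-5 scale")
        if not asset.impacts.get(prop, "").strip():
            problems.append(f"{asset.title}: {prop} impact description is missing")
    return problems


def prioritise(assets: list) -> list:
    """Orders assets for resource allocation: highest business impact first,
    ties broken by confidentiality rating, then by title (constructed rule)."""
    return sorted(
        assets,
        key=lambda a: (-a.highest_business_impact(), -a.ratings["confidentiality"], a.title),
    )


def render(asset: AssetEvaluation) -> str:
    """Prints a row in the same bullet layout as the page's sample."""
    lines = [f"- Asset Title: {asset.title}", f"- Description: {asset.description}"]
    for prop in PROPERTIES:
        lines.append(f"- {prop.capitalize()} Rating: {format_rating(asset.ratings[prop])}")
        lines.append(f"- {prop.capitalize()} Impact: {asset.impacts.get(prop, '(missing)')}")
    lines.append(f"- Highest Business Impact: {format_rating(asset.highest_business_impact())}")
    return "\n".join(lines)


# The page's own sample row.
GRANT_APPLICATION = AssetEvaluation(
    title="Grant Application Information",
    description="Data fields including: applicant's name, email address, phone number, address",
    ratings={"confidentiality": 4, "integrity": 3, "availability": 2},
    impacts={
        "confidentiality": "Significant levels of sustained negative publicity, increase in "
                           "user complaints, loss of confidence by key stakeholders",
        "integrity": "Moderate loss of management's ability to effectively govern or operate "
                     "the organisation",
        "availability": "Minor loss of management's ability to effectively govern or operate "
                        "the organisation",
    },
)

# Constructed second asset with a deliberately incomplete row (no availability impact).
CASE_NOTES = AssetEvaluation(
    title="Caseworker Notes (constructed)",
    description="Free-text notes recorded against each application (constructed)",
    ratings={"confidentiality": 5, "integrity": 4, "availability": 3},
    impacts={
        "confidentiality": "Disclosure of personal circumstances of applicants (constructed)",
        "integrity": "Decisions made on altered records (constructed)",
    },
)

if __name__ == "__main__":
    for asset in prioritise([GRANT_APPLICATION, CASE_NOTES]):
        print(render(asset), end="\n\n")
    for problem in validate(GRANT_APPLICATION) + validate(CASE_NOTES):
        print("CHECK:", problem)
```

Running the script lists the constructed Caseworker Notes row first because its worst rating is 5, then the Grant Application Information row, and finishes with one check failure for the missing availability impact; a row that passes `validate` with no problems is one where every CIA property has both a rating on the scale and a recorded consequence.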
To confirm your evaluation is accurate and complete you should check:
The output of this activity is subjective and based on the experiences and judgement of the stakeholders involved. To create a balanced asset evaluation that those who need to use it can be confident in, it’s important that it’s put together in collaboration with representatives from across the service team.
The asset evaluation sheet should be shared with the team responsible for performing service security risk assessments, as well as your organisation’s information security team. Those responsible for managing service delivery risks and deciding on appropriate security controls should also be made aware of the elements that are relevant to them.
Your Chief Information Security Officer (CISO) and security advisors within your organisation may also need an understanding of the importance of assets to your service to support strategic planning.
This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024