Insurance brokers can sometimes get bogged down in insurance policy language, details, and comparisons of what is covered and what is not. This is important, and one of the critical services insurance brokers provide as it relates to cyber liability.
But it can help to take a step back and look at the big picture. As risk advisors, insurance brokers are most effective when advising clients about how to protect their organization so that it is more resilient and less likely that an insurance policy will be needed or triggered.
In this article, we are going to take a step back and look at how to protect company assets from a big-picture perspective. Protecting company assets is a detailed and time-consuming project, and this article serves as an introduction to the process while highlighting resources that are available to all U.S.-based businesses. The method summarized here is defined in detail in the CERT® Resilience Management Model, Version 1.2, developed by the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. The SEI is a federally funded research and development center sponsored by the United States Department of Defense. The name CERT originally stood for Computer Emergency Response Team.
This article lists four types of assets and four steps in the process the model calls Asset Definition and Management. The full model contains additional steps and a significant amount of other information beyond what is covered here. The process requires an organization's commitment at all levels. It is focused on cyber resilience, but it goes beyond technology and beyond the people in technology-based roles: people, information, and facilities are assets to be protected alongside systems.
STEP ONE: DEFINE THE COMPANY ASSETS
These are listed below, as described in the CERT ® Resilience Management Model, Version 1.2:
- People = Individuals who are vital to providing a company's service. These individuals may be internal staff or external parties such as contractors and suppliers.
- Information = Information, data, or media that is vital to the services a company provides, in any form (electronic or paper).
- Technology = Hardware, software, or other technology components that support or automate the way a company provides a service.
- Facilities = Physical locations (buildings, offices, data centers, and other real estate) that a company uses to provide a service.
These are simplified definitions. For additional information and free resources, see the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) website. Navigate to the link for Cyber Security Assessments to find the no-cost support you can access to help make your organization more secure.
STEP TWO: RANK ASSETS IN ORDER OF IMPORTANCE
An effective way to approach this is to first determine which key services your company provides, and then identify which assets are essential to delivering each of those services. An asset that underpins several critical services, or a single service the business cannot operate without, ranks higher than one that supports only a minor service.
STEP THREE: CREATE A PROFILE FOR EACH ASSET
What does the asset do? Who is responsible for it, or who owns it? Who takes care of this asset, or who is its custodian?
For example, see the description published in the CERT Resilience Management Model:
“Asset custodians are persons or organizational units, internal or external to the organization, that are responsible for implementing and managing controls to satisfy the resilience requirements of high-value assets while they are in their care. For example, the customer data may be stored on a server that is maintained by the IT department. In essence, the IT department takes custodial control of the customer data asset when the asset is in its domain. The IT department must commit to taking actions commensurate with satisfying the owner’s requirements to protect and sustain the asset. However, in all cases, owners are responsible for ensuring that their assets are properly protected and sustained, regardless of the actions (or inactions) of custodians.” (i)
As an aside, there are many interrelationships between the various assets (customer data lives on a server that sits in a facility and is administered by particular staff), and these dependencies need to be recorded, because a change to one asset can affect the protection of the others. Fully adopting the CERT® Resilience Management Model is an investment of time, energy, and significant corporate resources. This article is an introduction to a process that organizations can implement to protect their assets better and thereby become more resilient to ever-present threats and risks.
STEP FOUR: MANAGE LIFE CYCLES OF THE ASSETS
Assets change constantly, and part of becoming more resilient is determining which events, actual or potential, can affect high-value assets. As changes occur, the priority of certain assets changes, and those changes need to be documented, maintained, and acted upon promptly.
Here are some examples from the CERT® Resilience Management Model of changes that can affect high-value assets:
- termination of staff, transfer of staff between units, or changes in roles and responsibilities across the organization
- changes to technology infrastructure or its configuration
- real estate transactions that add, alter, or replace current facilities
- creation or alteration of information assets
- changes to services, which in turn affect the assets those services rely upon
- new assets identified in organizational contracts
- acquisitions of technology, facilities, or other assets
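The four steps above, shown as a small worked example added here (it is not part of the CERT® Resilience Management Model or of the original article): a toy asset register for a fictional insurer in which each asset has an owner and a custodian, service criticality is propagated to every asset a service relies on (step two), high-value assets are checked for a named owner and custodian (step three), and a lifecycle change to one asset identifies every dependent asset that needs review (step four). All asset names, services, and criticality values are constructed, and the dependency-propagation rule is an assumption made for illustration, not the model's own ranking method.

```python
"""Toy asset register following the four Asset Definition and Management steps.
Added example with constructed data; the ranking rule is an assumption, not the RMM's."""
from __future__ import annotations
from dataclasses import dataclass, field

# Step one: the four asset types from the model.
ASSET_TYPES = {"people", "information", "technology", "facilities"}


@dataclass
class Asset:
    """Step three: a profile for one asset (hypothetical schema)."""
    name: str
    kind: str                        # one of ASSET_TYPES
    owner: str | None                # accountable for the asset's protection requirements
    custodian: str | None            # implements controls while the asset is in its care
    depends_on: list[str] = field(default_factory=list)  # other assets this one relies on

    def __post_init__(self) -> None:
        if self.kind not in ASSET_TYPES:
            raise ValueError(f"{self.name}: unknown asset type {self.kind!r}")


# Constructed sample register for a fictional insurer.
ASSETS = {a.name: a for a in [
    Asset("claims-db", "information", "Claims VP", "IT department", ["db-server", "dba-team"]),
    Asset("db-server", "technology", "IT director", None, ["dc-1"]),
    Asset("web-server", "technology", "Marketing director", "IT department", ["dc-1"]),
    Asset("dc-1", "facilities", "Facilities manager", "Colocation provider"),
    Asset("dba-team", "people", "IT director", None),
]}

# Step two inputs: services with criticality 1 (low) to 3 (high) and the assets
# each service directly relies on.
SERVICES = {"claims-processing": 3, "marketing-site": 1}
SERVICE_ASSETS = {"claims-processing": ["claims-db"], "marketing-site": ["web-server"]}


def rank_assets(assets, services, service_assets):
    """Step two: an asset inherits the highest criticality of any service that
    reaches it, directly or through the dependency chain. Returns [(name, crit)]
    sorted from most to least critical."""
    score = {name: 0 for name in assets}
    for service, crit in services.items():
        stack = list(service_assets.get(service, []))
        seen = set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            score[name] = max(score[name], crit)
            stack.extend(assets[name].depends_on)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def profile_gaps(assets, ranking, threshold=3):
    """Step three: every asset at or above the threshold must name both an owner
    and a custodian. Returns [(asset, missing_role)] in ranking order."""
    gaps = []
    for name, crit in ranking:
        if crit < threshold:
            continue
        for role in ("owner", "custodian"):
            if not getattr(assets[name], role):
                gaps.append((name, role))
    return gaps


def assets_to_review(assets, changed):
    """Step four: a lifecycle change to one asset (e.g. a real estate transaction
    on a facility) forces review of that asset and of everything depending on it."""
    dependents = {name: set() for name in assets}
    for asset in assets.values():
        for dep in asset.depends_on:
            dependents[dep].add(asset.name)
    to_review, stack = set(), [changed]
    while stack:
        name = stack.pop()
        if name in to_review:
            continue
        to_review.add(name)
        stack.extend(dependents[name])
    return sorted(to_review)


if __name__ == "__main__":
    ranking = rank_assets(ASSETS, SERVICES, SERVICE_ASSETS)
    print("ranking:", ranking)
    print("profile gaps:", profile_gaps(ASSETS, ranking))
    print("review after change to dc-1:", assets_to_review(ASSETS, "dc-1"))
```

Two things the register makes visible that a flat list does not: the colocation facility dc-1 ranks as highly as the claims database because the claims service reaches it through the server, and the database server and DBA team have an owner but no named custodian, which is exactly the gap the owner/custodian description above warns about.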
The processes summarized above, defining assets, ranking them, creating a profile (including owner and custodian) for each critical asset, and managing each key asset's life cycle, need to be institutionalized within an organization so that they are repeated and kept current rather than performed once. Institutionalizing the process includes documenting the process itself, documenting progress, measuring results, and documenting the improvements that have been implemented and tracked.
This is a very detailed process, and this article is intended as a general introduction so that an interested company can start defining its assets and working toward becoming more resilient to threats and attacks, both internal and external. Resources exist, and many of them require no initial investment of funds, but implementing the process effectively is a significant investment of time and staff.
(i) Caralli, Richard A., et al. The CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.