Adding and managing IT assets in the Asset Manager

Every IT asset your organization owns comes with a different set of risks and liabilities. With the IT Risk Management (previously ITRMBond) workflow, you can record key information about each asset and calculate risk criticality and asset value scores for it. Then, you can use these scores to prioritize your organization's risks and create your risk mitigation plans accordingly.

This solution requires a subscription to IT Risk Management (previously ITRMBond).

What kinds of assets can I add?

There are four categories of assets you can assess in IT Risk Management (previously ITRMBond):

  • Hardware: e.g., servers, laptops, cell phones
  • Software: e.g., operating systems, applications
  • Cloud: e.g., virtual servers
  • Information systems: interacting elements within a single system; e.g., payroll software, the servers the data is stored on, and the sensitive data itself

The workflow is the same for every category, but because different categories require different types of information (e.g., a piece of hardware has a location, but a cloud environment doesn't), each category has some attributes of its own that you need to fill out.

Whichever category an asset belongs to, the steps after adding it are the same: the asset is registered, categorized, and then assessed for risk criticality. Your organization can then decide how best to prioritize and mitigate the risks associated with it.

For more information about assets, see Overview of Asset Manager.

1. Add an IT asset into the Asset Manager

In the Asset Manager, you can keep track of your IT assets and record key pieces of information about each one.

Example

Scenario

You are an IT Risk Program Manager tasked with creating a new IT security and compliance program for your organization. You have a lot of assets to address, but you decide to start with one of the most important assets in your risk management toolbox — your organization's laptops.

Process

Help topic: Working with assets in Asset Manager

You open the Asset Manager app. You select the IT Asset - Hardware asset type, click Add IT Asset - Hardware, enter the name: Laptop and save it.

Result

IT Risk Management (previously ITRMBond) saves your laptop asset in Asset Manager and automatically assigns it the Draft status.

2. Register the asset

After creating a draft of your asset, you can add additional information and advance the asset through the IT risk management workflow. When you register an asset, you enter pieces of critical information about it, and then approve it to be added to your IT Asset Manager.

Example

Scenario

Now that you have added your laptop asset, you want to register the asset so you can enter further information about it and start assessing its risk.

Process

In the Details tab, you enter all the information you have about the laptop, including its name, business owner, reference ID, and description, which are all required to register the asset. You save the asset, and then in the visual workflow at the top of the page, you click Register. After validating that your asset has all the required details, the status becomes Registered.

Result

Your laptop has all the required information and is registered as an active asset in your organization.

3. Categorize the asset

Now that you have your assets added and registered in Asset Manager, you can assess their criticality and use those scores to categorize them. You can choose to either provide a single Criticality Level score, or let Diligent One calculate criticality based on three values: the Confidentiality Impact, Integrity Impact, and Availability Impact levels.

When categorizing an asset, you have two options: you can send a questionnaire to a technical or business owner, and have Asset Manager automatically categorize the asset based on their responses; or if you have the asset's criticality information, you can enter the scores yourself.

Example

Scenario

To assess the criticality of your laptop yourself, you need three values for it:

  • Confidentiality Impact level
  • Integrity Impact level
  • Availability Impact level

You're not entirely sure what these scores should be, so you decide to send your colleague, who is the business owner for your laptop, a questionnaire to fill out.

Process

In the visual workflow at the top of the page, you click Categorize, and then click Launch Criticality Assessment. In the Send questionnaire panel, you enter your colleague's name and send the questionnaire to them. After they submit their answers, Diligent One automatically records the responses in the questionnaire. The risk scores (Confidentiality, Integrity, and Availability) are calculated and populated in the Details tab. Refresh the page if you don't see the changes.

You do a quick check to verify that the risk categorizations look correct. Then, in the visual workflow, you click Score. IT Risk Management (previously ITRMBond) automatically calculates the Criticality Level (for more information, see Understanding categorization scores). Refresh the page if you don't see the changes. In the visual workflow, you click More options and then Approve. The asset's status becomes Categorized.

Result

You have successfully quantified the risk levels associated with your laptop and have taken advantage of Diligent One's automated processes to categorize the laptop based on the risks associated with it. Now, it's easier to envision creating a plan and a priority list for remediating those risks among all the other assets your organization owns.

Understanding categorization scores

If you use questionnaire responses to calculate the criticality for your asset, two Workflow robots work together to calculate the criticality level you see in your asset: the IT Asset Categorization and CIA Criticality Scoring robots.

Note

Because response weightings and impact level boundaries are configurable, the examples in this section may not match the calculations you see in your organization. For more information, see Viewing your organization's calculations in Robots.

1. Calculating categorization scores

Each question in the criticality assessment belongs to either the Confidentiality, Integrity, or Availability category, and is used to calculate the Confidentiality Impact, Integrity Impact, or Availability Impact levels respectively. The response to a question in the Confidentiality category, for example, only affects the calculation for the Confidentiality Impact level, and not the Integrity Impact or Availability Impact levels.

Each response in the criticality assessment questionnaire has a weighting assigned to it. System Admins with Professional User subscriptions can customize each response weighting in the IT Asset Categorization Workflow robot.

This robot calculates a score for the questionnaire based on the highest possible score for each question:

  • For questions that only allow a single response, the highest possible score is the highest weighting of all possible responses to the question.
  • For questions that allow multiple responses, the highest possible score is the sum of all weightings of all possible responses to the question.

Example

Your colleague is answering this question: What type of information or data is stored, processed, or transmitted by this asset? The question accepts multiple responses.

The available responses and their respective weightings are as follows:

Response                                        Weighting
Employee information (PII)                      3
Customer information (PII)                      3
Financial information                           1
Proprietary information                         1
IT Infrastructure information - Confidential    3
IT Infrastructure information - Encrypted       1
None of these data types apply                  0

Your colleague selects Financial information and IT Infrastructure information - Confidential.

  • The total score for this question is 4 ( 1 + 3 = 4 ).
  • The highest possible score for this question is 12 ( 3 + 3 + 1 + 1 + 3 + 1 + 0 = 12 ).

Because this question is in the Confidentiality category, its response weightings count towards the asset's Confidentiality Impact level only. They have no effect on the Integrity Impact or Availability Impact levels.

2. Assigning an impact level

For each of the Confidentiality Impact, Integrity Impact, and Availability Impact levels, IT Risk Management (previously ITRMBond) calculates the final questionnaire score as follows: categorization score = ( sum of all response weights / sum of all highest possible question scores ) * 100%.

Then, the Workflow robot takes that percentage score and compares it with the impact level boundaries defined for your organization, which you can customize in the robot. The impact level corresponding with the range the percentage score falls into appears in your asset.

Finally, when you click Score in the visual workflow, the CIA Criticality Scoring Workflow robot uses one of two methods to determine the asset's overall Criticality Level:

  • High Water Mark: uses the highest of the Confidentiality Impact, Integrity Impact, and Availability Impact levels as the overall Criticality Level. This is the default method.
  • Mode: uses the most frequently occurring level among the Confidentiality Impact, Integrity Impact, and Availability Impact levels as the overall Criticality Level. If all three levels are different, the method uses the highest of the three levels instead.

Example

After completing the questionnaire: 

  • The sum of the response weightings your colleague selected in the Confidentiality question category is 7.
  • The sum of the highest possible scores for all questions in the Confidentiality category is 20.

The final Confidentiality questionnaire score is 35% ( ( 7 / 20 ) * 100 = 35 ).

In your organization, scores between 20% and 40% are assigned the Low criticality level. Therefore, Low appears in the Confidentiality Impact level field for the IT asset. The robot repeats this process to calculate the asset's Integrity Impact and Availability Impact levels, using the questions that belong to each of those categories.

When you click Score in the visual workflow, the CIA Criticality Scoring Workflow robot looks at the three impact levels recorded in the asset:

  • Confidentiality Impact level: Low
  • Integrity Impact level: Medium
  • Availability Impact level: Low

Because the robot is set to use the High Water Mark method, and the highest of the three levels is Medium, Medium appears in the asset's overall Criticality Level field.
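The two-stage calculation described above, carried through in code as an added example. This is not the IT Asset Categorization or CIA Criticality Scoring robot script (those are only viewable in Robots, as described below); it is an independent re-implementation of the rules the page states. The data-type question and its weightings are the ones from the page; the remaining questions, the level names High and Very Low are not used, the impact level boundaries (below 40% is Low, below 60% Medium, below 80% High, otherwise Critical) and the ordering of levels are assumptions chosen so that the Confidentiality category reaches the page's 7-of-20 example. The example also shows the Mode method and its fallback when all three levels differ, which the page describes but does not work through.

```python
"""Categorization score and Criticality Level calculation, as described on the page.

Added example, not Diligent One's robot code. Question set (other than the
data-type question), level names, level order and boundaries are assumed.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed ordering from least to most severe; used to rank levels for the
# High Water Mark method and for the Mode method's fallback.
LEVELS = ["Low", "Medium", "High", "Critical"]

# Assumed impact level boundaries: a percentage score below the upper bound
# maps to that level. The page only states that 20-40% is Low in the example
# organization; real boundaries are configured in the robot.
BOUNDARIES = [(40.0, "Low"), (60.0, "Medium"), (80.0, "High"), (100.0, "Critical")]


@dataclass
class Question:
    category: str          # "Confidentiality", "Integrity" or "Availability"
    weights: dict          # response text -> weighting
    multiple: bool = False # does the question accept multiple responses?

    def max_score(self) -> int:
        # Multi-response: sum of all weightings; single-response: highest weighting.
        return sum(self.weights.values()) if self.multiple else max(self.weights.values())

    def score(self, responses) -> int:
        if not self.multiple and len(responses) > 1:
            raise ValueError("single-response question answered with several responses")
        return sum(self.weights[r] for r in responses)


def category_percentages(questions, answers):
    """Per category: sum(selected weights) / sum(max question scores) * 100."""
    totals = {}  # category -> [selected sum, max-possible sum]
    for q, responses in zip(questions, answers):
        sel, mx = totals.setdefault(q.category, [0, 0])
        totals[q.category] = [sel + q.score(responses), mx + q.max_score()]
    return {cat: sel / mx * 100 for cat, (sel, mx) in totals.items()}


def impact_level(percent: float) -> str:
    for upper, level in BOUNDARIES:
        if percent < upper:
            return level
    return BOUNDARIES[-1][1]  # exactly 100% lands in the top level


def criticality(levels, method="high_water_mark") -> str:
    ranked = sorted(levels, key=LEVELS.index)
    if method == "high_water_mark":
        return ranked[-1]
    if method == "mode":
        level, n = Counter(levels).most_common(1)[0]
        return level if n > 1 else ranked[-1]  # all different: fall back to highest
    raise ValueError(f"unknown method {method!r}")


# Constructed questionnaire. The first question is the page's data-type
# question; the others are assumed so Confidentiality totals 20 points.
DATA_TYPES = Question("Confidentiality", {
    "Employee information (PII)": 3, "Customer information (PII)": 3,
    "Financial information": 1, "Proprietary information": 1,
    "IT Infrastructure information - Confidential": 3,
    "IT Infrastructure information - Encrypted": 1,
    "None of these data types apply": 0}, multiple=True)
QUESTIONS = [
    DATA_TYPES,
    Question("Confidentiality", {"Internal only": 1, "Restricted": 3, "Secret": 5}),
    Question("Confidentiality", {"Never": 0, "Sometimes": 1, "Always": 3}),
    Question("Integrity", {"No": 0, "Partly": 2, "Yes": 5}),
    Question("Availability", {"Days": 0, "Hours": 1, "Minutes": 5}),
]
ANSWERS = [  # constructed responses from the business owner
    {"Financial information", "IT Infrastructure information - Confidential"},  # 4 of 12
    {"Restricted"},  # 3 of 5
    {"Never"},       # 0 of 3  -> Confidentiality 7 / 20 = 35% -> Low
    {"Partly"},      # 2 of 5  -> Integrity 40% -> Medium
    {"Hours"},       # 1 of 5  -> Availability 20% -> Low
]


def assess(questions=QUESTIONS, answers=ANSWERS, method="high_water_mark"):
    """Return (percent per category, impact level per category, overall Criticality Level)."""
    pct = category_percentages(questions, answers)
    impacts = {cat: impact_level(p) for cat, p in pct.items()}
    return pct, impacts, criticality(list(impacts.values()), method)


if __name__ == "__main__":
    pct, impacts, overall = assess()
    for cat in ("Confidentiality", "Integrity", "Availability"):
        print(f"{cat}: {pct[cat]:.0f}% -> {impacts[cat]}")
    print("Criticality Level (High Water Mark):", overall)
    print("Criticality Level (Mode):", assess(method="mode")[2])
```

With these inputs the High Water Mark method yields Medium, as in the page's example, while the Mode method yields Low, because two of the three impact levels are Low. The difference is worth checking before you approve an asset, since the method in use is set in the CIA Criticality Scoring robot rather than chosen per asset.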

Viewing your organization's calculations in Robots

System Admins with Professional User subscriptions can view the response weightings and impact level boundaries your organization uses to calculate the above scores using these steps:

  1. Open the Robots app.
  2. From the dashboard in Robots, select Workflow Robots.
  3. Click the robot that contains the script you want to view.
  4. In the upper-right corner of the robot, click Development to switch to development mode.
  5. In the Script versions tab, select the version of the script that you want to view.
  6. Click Edit script.

    Result: The Robots script editor opens with the script. For more information, see Python and HCL scripting in Robots.

If you need assistance finding the robots that contain your customizations, or customizing your organization's calculations to meet your needs, contact support or your Diligent representative.

4. Reassess the asset

If you ever need to reassess your asset's criticality, you can move your asset backwards in the process at any time.

Example

Scenario

A year after you first add the laptop to the Asset Manager, your company is the target of a data breach. Attackers bypass your firewall and access sensitive information on the laptop.

This breach changes how you have to assess the risks associated with your laptop: it's crucial that your organization finds out why the breach happened and how to prevent another one. You need to revisit the information you have recorded about the laptop and raise its criticality so you can make a new risk mitigation plan for it.

Process

In the visual workflow, you click Reassess Criticality. The laptop's status becomes Pending Categorization again.

This time, you have more information about the laptop than when you first entered it into Asset Manager. Instead of sending your colleague a questionnaire for a second time, you decide to enter the overall Criticality Level score on the Details tab as Critical and click Save changes. Then, you click More options and click Approve.

Result

The laptop now reflects the current levels of risk it presents to your organization after the data breach.

What's next?

After adding and assessing your asset, you can identify the risks associated with it and then move on to mitigating those risks. See Adding and managing IT risks and controls in the Risk Manager for more information.