
CIMSNex User Guides


After completing a business impact assessment, the next step is to define strategies and solutions for responding to disruptions in the services or their dependencies. Below is a brief description of the fields for mapping strategies to the business impact and dependencies assessments, where users identify and select the required strategies and map them to the impact assessment. For detailed planning of the selected strategies, complete the Business Continuity planning linked to the strategies to set up appropriate measures that mitigate risks and enhance the resilience of the overall system.


Information Security Risk Assessment is a critical process that helps organizations identify, analyze, and mitigate potential risks to their information assets and systems. By conducting a thorough assessment based on ISO 27005, organizations can proactively identify vulnerabilities, evaluate the impact and likelihood of risks, and implement appropriate controls to safeguard their sensitive information. This tutorial covers conducting and completing an Information Security Risk Assessment using the system, with a brief description of the fields below.

  1. ISRA ID: This is a unique identifier for the Information Security Risk Assessment (ISRA) being conducted. It helps track and reference the assessment when needed.

  2. Date: Specify the date when the assessment is being conducted or documented.

  3. Asset ID: Provide the identifier of the specific service asset that is being assessed for information security risks. This could be a system, application, database, network, or any other relevant asset.

  4. Vulnerability: Describe any known vulnerabilities or weaknesses associated with the asset. Identify potential areas of concern that could be exploited by threats.

  5. Threats: Identify and describe the potential threats or risks that could exploit the vulnerabilities of the asset. Consider internal and external threats, such as unauthorized access, data breaches, malware attacks, etc.

  6. Risk: Summarize the overall risk associated with the asset, considering both vulnerabilities and threats. Provide a general description of the potential negative impact or consequences of the identified risk.

  7. Risk Impact: Assess the potential impact or severity of the risk on a scale of Very low (1), Low (2), Moderate (3), High (4), and Very high (5). Evaluate the extent to which the risk can adversely affect the confidentiality, integrity, or availability of the asset or the organization's operations.

  8. Risk Likelihood: Evaluate the likelihood or probability of the risk occurring on a scale of Very low (1), Low (2), Moderate (3), High (4), and Very high (5). Consider factors such as the existence of controls, historical incidents, threat landscape, and other relevant information.

  9. Risk Rating: Calculate the risk rating by multiplying the risk impact and risk likelihood values. This helps determine the overall risk level and prioritize mitigation efforts.

  10. Risk Ranking: Assign a rank or priority to the risk based on its rating. This can be a numerical or descriptive ranking system, indicating the level of attention or importance given to the risk.

  11. Risk Owner: Identify the individual or department responsible for managing and mitigating the identified risk. This could be a specific role within the organization, such as an information security officer or a risk management team.

  12. Risk Treatment: Choose an appropriate treatment option for addressing the identified risk. The options can include Avoid, Retain, Reduce, or Transfer/Share. These options represent different strategies for managing or mitigating the risk.

  13. Reason for Retaining: If the risk treatment option chosen is "Retain," provide a brief explanation or justification for the decision to accept or retain the risk rather than implementing further measures to mitigate it.

  14. Additional Description: Provide any additional details or information relevant to the risk assessment or specific risk being evaluated. This can include contextual information, impact analysis, or any other relevant factors.

  15. Organizational Control: Describe the organizational controls or measures in place that contribute to managing or mitigating the identified risk. These can include policies, procedures, governance frameworks, or any other organizational-level controls.

  16. People Control: Specify the people-related controls or measures in place to address the identified risk. This could include training programs, awareness campaigns, access control policies, or any other controls related to human factors.

  17. Physical Control: Describe the physical controls or measures implemented to address the identified risk. This can include security systems, surveillance, access controls, or any other physical safeguards in place.

  18. Technological Control: Specify the technological controls or measures employed to manage the identified risk. This could include firewalls, encryption, intrusion detection systems, backup systems, or any other technological safeguards.

  19. Specific Treatment: Outline the specific treatment actions or measures that will be implemented to manage or mitigate the identified risk. Provide details of the steps, resources, and timelines involved in the treatment plan.

  20. Attachment: If applicable, indicate any attached files or documents relevant to the risk assessment.

  21. Additional Details: Provide any additional information, comments, or observations regarding the risk assessment, mitigation efforts, or any other relevant aspects.
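The calculation and consistency rules in fields 7 to 13 above (impact and likelihood on a 1 to 5 scale, rating as their product, ranking by rating, and a justification required when a risk is retained) are shown here as an added, stand-alone example; this is illustrative code, not part of CIMSNex. The descriptive bands in `descriptive_rank`, the `IsraEntry` field names and the sample register entries are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional
# Scale used by the form for Risk Impact (field 7) and Risk Likelihood (field 8).
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
TREATMENTS = {"Avoid", "Retain", "Reduce", "Transfer/Share"}  # field 12 options
def scale_value(label: str) -> int:
    """Accept the form's 'High-4' style labels (or bare names) and return the 1..5 value."""
    return SCALE[label.split("-")[0].strip().lower()]
@dataclass
class IsraEntry:
    isra_id: str
    asset_id: str
    risk: str
    impact: int          # field 7, 1..5
    likelihood: int      # field 8, 1..5
    treatment: str       # field 12
    risk_owner: str      # field 11
    reason_for_retaining: Optional[str] = None  # field 13
    def __post_init__(self) -> None:
        # Reject values outside the form's scale or an unknown treatment option.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if value not in range(1, 6):
                raise ValueError(f"{self.isra_id}: {name} must be 1..5, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.isra_id}: unknown treatment {self.treatment!r}")
    @property
    def rating(self) -> int:
        return self.impact * self.likelihood  # field 9: impact x likelihood, 1..25
def completeness_findings(entry: IsraEntry) -> List[str]:
    """Field 13 check: a retained risk must carry a written justification."""
    if entry.treatment == "Retain" and not (entry.reason_for_retaining or "").strip():
        return [f"{entry.isra_id}: 'Reason for Retaining' is required when treatment is Retain"]
    return []
def descriptive_rank(rating: int) -> str:
    # Assumed bands over the 1..25 product; the guide leaves the ranking scheme to the organisation.
    return "Critical" if rating >= 15 else "High" if rating >= 8 else "Medium" if rating >= 4 else "Low"
def rank_register(entries: List[IsraEntry]):
    """Field 10: order the register by rating (highest first) and assign a numeric rank."""
    ordered = sorted(entries, key=lambda e: (-e.rating, e.isra_id))
    return [(pos, e.isra_id, e.rating, descriptive_rank(e.rating)) for pos, e in enumerate(ordered, 1)]
# Constructed sample register (illustrative entries, not real assessment data).
SAMPLE = [
    IsraEntry("ISRA-001", "SRV-DB-01", "Unauthorized access to customer database",
              scale_value("Very high-5"), scale_value("Moderate-3"), "Reduce", "Information Security Officer"),
    IsraEntry("ISRA-002", "WS-HR-02", "Malware infection of HR workstations", 4, 4, "Reduce", "IT Manager"),
    IsraEntry("ISRA-003", "NET-GUEST-01", "Guest Wi-Fi misuse", 2, 2, "Retain", "Network Lead",
              "Segmented from the corporate LAN; further controls would cost more than the exposure"),
]
```

Running `rank_register(SAMPLE)` yields the register ordered ISRA-002 (16), ISRA-001 (15), ISRA-003 (4), and `completeness_findings` flags any "Retain" entry that was saved without a reason.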
