So to clarify, in your example of asset categories if I have a grouped assets under application software (licensed) , I can perform my risk assessment based on this group if the threat and vulnerabilities applies to the group of assets.
So in my inventory of assets, all I need to do is complete the table with the same information I used in the risk assessment table:
ID
Asset category
Name of asset
Asset owner
Asset description
1
Applications and databases
application software (licensed)
IT
Licenced application software.
Would this be sufficient or would I need to list all licenced software?
Answer:
Yes, you are right, in your risk assessment you can have a group of assets (type software) and identify threats and vulnerabilities that applies to it (threats and vulnerabilities related to software), but in your case, I think that it will be better if you have 2 different groups of assets: Applications and Databases, because risks can be different. Only if after performing the risk assessment you see that they have the same risk, you can consider integrate them in an unique group.
Finally, keep in mind that additionally, in accordance with intellectual property legislation, you must to have a inventory of your licensed software.
Comment as guest or Sign in
Jan 12, 2016