Expert Advice Community

Elaborating an asset inventory

Guest user Created: Aug 07, 2017 Last commented: Aug 08, 2017

I need a little help on defining our asset register. I have had a meeting with my colleagues and we have a few questions. I hope you can help or point me at someone who can.
0 0


Expert
Rhand Leal Aug 07, 2017

As you may remember we provide online appointment scheduling and booking solutions through a multi-tenant SaaS solution. So we have 3 basic systems that are hosted at Azure and Amazon: Reflex Appointment, Reflex Room Manager and Reflex Booking. Our customers basically get a login and away they go (with some training of course).

Now in terms of the Risk Assessment Process, my questions are:

1 - Do I define our products as assets? For instance Reflex Appointment as the asset? Or do I consider the Reflex Appointment Application and the Reflex Appointment Database as separate assets? Or am I approaching this incorrectly?

Answer: No. Assets should be defined in terms of processes, information and resources that support them (e.g., hardware, software, network, etc.). So, your second approach (defining the application and the database as separate assets) is more adequate. This way you can handle security more properly, because:
- Generally, for complex systems, the application and database are managed by different teams, with different people responsible for them
- The knowledge needed to cover both the application and the database is quite wide for a single person to master and support risk management correctly (or this person will be very expensive to maintain)

2 - Do I define Azure as an asset? Or do I define the various services we use on Azure as assets? Like Azure Portal, Azure Cloud Services and Azure storage.

Answer: In this case, where all services are outsourced, it may be best if you consider a single asset (Azure's contracts), because this way the organization can have a centralized view of its relationship with the provider.

0 0
Guest
marcelschouten Aug 08, 2017

Thanks, this definitely helps. Another question I have is about threats: One of the obvious threats for an information system is "interruption of service". Is it wise to differentiate on the length of the interruption? For instance "interruption of service for less than 8 hours" and "interruption of service for more than 8 hours". Because the first may result in an acceptable risk, whereas the second is unacceptable.

0 0
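As an added illustration, not part of the thread or of the expert's answer, the following script models the two points raised above in a small risk register: the product is registered as an application asset and a database asset with different owners, the cloud provider is registered as a single contract asset, and the threat "interruption of service" is split into duration bands so that each band gets its own likelihood, impact and acceptance decision instead of the worst case dominating a single entry. The asset names follow the thread; the owners, the 1 to 5 scoring scale, the scores, the 8-hour cut-off as a parameter and the acceptance threshold of 8 are constructed assumptions.

```python
"""Toy asset register and risk scoring (constructed example, not from the page)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str       # "application", "database", "contract", ...
    owner: str      # team accountable for the asset (constructed)
    supports: str   # the business process / product this asset supports


@dataclass(frozen=True)
class Threat:
    name: str
    min_hours: float = 0.0             # lower bound of the duration band (inclusive)
    max_hours: Optional[float] = None  # upper bound (exclusive); None = open-ended

    def label(self) -> str:
        if self.max_hours is None:
            return f"{self.name} for {self.min_hours:g} hours or more"
        return f"{self.name} for less than {self.max_hours:g} hours"


@dataclass(frozen=True)
class RiskEntry:
    asset: Asset
    threat: Threat
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


ACCEPTANCE_THRESHOLD = 8  # constructed: scores above this must be treated


def is_acceptable(entry: RiskEntry, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    return entry.score <= threshold


def build_register() -> List[Asset]:
    """Constructed register: one product split into app + db, provider as one contract."""
    return [
        Asset("Reflex Appointment Application", "application", "dev team", "appointment scheduling"),
        Asset("Reflex Appointment Database", "database", "dba team", "appointment scheduling"),
        Asset("Azure contract", "contract", "IT management", "hosting of all Reflex products"),
    ]


def validate_register(assets: List[Asset]) -> List[str]:
    """Names of assets that are not tied to an owner or to a process they support."""
    return [a.name for a in assets if not a.owner.strip() or not a.supports.strip()]


def owners_per_process(assets: List[Asset]) -> Dict[str, List[str]]:
    """Which owners must take part in assessing each process; splitting app and db makes both visible."""
    by_process: Dict[str, set] = defaultdict(set)
    for a in assets:
        by_process[a.supports].add(a.owner)
    return {p: sorted(o) for p, o in by_process.items()}


def split_interruption_threat(cutoff_hours: float = 8.0) -> List[Threat]:
    """The single threat 'interruption of service' becomes two duration bands."""
    return [
        Threat("interruption of service", 0.0, cutoff_hours),
        Threat("interruption of service", cutoff_hours, None),
    ]


def assess_interruption(asset: Asset, likelihood_by_band: Tuple[int, int],
                        impact_by_band: Tuple[int, int],
                        cutoff_hours: float = 8.0) -> Dict[str, Tuple[int, bool]]:
    """Score each duration band separately; returns {band label: (score, acceptable)}."""
    result: Dict[str, Tuple[int, bool]] = {}
    bands = split_interruption_threat(cutoff_hours)
    for band, lik, imp in zip(bands, likelihood_by_band, impact_by_band):
        entry = RiskEntry(asset, band, lik, imp)
        result[band.label()] = (entry.score, is_acceptable(entry))
    return result


def example() -> Dict[str, Tuple[int, bool]]:
    """Constructed scores: short outages are likely but low impact, long ones rarer but severe."""
    database = build_register()[1]
    return assess_interruption(database, likelihood_by_band=(4, 2), impact_by_band=(2, 5))


if __name__ == "__main__":
    for label, (score, ok) in example().items():
        print(f"{label}: score {score}, {'acceptable' if ok else 'NOT acceptable'}")
```

With the constructed scores, the short-outage band scores 8 (acceptable at the constructed threshold) while the long-outage band scores 10 (not acceptable); a single undivided threat entry would have to carry the worst case and mark the whole threat as unacceptable, which is the effect the question above is pointing at.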
