Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole or do we need to add different assets that are applicable to the organization?
Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define?
Could you kindly let me know if we need to define different categorized products with Assets and then specify with the vulnerabilities associated to that specific asset in the Risk register for internally developed software?