1
00:00:01,190 --> 00:00:08,060
Let's talk about asset selection and what constitutes asset selection. We can see here in front of us

2
00:00:08,150 --> 00:00:15,770
examples of assets that we've talked about, like files, accounts, financial information, emails, identity,

3
00:00:15,830 --> 00:00:23,240
etc. These are good examples of things that might be valued assets.

4
00:00:23,570 --> 00:00:29,760
These then relate to privacy, anonymity and pseudo-anonymity, as we've discussed.

5
00:00:29,900 --> 00:00:37,470
The assets have security controls, possible vulnerabilities, threats and adversaries.

6
00:00:37,970 --> 00:00:44,560
How we define what are assets will depend on the entity you are trying to protect.

7
00:00:44,750 --> 00:00:53,480
So beyond information, data, accounts, devices, you may also want to assign things like functions, departments,

8
00:00:53,780 --> 00:00:59,160
processes and other such things as assets too, because these are things of value too.

9
00:00:59,270 --> 00:01:03,200
And if they are exploited, there is an undesirable impact.

10
00:01:03,200 --> 00:01:09,170
So for example, if the entity you're trying to secure is a banking application and you are the security

11
00:01:09,170 --> 00:01:15,080
architect, the login function for that banking app might be considered an asset.

12
00:01:15,110 --> 00:01:20,390
The login function would have security controls like input validation.

13
00:01:20,390 --> 00:01:29,480
It would have threats like hackers, etc. If you're operating a business, the financial or sales department

14
00:01:29,480 --> 00:01:34,740
could be an asset with its own special security controls, threats and adversaries.

15
00:01:34,910 --> 00:01:42,710
Another example in a business: the process of, say, how people are dealt with when they resign and leave

16
00:01:42,710 --> 00:01:45,400
the organization could be considered an asset.
17
00:01:45,500 --> 00:01:52,910
This leaving process having the security control, for example, of making sure that people's credentials

18
00:01:52,910 --> 00:01:55,280
are removed out of the business system.

19
00:01:55,280 --> 00:02:02,330
A very important process when people leave, something that is often forgotten in businesses. Information

20
00:02:02,660 --> 00:02:03,430
and data,

21
00:02:03,560 --> 00:02:08,540
as we've discussed, can also be a way to categorize something as an asset.

22
00:02:08,540 --> 00:02:14,990
So data is often assigned as an asset in some way, and that data can often be assigned a classification

23
00:02:14,990 --> 00:02:19,460
like secret, confidential, sensitive or public, and so on.

24
00:02:19,460 --> 00:02:26,300
So there are degrees to which security controls need to be applied to the asset based on its classification.

25
00:02:26,750 --> 00:02:33,890
How granular you are with assets will depend on the entity being protected. Within the security industry,

26
00:02:33,890 --> 00:02:40,130
different organizations provide different recommendations for assigning assets, and this assignment of

27
00:02:40,190 --> 00:02:47,670
assets is usually done in the early stages of what is called the risk assessment process, or a risk assessment.

28
00:02:47,750 --> 00:02:53,060
For further information, if you want to understand more about risk assessments, you can look at places like

29
00:02:53,060 --> 00:03:00,650
SABSA, ISO, particularly ISO 27005, and the Information Security Forum, or just do

30
00:03:00,650 --> 00:03:06,180
a search for information security risk assessments and you can see what you find there.
31
00:03:06,230 --> 00:03:12,230
But essentially we're talking about asset selection, and really you want to pick the assets that make

32
00:03:12,230 --> 00:03:18,560
sense to you, and with experience that will guide you in the end to what are the best assets based on

33
00:03:18,560 --> 00:03:21,160
the entity that you're trying to protect.