Asset Tagging as a potential ‘Risk Mitigation Tool’

Before diving into the subject of ‘Asset Tagging’ and its purpose as a risk mitigation tool, we first need to understand the broader context of potential business risks. Companies in general are aware of the many internal and external threats that could harm their business continuity.

RISKS

The real question here is how many companies have reviewed and assessed their potential risks and implemented the proper remediation plans and tools to address worst-case scenarios. The figure below illustrates some of the internal and external factors that could impact business continuity.

[Figure: Internal risks | External risks]

Structured Approach

We want to focus on both the internal and external technological risks from a cybersecurity perspective, and on how ‘Asset Tagging’ could help companies better understand their business process risks when the assets supporting these processes are exposed to exploitable cybersecurity vulnerabilities.

Building a model to determine business process risks involves several steps, including identifying the core business processes, identifying potential risks, assessing their impact and likelihood, and implementing a monitoring and mitigation framework. Here’s a structured approach to create this model.

With ‘Asset Tagging’ we focus only on the following steps:

  1. Identify the core business processes and their owners

  2. Identify the core business process flows for each core business process

  3. Identify all IT, OT & IoT assets supporting these business process flows

  4. Identify, per asset in these flows, its potential risk based on the combination of probability & impact (rating Low-0 to High-5)

  5. Configure your ASM platform, leveraging the asset risk ratings to build your reporting dashboards and to prioritize your patch management tools

  6. Regularly review your core processes and their supporting IT, OT & IoT assets

So ‘Asset Tagging’ is a process that identifies, for each core business process flow, the supporting IT, OT and IoT assets and the overall business process owner(s) (no RACI matrix needed). Each supporting asset’s risk can then be rated (0 to 5) based on its impact and likelihood ratings (both also 0 to 5). The combined score works through the whole sequence of the business process flows. The figure below illustrates the basic concept.

RISK IDENTIFICATION

  Process: Procurement
  Risk: Supplier Failure
  Category: Operational

RISK ASSESSMENT

  Impact: 4 (high)
  Likelihood: 3 (mid)
  Priority: High

MITIGATION

  Prioritise: Procurement
  Consent: Supplier Failure
  Execute: Operational

MONITORING

  Vulnerabilities: Exploitable on key assets
  Frequency: Monthly
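Steps 1 to 5 above, as an added Python example (not from the original article or any ASM product). The asset names, owner and finding ids are constructed; the article gives no formula for combining impact and likelihood, so the rounded-up square root of their product and the "riskiest asset rates the flow" rule are assumptions.

```python
from dataclasses import dataclass
from math import isqrt

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # "IT", "OT" or "IoT"
    impact: int      # 0 (low) to 5 (high)
    likelihood: int  # 0 (low) to 5 (high)
    @property
    def risk(self) -> int:
        # Assumed combination: sqrt(impact x likelihood), rounded up, stays 0-5.
        if not (0 <= self.impact <= 5 and 0 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: ratings must be 0-5")
        p = self.impact * self.likelihood
        r = isqrt(p)
        return r if r * r == p else r + 1

# Constructed inventory, process flows and scanner output (steps 1-4).
ASSETS = {a.name: a for a in (
    Asset("erp-db01", "IT", 4, 3), Asset("edi-gateway", "IT", 5, 4),
    Asset("warehouse-plc", "OT", 3, 1), Asset("dock-scanner", "IoT", 1, 2))}
PROCESSES = {
    "Procurement": {"owner": "Head of Procurement", "flows": {
        "purchase-order": ["edi-gateway", "erp-db01"],
        "goods-receipt": ["dock-scanner", "warehouse-plc", "erp-db01"]}},
}
# (asset, placeholder finding id, exploitable?)
FINDINGS = [("dock-scanner", "VULN-A", True), ("edi-gateway", "VULN-B", True),
            ("erp-db01", "VULN-C", False), ("print-srv", "VULN-D", True)]

def tag_assets(processes):
    """Return {asset: [(process, flow, owner), ...]} for every asset in a flow."""
    tags = {}
    for proc, meta in processes.items():
        for flow, names in meta["flows"].items():
            for n in names:
                tags.setdefault(n, []).append((proc, flow, meta["owner"]))
    return tags

def flow_risk(names):
    # Assumption: a flow is rated by its riskiest supporting asset.
    return max(ASSETS[n].risk for n in names)

def prioritize(findings, tags):
    """Order exploitable findings on tagged assets by asset risk (step 5)."""
    hits = [(ASSETS[a].risk, a, vid, sorted({t[0] for t in tags[a]}))
            for a, vid, exploitable in findings if exploitable and a in tags]
    return sorted(hits, key=lambda h: (-h[0], h[1]))
```

With the figure's ratings (impact 4, likelihood 3) the assumed formula yields 4, and the untagged `print-srv` finding drops out of the business-process queue because no core flow depends on it.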

The figure below illustrates the overall mechanism to inform board members about cybersecurity vulnerabilities that could potentially impact their business process continuity.

[Figure: Internal risks versus external risks mapping]

Asset Tagging is not only a mechanism to inform board members about potential business processes at risk or to enrich the CISO from a SOC perspective; it is really a mechanism to start automating the remediation actions on exposed key asset vulnerabilities to mitigate the overall impact on their business continuity. Asset Tagging helps companies to better understand their business process risks in real time.