Day 10 - GRC Practical Lab 02

Today, I am continuing on with applying my NIST and ISO learnings into practical labs.

I will share my completed assignments in a stand-alone portfolio page.

Today’s assignment falls under NIST’s Identify function, where I build an Asset Inventory for the fictional company CyberSolutions.

Through this exercise I have learnt to practically identify an organisation’s assets, ranging from a public-facing website to its internal messaging tool (i.e. MS Teams)

One area I want to delve deeper on is the weighting given to the asset’s organizational importance outside of highly sensitive confidential information.

Based on my research the importance is based on the following:

What data does it rely on to function (what data would be harmful if they went into the wrong hands
what systems would cause major disruption if they went offline
what applications do employees need everyday?
which tools keep the organisation secure?
Any third-party vendors that handle the organisation’s data and/or provide critical services?

What would happen if this asset was compromised (breach of customer financial records) loss of trust, financial/regulatory penalties
Would daily operations be affected if this asset went offline
Does this asset hold sensitive or regulated data
Is this asset crucial for cybersecurity defences

The above questions were helpful in sifting between an organization’s assets and critical assets, below is my completed asset inventory.

Asset Name	Category	Description	Impact Level	Responsible Team
Customer Financial Records	Data	CyberSolutions' database for customer financial records	High	IT Security
Employee Payroll Information	Application	CyberSolutions database for employee payroll	High	HR
Archived Customer Support Data	Data	Customer Support Historial data	High	IT Security
Internal Financial Reports	Data	Internal Financial Reports	High	IT Security
Customer Relationship Management (CRM) Database	Data	CRM Database	High	IT Security
Customer Support Knowledge Base	Data	Knowledge Base Data	Medium	IT Security
Internal HR System	Application	Employee Records Database	High	HR
Document Management System for Sensitive Files	Application	Sensitive Files Database	High	IT Security
Office Communication Chat Tool	Application	Company-wide internal instant messaging	High	IT Security
Internal Email System	Application	Company-wide internal communications tool	High	IT Security
Anti-Virus Software	Security Tool	Anti-Virus Security Tool	High	IT Security
Network Firewall	Security Tool	Internal Network Barrier	High	IT Security