Asset Criticality Analysis

The document outlines a method for identifying and prioritizing critical assets within an organization's information systems to enhance risk management and decision-making. It introduces the Draft NIST IR 8179: Criticality Analysis Process Model, which includes a structured approach to analyze assets at various levels, from program to component. The process is designed to be flexible and integrate with existing practices without duplication.

Uploaded by Veena Hingarh
Copyright: © All Rights Reserved

Identifying Critical Assets for Risk Management

Celia Paulsen
Disclaimer: "The identification of any commercial product or trade name is included solely for the purpose of providing examples of publicly-disclosed events, and does not imply any particular position by the National Institute of Standards and Technology."
Problem
• Technology
– Interconnected
– Sophisticated
– Integral
• Complex SDLC Ecosystem
• Evolving Threats
• Constant Change
• $$$
Image by Andy Lamb: https://www.flickr.com/photos/speedoflife/6924482682
Draft NIST IR 8179: Criticality Analysis Process Model
• Method for identifying and prioritizing information systems and components
– Increase understanding of the organization’s IT/OT (and other) assets
– Better decision making
  • risk management
  • project management
  • acquisition, maintenance, and upgrade
– Informed distribution of finite resources
Not Another…
• Failure Mode Effects and Criticality Analysis (FMECA)
• Business Continuity Planning
• FIPS Level / Classification
• Framework (RMF, CSF, etc.)

LEVERAGES AND INFORMS EXISTING PRACTICES – NOT DUPLICATING IT
Reading the Model

• ID
• Name
• Description
• Inputs
• Outputs
• Roles & Responsibilities (Process only)
• Methods (Sub-process only)
• Related Processes
Criticality Analysis Process
A. Define & Scope
B. Program-Level Analysis
C. System-Level Analysis
D. Component-Level Analysis
E. Traceback
Process A: Define & Scope
• Define:
– Who
– When
– How

• Tailor if needed for each analysis
Process B: Program-Level Analysis
1. Goals, assumptions, constraints, etc.
2. Activities
3. Dependencies
4. Operating States
5. Baseline Criticality Levels
Process C: System/Subsystem-Level Analysis
1. Scope
2. Functions
3. Dependencies
4. Operating States
5. Baseline Criticality Level
Process D: Component/Subcomponent-Level Analysis
1. Scope
2. Functions
3. Diagram
4. Operating States
5. Baseline Criticality Levels
Process E: Traceback
1. Identify connections & dependencies
2. Identify Existing Controls
3. Review Impact of Operating States
4. Apply Risk Info
5. Final Criticality Level
Things to Note
• Iterates throughout
• Analyses are hierarchical
– Multiple hierarchies of systems (of systems of systems of systems of systems)
– Begin at a high level and repeat at a lower level until desired detail is reached
• FLEXIBLE
– Meant to work with existing processes, not to replace or duplicate
• Finalize in December/January
Related Work
• Cyber-Supply Chain Risk Management
csrc.nist.gov/scrm
• FISMA
csrc.nist.gov/Projects/Risk-Management
• Cybersecurity Framework
www.nist.gov/cyberframework
Questions?

Celia Paulsen
Security Engineering and Risk Management Group
National Institute of Standards and Technology
[email protected]
