ASSET IDENTIFICATION
If you have not identified critical assets, you cannot recover from their loss!
OVERVIEW
Information for this section is contained in the Boundary Scope Master Record (BSMR) from the Risk Management section, which provides a general description of the system's architecture and functionality. The BSMR should indicate the operating environment, the physical location of the system, the general location of its users, and any partnerships with external organizations or systems. It should also capture any other technical considerations that matter for recovery, such as backup procedures.
Note: There should be only one (1) BSMR for each system or application.
BOUNDARY SCOPE MASTER RECORD
The BSMR contains the critical information that summarizes an application or system. As shown in the sample BSMR, this document includes the following:
- Asset Name and Acronym
- Asset Type and Criticality
- Location of Asset Hardware and/or Software
- Location of Alternate Site
- Location of Users and Support Teams
- A Detailed and Comprehensive Description of the Asset
- Description of Dependent and/or Interconnecting Systems or Applications
- Business Unit, Operations, and Key Personnel Points of Contact with Contact Information
The BSMR should also include any information pertinent to the recovery or relocation of the asset in the event of an incident. Additionally, we have included tools to help document the asset's characteristics and dependencies (Asset Specification) and the asset's value (Asset Valuation).
COMMON CONTROLS vs. SHARED CONTROLS vs. SPECIFIC CONTROLS
Common Controls are controls that can be inherited by one or more organizational information systems. The organization assigns responsibility for each common control to an appropriate organizational official and coordinates the development, implementation, assessment, authorization, and monitoring of the control. Identifying common controls is most effectively done as an organization-wide exercise with the active involvement of the chief information officer, senior information security officer, risk executive (function), authorizing officials, information system owners, information owners/stewards, and information system security officers. When a common control protects multiple organizational information systems of differing impact levels, the control is implemented to satisfy the highest impact level among those systems. For example, a common control may address the physical security of a facility; the assets housed in that facility then inherit those protection mechanisms as common controls rather than implementing their own.
Shared or Hybrid Controls are controls to which the organization assigns a hybrid status because one part of the control is deemed common and another part is deemed system-specific. For a shared or hybrid control (e.g., User Identification and/or Authentication), responsibility may rest with the application as well as with the system that supports that application, so the BSMR should state which part each party provides.
System-Specific Controls are the primary responsibility of information system owners and their respective authorizing officials. As an example of a system-specific control, access to a database may be restricted by an access control list (ACL) managed by the asset owner.