top of page

Asset Applicability

Updated: Sep 20, 2023

Defining Asset Applicability is the second step in building an X-Analytics profile.


What you will learn:


The Asset Applicability section collects which asset groups are applicable to the profile. If an asset group is not applicable, then all related risk scenarios are excluded from determining loss exposure, prioritized guidance, and all other results.


Asset Group Definitions

With X-Analytics, there are 11 asset groups:

  1. Server & Applications: This includes critical and non critical servers (including the hosted applications), such as domain servers, web servers, files servers, and DNS servers.

  2. Network: This includes critical and non-critical network equipment, such as routers, firewalls, and switches.

  3. End User Systems: This includes critical and non-critical user assets, such as laptops, desktops, and mobile phones.

  4. Terminals: This includes critical and no-critical terminal assets, such as kiosks, ATMs, and payment terminals.

  5. ICS, SCADA, & OT: This includes industrial control systems (ICS), supervisory control & data acquisition (SCADA), and operational technologies (OT).

  6. Healthcare Devices: This includes critical and non-critical network-based (including wireless) healthcare equipment, such as insulin pumps, heart monitors, and glucometers.

  7. Onboard Systems: This includes systems that are used to control or help navigate airplanes, cars, trucks, trains, and ships.

  8. Critical Internet of Thing (IoT) Devices: This only includes critical internet of thing devices, such as meters, inventory tracking systems, and drones.

  9. Non-Critical Internet of Thing (IoT) Devices: This only includes non-critical internet of thing devices, such as printers, apple TVs, and refrigerators.

  10. Media & Offline Data: This includes all forms of offline data and media, such as paper, USB drives, and removable hard drives.

  11. People: This includes the human element of an organization, such as employees, customers, and contractors.


Asset Group to Residual Risk Grid Association

The selection or deselection of an asset group has a direct association with the X-Analytics residual risk grid.

  • Applicable: If an asset is application, then the corresponding risk scenarios will be represented within the X-Analytics risk grid.

  • Not-Applicable: If an asset is not-applicable, then the corresponding risk scenarios will not be represented within the X-Analytics risk grid. A zero value indicates no representation.


Special Note: X-Analytics does not give you the ability to remove Servers & Applications, Network, or People from the Residual Risk Grid.


Risk Scenario: An X-Analytics risks scenario is the intersection of a threat category with an asset group. There are 110 risk scenarios in the above Residual Risk Grid.



To build asset applicability, please follow the steps below.



Step 1: Specify Which Assets are Applicable

The first Asset Applicability question is intended to capture which asset groups are applicable to the profile.

  • Web Applications: This includes all forms of web applications for production, non-production, and administrative purposes.

    • Purpose: to indicate if the profile contains web applications.

    • Informs: to determine if the Web Application Attack threat category, with the Residual Risk Grid, is applicable. If not applicable, then the entire Web Application Attack column will be zero values.

  • Removable Media: This includes all forms of media and offline data, such as paper, USB drives, and removable hard drives.

    • Purpose: to indicate if the profile contains media & offline data.

    • Informs: to determine if the Media & Offline Data asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Media & Offline Data row will be zero values.

  • Onboard Systems: This includes systems that are used to control or help navigate airplanes, cars, trucks, trains, and ships.

    • Purpose: to indicate if the profile contains onboard systems.

    • Informs: to determine if the Onboard Systems asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Onboard Systems row will be zero values.

  • Point-of-Sale Systems: This includes any system that stores, processes, and transmits payment data, such as PCI records.

    • Purpose: to indicate if the profile contains point-of-sale systems.

    • Informs: to determine if the PoS Intrusion threat category and Skimmers threat category, with the Residual Risk Grid, are applicable. If not applicable, then the entire PoS Intrusion and Skimmers columns will be zero values.

  • End User Systems: This includes critical and non-critical user assets, such as laptops, desktops, and mobile phones.

    • Purpose: to indicate if the profile contains end user systems.

    • Informs: to determine if the End User Systems asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire End User Systems row will be zero values.

  • ICS, SCADA, OT: This includes industrial control systems (ICS), supervisory control & data acquisition (SCADA), and operational technologies (OT).

    • Purpose: to indicate if the profile contains ICS, SCADA, and OT.

    • Informs: to determine if the ICS, SCADA, and OT asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire ICS, SCADA, and OT row will be zero values.

  • Critical Internet of Things (IoT) Devices: This only includes critical internet of thing devices, such as meters, inventory tracking systems, and drones.

    • Purpose: to indicate if the profile contains critical IoT devices.

    • Informs: to determine if the Critical IoT asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Critical IoT row will be zero values.

  • Terminals: This includes critical and no-critical terminal assets, such as kiosks, ATMs, and payment terminals.

    • Purpose: to indicate if the profile contains terminals.

    • Informs: to determine if the Terminals asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Terminals row will be zero values.

  • Healthcare Devices: This includes critical and non-critical network-based (including wireless) healthcare equipment, such as insulin pumps, heart monitors, and glucometers.

    • Purpose: to indicate if the profile contains healthcare devices.

    • Informs: to determine if the Healthcare Devices asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Healthcare Devices row will be zero values.

  • Non-Critical Internet of Things (IoT) Devices: This only includes non-critical internet of thing devices, such as printers, apple TVs, and refrigerators.

    • Purpose: to indicate if the profile contains non-critical IoT devices.

    • Informs: to determine if the Non-Critical IoT asset group, with the Residual Risk Grid, is applicable. If not applicable, then the entire Non-Critical IoT row will be zero values.




Step 2: Specify Which Assets Contain Web Applications

The second Asset Applicability question is intended to capture which asset groups contain web applications.

  • Servers and Applications:

    • Purpose: to indicate if the servers are hosting web applications.

    • Informs: to determine if the Web Application Attack : Server & Applications risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Removable Media:

    • Purpose: to indicate if removable media is storing offline web application data.

    • Informs: to determine if the Web Application Attack : Median & Offline Data risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Onboard Systems:

    • Purpose: to indicate if the onboard systems are hosting web applications.

    • Informs: to determine if the Web Application Attack : Onboard Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • End User Systems:

    • Purpose: to indicate if the end user systems are hosting web applications.

    • Informs: to determine if the Web Application Attack : End User Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • ICS, SCADA, OT:

    • Purpose: to indicate if the ICS, SCADA, or OT systems are hosting web applications.

    • Informs: to determine if the Web Application Attack : ICS, SCADA, OT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the critical IoT devices are hosting web applications.

    • Informs: to determine if the Web Application Attack : Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Terminals:

    • Purpose: to indicate if the terminals are hosting web applications.

    • Informs: to determine if the Web Application Attack : Terminals risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Healthcare Devices:

    • Purpose: to indicate if the healthcare devices are hosting web applications.

    • Informs: to determine if the Web Application Attack : Healthcare Devices risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the non-critical IoT devices are hosting web applications.

    • Informs: to determine if the Web Application Attack : Non-Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.



Step 3: Specify Which Assets Contain Point-of-Sale Functions

The third Asset Applicability question is intended to capture which asset groups contain point-of-sale functions.

  • Servers and Applications:

    • Purpose: to indicate if the servers have PoS functions.

    • Informs: to determine if the PoS Intrusion : Server & Applications risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Removable Media:

    • Purpose: to indicate if removable media is storing offline PoS (PCI) data.

    • Informs: to determine if the PoS Intrusion : Median & Offline Data risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Onboard Systems:

    • Purpose: to indicate if the onboard systems have PoS functions.

    • Informs: to determine if the PoS Intrusion : Onboard Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • End User Systems:

    • Purpose: to indicate if the end user systems have PoS functions.

    • Informs: to determine if the PoS Intrusion : End User Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • ICS, SCADA, OT:

    • Purpose: to indicate if the ICS, SCADA, or OT systems have PoS functions.

    • Informs: to determine if the PoS Intrusion : ICS, SCADA, OT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the critical IoT devices have PoS functions.

    • Informs: to determine if the PoS Intrusion : Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Terminals:

    • Purpose: to indicate if the terminals have PoS functions.

    • Informs: to determine if the PoS Intrusion : Terminals risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Healthcare Devices:

    • Purpose: to indicate if the healthcare devices have PoS functions.

    • Informs: to determine if the PoS Intrusion : Healthcare Devices risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the non-critical IoT devices have PoS functions.

    • Informs: to determine if the PoS Intrusion : Non-Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.



Step 4: Specify Which Assets Have the Ability to Read Magnetic Stripe Data From Payment Cards

The fourth Asset Applicability question is intended to capture which asset groups have the ability to read magnetic stripe data from payment cards.

  • Servers and Applications:

    • Purpose: to indicate if the servers have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Server & Applications risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Onboard Systems:

    • Purpose: to indicate if the onboard systems have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Onboard Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • End User Systems:

    • Purpose: to indicate if the end user systems have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : End User Systems risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • ICS, SCADA, OT:

    • Purpose: to indicate if the ICS, SCADA, or OT systems have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : ICS, SCADA, OT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the critical IoT devices have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Terminals:

    • Purpose: to indicate if the terminals have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Terminals risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Healthcare Devices:

    • Purpose: to indicate if the healthcare devices have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Healthcare Devices risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the non-critical IoT devices have the ability to read magnetic stripe data from payment cards.

    • Informs: to determine if the Skimmers : Non-Critical IoT risk scenario, with the Residual Risk Grid, is applicable. If not applicable, then the risk scenario will be zero value.



Step 5: Specify Which Assets Are Associated with Highly Critical Services

The fifth (and final) Asset Applicability question is intended to capture which asset groups have the ability to read magnetic stripe data from payment cards. Unlike the other asset applicability questions, this question is directly associated with the Misappropriation of Services loss category.

  • Web Applications:

    • Purpose: to indicate if web applications are associated with highly critical services.

    • Informs: to determine if the Web Application Attack threat category, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the threat column will be zero values for Misappropriation of Services Residual Risk Grid.

  • Network:

    • Purpose: to indicate if the network is associated with highly critical services.

    • Informs: to determine if the Network asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Removable Media:

    • Purpose: to indicate if removable media is associated with storing data or backups for highly critical services.

    • Informs: to determine if the Median & Offline Data asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Onboard Systems:

    • Purpose: to indicate if the onboard systems are associated with highly critical services.

    • Informs: to determine if the Onboard Systems asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • People:

    • Purpose: to indicate if the people are associated with highly critical services.

    • Informs: to determine if the People asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Point-of-Sale Systems:

    • Purpose: to indicate if point-of-sale systems are associated with highly critical services.

    • Informs: to determine if the PoS Intrusion threat category, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the threat column will be zero values for Misappropriation of Services Residual Risk Grid.

  • End User Systems:

    • Purpose: to indicate if the end user systems are associated with highly critical services.

    • Informs: to determine if the End User Systems asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • ICS, SCADA, OT:

    • Purpose: to indicate if the ICS, SCADA, or OT systems are associated with highly critical services.

    • Informs: to determine if the ICS, SCADA, OT asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the critical IoT devices are associated with highly critical services.

    • Informs: to determine if the Critical IoT asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Servers and Applications:

    • Purpose: to indicate if the servers are associated with highly critical services.

    • Informs: to determine if the Server & Applications asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Terminals:

    • Purpose: to indicate if the terminals are associated with highly critical services.

    • Informs: to determine if the Terminals asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Healthcare Devices:

    • Purpose: to indicate if the healthcare devices are associated with highly critical services.

    • Informs: to determine if the Healthcare Devices asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.

  • Critical Internet of Things (IoT) Devices:

    • Purpose: to indicate if the non-critical IoT devices are associated with highly critical services.

    • Informs: to determine if the Non-Critical IoT asset group, with the Misappropriation of Services Residual Risk Grid, is applicable. If not applicable, then the asset row will be zero values for Misappropriation of Services Residual Risk Grid.



Step 6: Complete the Next Section of the Profile Builder.

For further Profile Build guidance, please return here.

Comments


Commenting has been turned off.
bottom of page