Assets

This section provides orientation on managing assets, available through the Organization module.

An asset is any resource of value to the organization whose risks need to be managed. In the system, assets are classified by type: technology, process, person, environment, and any custom types created in the Object Types section of the Administration module. An organization’s assets can be represented through an organizational structure, where they are arranged hierarchically so that they can be associated with other system objects.

In addition to assets, objects that form the organizational structure include the organization itself and perimeters. The organization represents a company, agency, or corporation and is the root object of the structure. Perimeters, on the other hand, are physical or logical boundaries of the organization that allow assets to be better organized in the structure. These can be created immediately beneath the object representing the organization, and sub-perimeters can be created within perimeters. Assets, in turn, are always created within perimeters, and they cannot be created directly beneath the object representing the organization.

As there are various sources of risks and the method of analyzing these risks may require different specialists and different knowledge bases, the system allows an asset to be divided into one or more components. Every asset component can then be analyzed individually, since it will have a set of good practices (known as a "knowledge base") directly associated with it. Further ahead, we will see that risk is not analyzed for an asset directly but rather for its components. Each asset may have several components, but an asset component can only belong to a single asset. An asset’s risks are always obtained by consolidating the risks identified for its components that were analyzed. Similarly, risk metrics can also be consolidated for perimeters where the assets are located. For further details on risk metrics, see Chapter 5: Risks -> Risk Metrics.

When an asset component is created, it is associated with a knowledge base, which contains the good practices (controls) used to measure risks. Just as there are various types of assets, there are also different types of knowledge bases.

Although the system allows asset components and knowledge bases to be freely associated regardless of the type, as a general rule, the type of knowledge base should be compatible with the type of asset. For example, a person-type asset component should, in general, be associated with a person-type knowledge base; a technology-type asset component should be associated with a technology-type knowledge base; and so on.
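The placement, ownership, and type-compatibility rules described above, together with the roll-up of component risks, are modelled below. This is an added example, not the product's own code: all class and function names are hypothetical, the sample data is constructed, and summing is only an assumed consolidation method, since this page does not state the formula.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    kind: str                          # "organization", "perimeter" or "asset"
    asset_type: Optional[str] = None   # set for assets only
    children: list = field(default_factory=list)
    components: list = field(default_factory=list)

@dataclass
class Component:
    name: str
    kb_type: str                       # type of the associated knowledge base
    risk: Optional[float] = None       # None means "not analyzed yet"
    owner: Optional[Node] = None

# Placement rules from the text: child kind -> parent kinds it may sit under.
ALLOWED_PARENTS = {"perimeter": {"organization", "perimeter"}, "asset": {"perimeter"}}

def add_child(parent, child):
    if parent.kind not in ALLOWED_PARENTS.get(child.kind, set()):
        raise ValueError(f"{child.kind} '{child.name}' cannot sit under a {parent.kind}")
    parent.children.append(child)
    return child

def add_component(asset, comp):
    """Attach a component; return a warning on a type mismatch, else None."""
    if asset.kind != "asset":
        raise ValueError("components can only belong to assets")
    if comp.owner is not None:
        raise ValueError(f"'{comp.name}' already belongs to '{comp.owner.name}'")
    comp.owner = asset
    asset.components.append(comp)
    if comp.kb_type != asset.asset_type:   # allowed, but against the general rule
        return f"'{comp.name}': {comp.kb_type} knowledge base on {asset.asset_type} asset"
    return None

def consolidated_risk(node, combine=sum):
    """Roll up analyzed component risks; 'combine' is an assumed method."""
    scores = [c.risk for c in node.components if c.risk is not None]
    rolled = (consolidated_risk(ch, combine) for ch in node.children)
    scores += [r for r in rolled if r is not None]
    return combine(scores) if scores else None

# Constructed sample: one perimeter, one asset, one analyzed component.
org = Node("Example Org", "organization")
site = add_child(org, Node("Data center", "perimeter"))
server = add_child(site, Node("DB server", "asset", "technology"))
add_component(server, Component("Operating system", "technology", 4.0))
```

Components that have not been analyzed contribute nothing to the roll-up, and a perimeter with no analyzed components yields `None` rather than zero.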

The figure below summarizes the relationships between perimeters, assets, asset types, asset components, knowledge bases, and knowledge base types.

 

 

It is important to note that the organizational structure is not a complete "property inventory". Not all the organization’s assets need to be registered, only those for which risks need to be managed.