Manage Assets

An asset is any resource that has value to the organization and for which risks must be managed. In the system, there are four default asset types: technology, process, person, and environment. Custom asset types can also be created in the Object Types section of the Administration module. Assets are always created within perimeters, and it is not possible to create them directly beneath the object representing the organization in the structure. For details on creating custom asset types, see Chapter 17: Administration -> Customizations -> Object Types.

Because risks come from various sources and the method used to analyze them may vary, the system allows an asset to be divided into one or more components. Each asset component can then be analyzed individually, since it has a set of good practices (known as a “knowledge base”) directly associated with it. An asset’s risks are always obtained by consolidating the risks identified for those of its components that were analyzed. Similarly, risk metrics can also be consolidated for the perimeters where the assets are located. For details on risk metrics, see Chapter 5: Risks -> Risk Metrics.

Assets can be created manually in the system, offline through a spreadsheet, or, in the case of technology assets, imported through an integration task with an external directory or from an inventory in Qualys or NeXpose. For details on importing organizational information through a spreadsheet, see Chapter 3: Organization -> Export/Import. For details on importing technology assets from an external directory or from Qualys or NeXpose inventories, see Chapter 17: Administration -> Integrations -> Integration Tasks.