What is an asset?  An asset is anything that’s valuable, but usually this means:

  • Data (such as PII)
  • Software
  • IT components 
  • Intellectual property
  • Brand
  • Reputation
  • Real estate/facilities

Resource is another term for asset. Assets and resources are valued in two ways:

  • Qualitative – characterized in a “classification” such as confidential, proprietary
  • Quantitative – value is shown monetarily

Note: asset value drives the classification, which drives the security. In other words, the monetary value or the data classification helps decide which security controls are applicable, chosen, and ultimately applied.

What are materials? Materials are the expendable items that go into finished products; things like ink and paper that go into newspapers.

What are supplies? Supplies are the expendable items that go into the administrative support of creating finished products – you can also view supplies as items related to business administration rather than product creation. For example, supplies would be the ink and paper used in the office staff’s workspace, but not for the newspaper itself.

Materials and supplies differ from assets in that they would most likely not appear in the asset inventory or receive a classification; i.e., they are less important “assets”.

Here’s a fun mnemonic for this: let’s assume you work in a moonshine factory. The phrase to memorize is “Supplies for staff, materials for mash”.

Classification is the process of assigning security tags, labels, or markings to assets, such as top secret (confidential), proprietary (company restricted), sensitive (company confidential), or public – this helps to determine the security level of each asset. The asset should have a value assigned before being classified.

An asset inventory is a tool that helps organizations identify, locate, and classify their assets. The components of an asset inventory might include the following:

  • Asset name
  • Asset location
  • Asset value
  • Asset owner
  • Asset classification
  • Annual cost of maintenance
  • Projected lifespan of the asset
  • Protection level required

The asset classification process consists of five steps:

  1. Create an Asset Inventory
  2. Assign Ownership
  3. Classify (Based on Value)
  4. Protect (Based on Classification)
  5. Assess and Review

To memorize the asset classification process, think of CACPA, which rhymes with “Cat Paw.”

There is an asset protection process that is similar but consists of three simpler steps:

  1. Identify, Locate, and Value
  2. Classify (based on value)
  3. Protect (based on classification)

You can think of this as three letters, VCP = Value, Classify, and Protect.  Notice how each step relies on the prior step.  

Step 1 is self-explanatory; step 2, however, is where Ownership is determined. Ownership is an important concept, as the owner is in the best position to understand the value of the asset. The owner’s responsibility is to classify the assets they own. The owner is also ultimately accountable for the asset’s protection, so Accountability becomes an important concept for the exam. The owner must therefore have adequate knowledge about the asset, including regulations, business expectations, and customer expectations, and must use consistent classification methods.
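The dependency between valuing, classifying, and protecting can be checked mechanically against an asset inventory. The following is an added example, not part of the original notes: the `Asset` fields follow the inventory components listed above, while the numeric protection levels in `BASELINE`, the finding messages, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical baseline: labels are the page's, numeric levels are assumed.
BASELINE = {"public": 0, "sensitive": 1, "proprietary": 2, "top secret": 3}

@dataclass
class Asset:
    name: str
    location: str
    value: Optional[float] = None        # quantitative (monetary) value
    owner: Optional[str] = None
    classification: Optional[str] = None
    protection_level: Optional[int] = None

def audit(asset):
    """Return findings where a step was skipped or done out of order."""
    findings = []
    if asset.owner is None:
        findings.append("no owner accountable for the asset")
    if asset.value is None:
        findings.append("no value assigned")
        if asset.classification is not None:
            findings.append("classified before being valued")
    if asset.classification is None:
        if asset.protection_level is not None:
            findings.append("protected without a classification")
    elif asset.classification not in BASELINE:
        findings.append("unknown classification label")
    elif asset.protection_level is None:
        findings.append("classified but no protection recorded")
    elif asset.protection_level < BASELINE[asset.classification]:
        findings.append("protection below baseline for classification")
    return findings

def audit_inventory(inventory):
    """Map asset name -> findings, keeping only assets with findings."""
    results = {a.name: audit(a) for a in inventory}
    return {name: f for name, f in results.items() if f}

# Constructed sample inventory (all names and values are made up).
INVENTORY = [
    Asset("customer-db", "dc-1", 2_000_000, "data owner A", "top secret", 3),
    Asset("hr-share", "dc-1", None, "hr lead", "sensitive", 1),
    Asset("pos-kiosk-7", "store 12", 15_000, None, "proprietary", 1),
    Asset("marketing-site", "cloud", 5_000, "web team", None, 2),
]
```

Calling `audit_inventory(INVENTORY)` reports every asset where value, classification, or protection was recorded without the step it depends on, along with assets that have no accountable owner.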

A label is a method of indicating the classification level of the asset. Examples:

  • Stamping a physical device or document with “top secret” 
  • Renaming a file with “sensitive” in the filename, or certain server types with “federal” in the nomenclature
  • Putting “confidential” in the subject line of an email 

Step 3 is where a Baseline, or Minimum Security Requirements, is established for each classification.

Media marking is the same as labeling, tagging, or marking.  Labeling/marking/tagging can be useful for a lot of reasons.  One of them is to help the effectiveness of an enterprise content management system (ECMS).  ISC2 mentions that ECMS should be paired with data loss prevention to adequately mitigate the risks that surround intellectual property.

Kiosk service points, which are mentioned in Domain 2, are remote assets that can process transactions, such as automated teller machines (ATMs) and point of sale devices (at stores for purchasing with credit/debit cards). These assets typically don’t store transaction information themselves; rather, the applications that support them do.

Tangible assets have a physical existence. You can touch them, such as computer servers, land, or buildings.

Intangible assets don’t really have a physical existence. These could be ideas, reputations, or undocumented agreements, but typically would be data and software.