Inventoried IT and OT assets are prioritized based on defined criteria that include importance to the delivery of the function
Prioritization of assets supports many cybersecurity and operational activities, such as incident response, risk management, threat management, and cybersecurity architecture planning. There are multiple approaches to asset prioritization, including forced ranking (a single sequential list, most important asset first) and tiered ranking (e.g., all assets involved in the flow of gas are tier 1, assets that support efficiency and monitoring are tier 2, and assets supporting non-critical functions such as public relations and marketing are tier 3). Tiers should be based on defined criteria, such as the importance of the asset to the function (e.g., safety impact, criticality of the asset to the delivery of the function, scarcity of the asset, and how many other assets depend on it) and the sensitivity of the data the asset stores or processes. Prioritizations should be documented and, ideally, agreed on by all involved stakeholders; they should also be communicated throughout the organization for use in incident response, risk management, and other relevant activities. As an example of a criterion that is easy to overlook, virtualized assets may warrant a higher priority than their role alone suggests: asset sprawl and characteristics unique to virtualization (the ease of capturing snapshots and the storage of dormant virtual machines as files) can increase the risk they pose to the function. Whatever approach is used, the importance of the asset to the delivery of the function should be one of the prioritization criteria.
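The following is an added worked example, not part of the C2M2 practice text, showing one way to implement the tiered ranking described above and derive a forced ranking from it. The asset names, criteria scales, weights, and tier thresholds are illustrative assumptions; the inventory is a constructed sample. The one point the paragraph states but is easy to get wrong in practice is the dependency criterion: a supporting asset (here an assumed domain controller) that scores low on its own criteria is raised to the tier of the tier 1 asset that depends on it. The example also rejects a dependency on an asset that is not in the inventory, since prioritization is only as complete as the inventory it runs over.

```python
"""Tiered asset prioritization with dependency propagation.

Added example, not from the C2M2 practice text. Asset names, criteria scales,
weights and tier thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                 # "IT" or "OT"
    safety: int               # 0-3: consequence to safety if the asset fails
    criticality: int          # 0-3: importance to delivery of the function
    scarcity: int             # 0-3: how hard the asset is to replace
    data_sensitivity: int     # 0-3: sensitivity of data stored or processed
    depends_on: list[str] = field(default_factory=list)  # assets this asset needs


# Constructed sample inventory for a gas distribution function (illustrative).
INVENTORY = [
    Asset("plc-compressor-01", "OT", 3, 3, 2, 1),
    Asset("hmi-control-room", "OT", 2, 3, 1, 1,
          depends_on=["plc-compressor-01", "ad-dc-01"]),
    Asset("historian-01", "IT", 0, 1, 1, 2),
    Asset("ad-dc-01", "IT", 0, 1, 1, 2),          # scores low on its own criteria
    Asset("billing-web", "IT", 0, 1, 1, 3, depends_on=["ad-dc-01"]),
    Asset("pr-website", "IT", 0, 0, 0, 0),
]

# Assumed weights: importance to the function dominates, data sensitivity next.
WEIGHTS = {"safety": 3, "criticality": 3, "scarcity": 1, "data_sensitivity": 2}
TIER1_MIN, TIER2_MIN = 15, 7   # assumed thresholds out of a maximum of 27


def intrinsic_score(asset: Asset) -> int:
    """Weighted sum of the defined criteria, ignoring dependencies."""
    return sum(WEIGHTS[k] * getattr(asset, k) for k in WEIGHTS)


def intrinsic_tier(score: int) -> int:
    if score >= TIER1_MIN:
        return 1
    if score >= TIER2_MIN:
        return 2
    return 3


def prioritize(inventory: list[Asset]) -> dict[str, tuple[int, str]]:
    """Return {name: (tier, reason)}.

    Tiers are first assigned from intrinsic scores, then any asset that a
    higher-tier asset depends on is raised to that tier. Tiers only ever
    decrease numerically, so the loop terminates even if dependencies form a cycle.
    """
    by_name = {a.name: a for a in inventory}
    for a in inventory:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on uninventoried asset {dep}")

    tier = {a.name: intrinsic_tier(intrinsic_score(a)) for a in inventory}
    reason = {a.name: "intrinsic" for a in inventory}
    changed = True
    while changed:
        changed = False
        for a in inventory:
            for dep in a.depends_on:
                if tier[a.name] < tier[dep]:      # dependent is more important
                    tier[dep] = tier[a.name]
                    reason[dep] = f"supports {a.name}"
                    changed = True
    return {n: (tier[n], reason[n]) for n in tier}


def forced_ranking(inventory: list[Asset]) -> list[str]:
    """Sequential list: by tier, then by intrinsic score, then by name."""
    tiers = prioritize(inventory)
    scores = {a.name: intrinsic_score(a) for a in inventory}
    return sorted(tiers, key=lambda n: (tiers[n][0], -scores[n], n))


if __name__ == "__main__":
    for name, (t, why) in prioritize(INVENTORY).items():
        print(f"tier {t}  {name:20s} ({why})")
    print("forced ranking:", forced_ranking(INVENTORY))
```

The reason string records why an asset holds its tier, which is what stakeholders need when reviewing and agreeing on the prioritization; an asset whose tier comes from a dependency rather than its own criteria is exactly the case that tends to be disputed.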
Related Practices
· Input From: Implementing ASSET-1a provides input that may be useful for implementing this practice.
· Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-1c, ASSET-1d.