Asset identification and testing approach #13
-
|
I need advice on how to classify the security and network “assets” of a device so that tests required by standard EN 18031-1 can be defined and executed. Background:
Questions:
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Hello @bin-to-hex,
Regarding open ports, I would not regard them as assets since they don't fit any of the definitions as is. Rather, I would declare their respected network service exposed over that port as network/security function. Note The standards don't dictate the level of granularity when documenting assets. Since the number of assets declared affects the documentation & testing effort (e.g., for each asset type there can be multiple Decision Trees to document) we recommend trying to group assets where possible. Taking again the firewall as example, its config files could be grouped as one security parameter as long as they all have the same access control(s), are stored on the same storage and are communicated over the same communication mechanism.
I hope this helps you, do not hesitate if there's anything unclear. |
Beta Was this translation helpful? Give feedback.
Hello @bin-to-hex,
You can refer to our articles on security/network/privacy assets available on our website. We propose our interpretation of the definitions of assets and a pragmatic approach on the thought process to adopt to identify them. We know that classification of assets is a challenge in the industry currently, and consensus is still to be found across industry players. See the TIC Council's paper From Testing to Policy (https://www.tic-council.org/publications).
For the firewall example, we include this example already in our article on security assets. At a minimum, I would list out the following security function and parameters: