Asset valuation was not a part of the original SimpleRisk implementation and was added later on. You will notice that, as a result, there is no direct relationship in SimpleRisk between the risk score and the asset valuation. While some might argue (and we would agree) that risk score is a combination of likelihood, impact, and the value of the asset it affects, the fact is that most organizations are struggling with just managing the risks themselves and they are not yet at a point where asset valuation can provide any context. We have integrated into SimpleRisk what we believe is a simplified middle ground where assets can still be valued and used as a factor in determining how to mitigate risks, but it does not inhibit the majority from getting started either.
The key purpose in giving an asset a value isn't so that it can affect the risk score, but rather, so you can use it to determine how to prioritize your mitigations. Thus, SimpleRisk introduces what is effectively a 1-10 scale for valuing an asset. This can be viewed by going to the Configure menu at the top, followed by the Asset Valuation menu on the left side. On this configuration page, you can adjust the currency used for your asset valuations (dollars by default), the default asset valuation (a 5 on the 1-10 scale by default), and adjust the asset valuation range. You can adjust the asset valuation range using either the Automatic option, which will create equal valuation tiers based on your minimum and maximum values, or the Manual option, which allows you to define the values of each of the tiers.
Once you have configured the values for each of the ten tiers, your next step will be to go to the Asset Management menu at the top. This section will be available for any user who has been granted the Allow Access to "Asset Management" menu user responsibility. It provides the user with the ability to do Automated Discovery, which uses a ping and nslookup to discover assets on any IP address that your SimpleRisk instance can communicate with, as well as the ability to manually add, edit, and remove assets. Each asset can be configured with the following values:
- Asset Name
- IP Address
- Asset Valuation (based on the valuation tiers we defined above)
- Asset Details
Customers who have purchased the Import-Export Extra have the additional ability to do a batch import of assets with these values via a CSV file import. This is useful if you have the ability to export an existing list of assets from a vulnerability assessment or asset management tool.
Associating Assets with Risks
You have the ability to associate assets with risks anytime you are submitting a new risk or editing an existing risk. On that form, you will see a field labeled Affected Assets. Clicking into the Affected Assets field will pop up a box that allows you to enter your assets as a comma-separated list. As you begin typing, or if you press the left or right arrow keys, you will see a dropdown list appear along the bottom of the pop-up box with the names of assets that have already been defined in the system. You may select one or more of these assets, or you can define your own asset names that have not yet been entered into the system. If you do enter new assets that have not yet been defined, they will show up in a dropdown list of usable values in the Asset Name field when adding a new asset, as described above. After the new risk has been submitted, or the existing risk has been updated, the assets will be associated with the risk.
Reporting on Risks and Assets
While you can always see the assets associated with a risk just by looking at it, we have created a special report to help you to see these relationships and take actions based on them. The report is available if you click on the Reporting menu at the top, followed by the Risks and Assets menu on the left. The default Risks by Asset view for this report will show you a table for each asset that has been entered into the system, including its value, and a row for each risk that has been associated with the asset. This view is excellent for seeing if there are certain assets that have inherently more risk than others, which could be an indication of the need to upgrade or decommission that asset. There is a Report dropdown at the top left of that page that will allow you to change from the default view to the Assets by Risk view. By switching to this view, you will see a table for each risk that has been entered into the system, including its score, and a row for each asset that is associated with the risk. It will show the valuation for each asset and calculate the cumulative values of each of the associated assets, which is shown as the Maximum Quantitative Loss for the risk. In other words, it will show you the most that you could expect to lose if each of your risks were to happen.
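The following Python snippet is an added illustration of the two calculations described on this page, the ten equal valuation tiers produced by the Automatic option and the Maximum Quantitative Loss shown in the Assets by Risk view; it is not SimpleRisk's own code. The exact spacing rule SimpleRisk uses for automatic tiers, and the treatment of an asset named on a risk before it has been valued (given the default tier 5 here), are assumptions; the asset and risk data are constructed.

```python
from collections import defaultdict

def automatic_tiers(min_value, max_value, tiers=10):
    """Assumed 'Automatic' rule: tier 1 = min, tier N = max, equal spacing."""
    if tiers < 2 or max_value < min_value:
        raise ValueError("need at least two tiers and max_value >= min_value")
    return [min_value + (max_value - min_value) * i / (tiers - 1)
            for i in range(tiers)]

def tier_value(tier, tiers):
    """Currency value of a 1-based valuation tier."""
    if not 1 <= tier <= len(tiers):
        raise ValueError(f"valuation tier must be between 1 and {len(tiers)}")
    return tiers[tier - 1]

def maximum_quantitative_loss(risks, assets, tiers, default_tier=5):
    """Assets by Risk view: sum the values of each risk's affected assets.
    An asset named on a risk but not yet valued gets the default tier
    (assumption; SimpleRisk's default valuation is tier 5)."""
    return {risk: sum(tier_value(assets.get(a, default_tier), tiers)
                      for a in affected)
            for risk, affected in risks.items()}

def risks_by_asset(risks, assets, tiers, default_tier=5):
    """Risks by Asset view: value of each asset and the risks that affect it."""
    view = defaultdict(list)
    for risk, affected in risks.items():
        for a in affected:
            view[a].append(risk)
    return {a: (tier_value(assets.get(a, default_tier), tiers), sorted(rs))
            for a, rs in view.items()}

# Constructed sample data (not from the page): tier 1 = 10k ... tier 10 = 100k.
TIERS = automatic_tiers(10_000, 100_000)
ASSETS = {"web-01": 8, "db-01": 10, "printer-03": 2}   # asset name -> tier
RISKS = {
    "R-1 unpatched web framework": ["web-01", "db-01"],
    "R-2 default printer credentials": ["printer-03", "unvalued-host"],
}

if __name__ == "__main__":
    for risk, loss in maximum_quantitative_loss(RISKS, ASSETS, TIERS).items():
        print(f"{risk}: maximum quantitative loss {loss:,.0f}")
    for asset, (value, rs) in risks_by_asset(RISKS, ASSETS, TIERS).items():
        print(f"{asset} (value {value:,.0f}): {len(rs)} associated risk(s)")
```

An asset that collects several risks in the Risks by Asset output is the signal the page describes for upgrade or decommission decisions, while the per-risk totals drive mitigation priority.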
While we realize that this doesn't get you to the RISK = LIKELIHOOD x IMPACT x ASSET VALUE score that some of the more advanced risk management practices may desire, we believe that it is a far simpler approach that accomplishes close to the same thing, while at the same time maintaining SimpleRisk as a platform that doesn't inhibit others from getting started with the basics. If this type of scoring is absolutely a necessity for your organization, then perhaps you should consider one of the bloated, costly GRC tools out there. If you are looking for simple workflows that get you up and running with your risk management program quickly and with minimal overhead, then SimpleRisk will be an excellent option for you.