Risk Management Use Case: IT Asset Management (ITAM) Integration
Use Case Description
Integrate risk management with IT Asset Management (ITAM) to ensure that all assets critical to business support functions and the operation of information systems are identified and managed effectively.
The fields "Related to business critical support functions" and "Important for the operation of information systems" are used for managing essential resources and elements of the physical environment whose security is important for the operation of information systems.
This helps to ensure that essential resources, including critical support functions, services, and systems, are properly identified and managed. It also helps in recognizing elements of the physical environment crucial for the operation of information systems, protecting them from threats and ensuring their availability and security. This structured approach facilitates compliance with NIS2 by enabling comprehensive risk management through ITAM and configuration management.
Example Scenario
Consider a scenario where an organization has a critical database server that stores customer transaction data. This server is essential for business operations, and any downtime could lead to significant financial losses and reputational damage. To manage this risk, the server is documented in the Efecte ITAM and assigned a value in the "Related to business critical support functions" attribute. This attribute highlights the server's critical role and ensures that its risks are continuously monitored and mitigated.
Workflow
- Review Assets: Review IT assets, including devices, integrations, applications, databases, networks, and SaaS components, and evaluate their importance for the business and information systems.
- Assign Attributes: Manually assign values to new attributes for each asset, such as "Related to business critical support functions" and "Important for the operation of information systems".
- Link Assets to Risks: Users can link one or several assets to risks. The assets can, but do not have to, exist in Efecte.
  - For an asset that does not exist in Efecte, you can use the Risk asset template.
- Assess Asset Risks: Evaluate the risks associated with each critical asset.
- Implement Controls: Apply controls to mitigate identified risks.
- Monitor and Review: Regularly review asset risks and control effectiveness.
Results
- Comprehensive risk management for all IT assets, especially those critical to business support functions and information system operations.
Benefits
- Ensures all critical IT assets are included in the risk management process.
- Reduces the likelihood of unmanaged risks impacting critical business functions and information systems.