Page 1035 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
highest value and identifies controls to mitigate risks to these assets.
The value of an asset is more than just the purchase price. For
example, consider a web server hosting an ecommerce site that is
generating $10,000 a day in sales. It is much more valuable than just
the cost of the hardware and software. If this server fails, causing the
ecommerce site to become unavailable, it would result in the loss of
revenue from direct sales and the loss of customer goodwill.
Customer goodwill is one of many intangible aspects that
represent the actual value of an asset.
Knowing the asset value also helps with cost-benefit analysis, which
seeks to determine the cost-effectiveness of different types of security
controls. For example, if an asset is valued at hundreds of thousands
of dollars, an effective security control that costs $100 is justified. In
contrast, spending a few hundred dollars to protect against the theft of
a $10 mouse is not a justifiable expense. Instead, an organization will
often accept risks associated with low-value assets.
In the context of access control attacks, it’s important to evaluate the
value of data. For example, if an attacker compromises a database
server and downloads a customer database that includes privacy data
and credit card information, it represents a significant loss to the
company. This isn’t always easy to quantify, but attacks on Equifax
provide some perspective. (See the sidebar “Data Breaches at
Equifax.”)
Data Breaches at Equifax
Equifax, a consumer credit reporting agency, suffered several
attacks in 2017. It reportedly suffered a major breach of its
computer systems in March 2017. While Equifax didn’t report any
data breaches from this attack, some analysts indicate that
attackers probably installed some remote access tools (RATs) to

