Page 186 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
An important step in risk analysis is to appraise the value of an
organization’s assets. If an asset has no value, then there is no need to
provide protection for it. A primary goal of risk analysis is to ensure
that only cost-effective safeguards are deployed. It makes no sense to
spend $100,000 protecting an asset that is worth only $1,000. The
value of an asset directly affects and guides the level of safeguards and
security deployed to protect it. As a rule, the annual costs of
safeguards should not exceed the expected annual cost of asset loss.

When the cost of an asset is evaluated, there are many aspects to
consider. The goal of asset valuation is to assign to an asset a specific
dollar value that encompasses tangible costs as well as intangible ones.
Determining an exact value is often difficult if not impossible, but
nevertheless, a specific value must be established. (Note that the
discussion of qualitative versus quantitative risk analysis in the next
section may clarify this issue.) Improperly assigning value to assets
can result in failing to properly protect an asset or implementing
financially infeasible safeguards. The following list includes some of
the tangible and intangible issues that contribute to the valuation of
assets:
Purchase cost
Development cost
Administrative or management cost
Maintenance or upkeep cost
Cost in acquiring asset
Cost to protect or sustain asset
Value to owners and users
Value to competitors
Intellectual property or equity value
Market valuation (sustainable price)
Replacement cost
Productivity enhancement or degradation

