Ask the Expert

Resources for conducting an Information Asset Analysis

I would like to complete an Information Asset Analysis so that our company can establish: (1) What systems exist in some 40+ locations, (2) Who are the owners/custodians of these systems, (3) Whether these systems are accessed by other systems/remote users and (4) What security controls exist to safeguard electronic patient health information.

This is step one in organizing an enterprise security program. Can you please help me identify methodologies, forms, documents that would be useful in conducting such an analysis?

I would recommend taking a look at the OCTAVE methodology. This is a methodology established by the CERT Coordination Center that stands for Operationally Critical Threat, Asset and Vulnerability Evaluation. It is a framework/approach for performing your own information risk assessments. Check out for more information.

There's also an excellent book that goes into even more detail on OCTAVE that you might benefit from titled "Managing Information Security Risks: The OCTAVE Approach" by Christopher J. Alberts and Audrey J. Dorofee.


This was first published in June 2004.
