5. Information Security Management System

5.5. Asset management

An asset is anything that has value for a person, an organisation or a state.

From the point of view of civil law, an asset can be a tangible thing (a building, a computer system, networks, energy, goods, etc.) or an intangible one (information, knowledge, data, programs, etc.).

However, an asset can also be a quality (e.g. the availability and functionality of a system and its data) or a good name or reputation. From the point of view of cybersecurity, people (users, administrators, etc.), together with their knowledge and experience, are assets as well.

Ancillary assets are the technical assets, employees and suppliers involved in the operation, development, administration or security of the information and communication system.

A primary asset is information processed by, or a service provided by, an information and communication system.

“As part of sound information security management, it is important to have an overview of the links and dependencies between primary and ancillary assets.”[1]

As part of asset management, entities are required to:

  • establish a methodology for identifying assets,
  • establish a methodology for valuing assets,
  • identify and record assets,
  • determine and record asset guarantors (the persons responsible for each asset),
  • assess and record primary assets in terms of confidentiality, integrity and availability and classify them into individual asset levels,
  • determine and record the links between primary and ancillary assets and assess the consequences of the dependencies between primary and ancillary assets,
  • assess ancillary assets and take into account the interdependencies between primary and ancillary assets,
  • establish and implement the protection rules necessary to secure the various levels of assets,
  • lay down permissible uses for the assets and rules for the handling of assets with regard to the level of assets, including rules for the secure electronic sharing and physical transfer of assets,
  • determine the method of disposal of data, operational data, information and copies of them, and of the technical data carriers, with regard to the asset level.
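The valuation steps above (rate each primary asset for confidentiality, integrity and availability, record which ancillary assets it depends on, then assess the ancillary assets in the light of those dependencies) can be modelled as a small asset register. The Python below is an added illustration and is not part of the original text or of any regulatory methodology. Everything in it is an assumption: the four-level scale, the rule that an ancillary asset inherits, per dimension, the highest rating of every primary asset that depends on it, the derivation of an overall level from the worst dimension, and all asset and guarantor names.

```python
"""Asset register: CIA valuation of primary assets and derivation of
ancillary-asset ratings from the recorded dependencies.

Added example, not from the original text. Assumed (not from the page):
a 1..4 scale per dimension, and that an ancillary asset takes, per
dimension, the maximum rating of the primary assets that depend on it.
"""
from dataclasses import dataclass, field

LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # assumed scale


@dataclass(frozen=True)
class Rating:
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for v in (self.confidentiality, self.integrity, self.availability):
            if v not in LEVELS:
                raise ValueError(f"rating {v} outside the assumed 1..4 scale")

    @property
    def level(self) -> int:
        # Overall asset level = worst-case dimension (assumption).
        return max(self.confidentiality, self.integrity, self.availability)

    def merged(self, other: "Rating") -> "Rating":
        # Per-dimension maximum, used when several primaries share an ancillary.
        return Rating(max(self.confidentiality, other.confidentiality),
                      max(self.integrity, other.integrity),
                      max(self.availability, other.availability))


@dataclass
class PrimaryAsset:
    name: str
    guarantor: str
    rating: Rating
    depends_on: list = field(default_factory=list)  # ancillary asset names


@dataclass
class AncillaryAsset:
    name: str
    guarantor: str


def derive_ancillary_ratings(primaries, ancillaries):
    """Return {ancillary name: Rating or None}.

    None marks an ancillary asset that no primary asset depends on; it is
    reported rather than silently rated low so the register can be reviewed.
    A dependency on an unregistered ancillary asset is an error in the register.
    """
    derived = {a.name: None for a in ancillaries}
    for p in primaries:
        for dep in p.depends_on:
            if dep not in derived:
                raise KeyError(f"{p.name} depends on unregistered asset {dep!r}")
            cur = derived[dep]
            derived[dep] = p.rating if cur is None else cur.merged(p.rating)
    return derived


def register_findings(primaries, ancillaries):
    """Consistency checks on the register: missing guarantors and unlinked
    ancillary assets. Returns a list of human-readable findings."""
    findings = []
    for a in list(primaries) + list(ancillaries):
        if not a.guarantor.strip():
            findings.append(f"{a.name}: no guarantor recorded")
    for name, rating in derive_ancillary_ratings(primaries, ancillaries).items():
        if rating is None:
            findings.append(f"{name}: no primary asset depends on it")
    return findings


# Constructed sample register; names and ratings are illustrative only.
PRIMARIES = [
    PrimaryAsset("customer-records", "J. Novak", Rating(4, 3, 2),
                 depends_on=["db-cluster", "backup-vault"]),
    PrimaryAsset("public-website", "A. Svoboda", Rating(1, 3, 3),
                 depends_on=["web-frontend", "db-cluster"]),
    PrimaryAsset("payroll", "M. Dvorak", Rating(3, 3, 2),
                 depends_on=["hr-app", "db-cluster"]),
]
ANCILLARIES = [
    AncillaryAsset("db-cluster", "ops team"),
    AncillaryAsset("backup-vault", "ops team"),
    AncillaryAsset("web-frontend", "web team"),
    AncillaryAsset("hr-app", ""),          # guarantor missing on purpose
    AncillaryAsset("legacy-fax", "office"),  # nothing depends on it
]

if __name__ == "__main__":
    for name, r in derive_ancillary_ratings(PRIMARIES, ANCILLARIES).items():
        print(name, "->", r and f"C{r.confidentiality} I{r.integrity} "
                                f"A{r.availability} level {LEVELS[r.level]}")
    for f in register_findings(PRIMARIES, ANCILLARIES):
        print("finding:", f)
```

Running the block shows the shared database cluster ending up rated C4 I3 A3 (critical) although no single primary asset that uses it is rated that high in every dimension, which is the point of recording dependencies: an ancillary asset must be protected to the level of the most demanding primary asset it supports, not to the level of the one it was bought for.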

In assessing the significance of primary assets, it is mandatory to consider:

  • scope and importance of personal data, special categories of personal data or trade secrets,
  • scope of the legal or other obligations concerned,
  • extent of the disruption to internal management and control activities,
  • damage to public, commercial or economic interests and possible financial losses,
  • impacts on the provision of important services,
  • scope of the disruption of normal activities,
  • impacts on the maintenance of goodwill or the protection of reputation,
  • impacts on the safety and health of persons,
  • impacts on international relations,
  • impacts on users of the information and communication system.


[1] MAISNER, Martin and Barbora VLACHOVÁ. Zákon o kybernetické bezpečnosti. Komentář [Act on Cyber Security. Commentary]. Prague: Wolters Kluwer, 2015, p. 85.