devguard

Assets

Assets represent valuable resources like data, systems, or processes that need protection, serving as the foundation for risk assessment and control implementation across your organization.

Overview

Assets are organized into Asset Classes, linked with Entitlements for access reviews, and can undergo Reviews similar to risks. Together, they ensure that resources are systematically identified, assessed, and managed with clear accountability and oversight.

Asset Management

Assets connect directly to controls, locations, roles, and risk management activities. Each asset includes detailed fields to describe ownership, classification, and security attributes.

Fields Explained

| Field | Description | Example |
|---|---|---|
| Name | Human-readable name of the asset (required) | "AWS" |
| Slug | Unique identifier generated from the name (required) | "aws" |
| Owner | Relation to a role (defined in Settings) (required) | "CTO" |
| Status | Lifecycle status of the asset (required) | "Active", "Retired" |
| Parent Asset | Relation to another asset, allowing nested structures | "AWS Cloud Infrastructure" |
| Description | Detailed description of the asset | "Amazon Web Services" |
| Labels | Free-form tags to group and filter the asset (multiple allowed) | "PII", "Production" |
| Asset Class | Relation to an asset class | "Cloud" |
| Confidentiality | CIA rating: value between 1–10 | 10 |
| Integrity | CIA rating: value between 1–10 | 8 |
| Availability | CIA rating: value between 1–10 | 9 |
| Controls | Relation to controls that protect the asset | "Access Control Policy" |
| Location | Relation to a location (e.g., data center, office) | "Zurich Datacenter" |
| Membership | Relation to roles with access to the asset | "Developers" |
| Retention Period | Relation to a schedule for access or data retention | "Annual Review" |

Labels

Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to an asset to capture cross-cutting groupings the structured fields don't — a data-sensitivity class, an environment (production/staging), an owning team, or a project. An asset can carry any number of labels, and the asset list offers a Labels filter to narrow to everything sharing a tag. The same labels can be applied to risks and vendors, giving you one consistent vocabulary across the product.

CIA Triad in Risk Management

Assets use the CIA Triad to assess security properties:

  • Confidentiality: Ensures sensitive information is accessible only to authorized parties.
  • Integrity: Ensures information remains accurate, consistent, and unaltered.
  • Availability: Ensures information and systems remain accessible when needed.

In risk management, the CIA Triad helps quantify asset criticality and define security requirements. For example, a financial database may have Confidentiality: 10, Integrity: 10, Availability: 8, requiring strong encryption and redundancy.

When an Asset Class is assigned, its CIA ratings combine with the asset’s ratings. The final score is an average of the two, ensuring both the general class properties and the specific asset details influence the result.

About Access Management

Access management ensures that assets are available only to the right people.

  • Memberships define which roles have access to an asset.
  • Retention periods specify when access should expire or be reviewed.

These connect directly to Access Reviews, allowing organizations to periodically validate who has access to which assets.

Import and Export

Assets can be imported/exported in CSV format:

assets.csv
slug,name,status,ownerId
aws,AWS,ACTIVE,{ownerId}
github,Github,ACTIVE,{ownerId}
slack,Slack,ACTIVE,{ownerId}
datacenter-eu,European Data Center,ACTIVE,{ownerId}
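
A pre-import check for an assets.csv in the column layout shown above, as an added example that is not part of the product or its documentation. The checks follow the fields marked "(required)" and the slug's role as a unique identifier; the accepted status values, the `role-cto` owner id and the sample rows are constructed assumptions.

```python
import csv
import io

REQUIRED = ("slug", "name", "status", "ownerId")  # fields marked "(required)" above
ASSUMED_STATUSES = {"ACTIVE", "RETIRED"}          # assumption: upper-cased table values

def validate_assets_csv(text):
    """Return a list of (line_number, message) problems found in an assets.csv."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    seen = {}  # slug -> line where it first appeared
    for row in reader:
        line = reader.line_num
        for col in REQUIRED:
            if not (row[col] or "").strip():
                problems.append((line, f"{col} is empty"))
        slug = (row["slug"] or "").strip()
        if slug:
            if slug in seen:
                problems.append(
                    (line, f"duplicate slug '{slug}' (first on line {seen[slug]})"))
            else:
                seen[slug] = line
        status = (row["status"] or "").strip()
        if status and status not in ASSUMED_STATUSES:
            problems.append((line, f"unknown status '{status}'"))
        owner = (row["ownerId"] or "").strip()
        # The sample file ships with a literal {ownerId} that must be replaced.
        if owner.startswith("{") and owner.endswith("}"):
            problems.append((line, "ownerId is still a template placeholder"))
    return problems

# Constructed sample input with one problem of each kind.
SAMPLE = """slug,name,status,ownerId
aws,AWS,ACTIVE,role-cto
github,Github,ACTIVE,{ownerId}
aws,AWS Backup,active,role-cto
slack,Slack,ACTIVE,
"""

if __name__ == "__main__":
    for line, message in validate_assets_csv(SAMPLE):
        print(f"line {line}: {message}")
```
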

Asset Classes

Asset Classes categorize assets with similar security and risk properties, streamlining assessments and standardizing CIA definitions across your organization.

Fields Explained

| Field | Description | Example |
|---|---|---|
| Name | Human-readable name of the asset class (required) | "Cloud" |
| Slug | Unique identifier generated from the name (required) | "cloud" |
| Description | Description of the asset class | "Cloud infrastructure assets" |
| Confidentiality | CIA rating for confidentiality (optional, 1–10) | 8 |
| Integrity | CIA rating for integrity (optional, 1–10) | 7 |
| Availability | CIA rating for availability (optional, 1–10) | 9 |

When applied, the asset class CIA ratings combine with the specific asset’s CIA scores to produce a final average.

Import and Export

Asset classes can be imported/exported in CSV format:

asset-classes.csv
slug,name
cloud,Cloud
vendor,Vendor
hardware,Hardware
software,Software

Access Reviews

Access Reviews validate who has access to which assets through structured onboarding, offboarding, and periodic reviews.

Fields Explained

| Field | Description | Example |
|---|---|---|
| Title | Human-readable title of the entitlement review (required) | "Company Review Q3" |
| Review Type | Type of review (required) (Onboarding, Offboarding, Periodic Review) | "Periodic Review" |
| Coordinator | Relation to a role (required) | "CTO" |
| Deadline | Connected to the deadlines feature | "31.08.2025" |
| Description | Optional detailed description | "Quarterly access review" |
| Target Roles | Relation to roles (multiple allowed) | "Developers, COO" |
| Target Employee | Specific user for the review | "Nina Muster" |

Review Types

  • Onboarding: Grants access to assets during a new member’s onboarding.
  • Offboarding: Revokes access to assets during employee departure.
  • Periodic Review: Periodically validates asset access to ensure users have the correct level of access.

During entitlement reviews, assets are displayed in a snapshot view. Each entry can be Approved, Skipped, or Withdrawn. Once completed, the review is locked and can generate a formal report.

Reviews

Each review lists all assets according to the chosen scope. Any changes made during the review are tracked and displayed as diffs, allowing you to compare against the latest version or earlier cycles. A split view can be enabled for easier side-by-side comparison.

Each review item must be explicitly approved. If necessary, items can also be withdrawn. Once all review items are approved, the review can be closed by selecting Finish Review. This locks the review and prevents further modifications.

Reviews also integrate with the Reports feature through Generate Report, allowing you to export finalized review results for audits, compliance evidence, or internal governance tracking.
