Assets
Assets represent valuable resources like data, systems, or processes that need protection, serving as the foundation for risk assessment and control implementation across your organization.
Overview
Assets are organized into Asset Classes, linked with Entitlements for access reviews, and can undergo Reviews similar to risks. Together, they ensure that resources are systematically identified, assessed, and managed with clear accountability and oversight.
Asset Management
Assets connect directly to controls, locations, roles, and risk management activities. Each asset includes detailed fields to describe ownership, classification, and security attributes.
Fields Explained
| Field | Description | Example |
|---|---|---|
| Name | Human-readable name of the asset (required) | "AWS" |
| Slug | Unique identifier generated from the name (required) | "aws" |
| Owner | Relation to a role (defined in Settings) (required) | "CTO" |
| Status | Lifecycle status of the asset (required) | "Active", "Retired" |
| Parent Asset | Relation to another asset, allowing nested structures | "AWS Cloud Infrastructure" |
| Description | Detailed description of the asset | "Amazon Web Services" |
| Labels | Free-form tags to group and filter the asset (multiple allowed) | "PII", "Production" |
| Asset Class | Relation to an asset class | "Cloud" |
| Confidentiality | CIA rating: value between 1–10 | 10 |
| Integrity | CIA rating: value between 1–10 | 8 |
| Availability | CIA rating: value between 1–10 | 9 |
| Controls | Relation to controls that protect the asset | "Access Control Policy" |
| Location | Relation to a location (e.g., data center, office) | "Zurich Datacenter" |
| Membership | Relation to roles with access to the asset | "Developers" |
| Retention Period | Relation to a schedule for access or data retention | "Annual Review" |
Labels
Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to an asset to capture cross-cutting groupings the structured fields don't — a data-sensitivity class, an environment (production/staging), an owning team, or a project. An asset can carry any number of labels, and the asset list offers a Labels filter to narrow to everything sharing a tag. The same labels can be applied to risks and vendors, giving you one consistent vocabulary across the product.
CIA Triad in Risk Management
Assets use the CIA Triad to assess security properties:
- Confidentiality: Ensures sensitive information is accessible only to authorized parties.
- Integrity: Ensures information remains accurate, consistent, and unaltered.
- Availability: Ensures information and systems remain accessible when needed.
In risk management, the CIA Triad helps quantify asset criticality and define security requirements. For example, a financial database may have Confidentiality: 10, Integrity: 10, Availability: 8, requiring strong encryption and redundancy.
When an Asset Class is assigned, its CIA ratings combine with the asset’s ratings. The final score is an average of the two, ensuring both the general class properties and the specific asset details influence the result.
About Access Management
Access management ensures that assets are available only to the right people.
- Memberships define which roles have access to an asset.
- Retention periods specify when access should expire or be reviewed.
These connect directly to Access Reviews, allowing organizations to periodically validate who has access to which assets.
Import and Export
Assets can be imported/exported in CSV format:
```csv
slug,name,status,ownerId
aws,AWS,ACTIVE,{ownerId}
github,Github,ACTIVE,{ownerId}
slack,Slack,ACTIVE,{ownerId}
datacenter-eu,European Data Center,ACTIVE,{ownerId}
```
Asset Classes
Asset Classes categorize assets with similar security and risk properties, streamlining assessments and standardizing CIA definitions across your organization.
Fields Explained
| Field | Description | Example |
|---|---|---|
| Name | Human-readable name of the asset class (required) | "Cloud" |
| Slug | Unique identifier generated from the name (required) | "cloud" |
| Description | Description of the asset class | "Cloud infrastructure assets" |
| Confidentiality | CIA rating for confidentiality (optional, 1–10) | 8 |
| Integrity | CIA rating for integrity (optional, 1–10) | 7 |
| Availability | CIA rating for availability (optional, 1–10) | 9 |
When applied, the asset class CIA ratings combine with the specific asset’s CIA scores to produce a final average.
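The averaging described here and in the CIA Triad section, worked through as an added example (not the product's own code). It assumes the average is taken per dimension and that a rating left empty on one side falls back to the other side's value; `Rating` and `effective_cia` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass
class Rating:
    """One CIA rating set; None means the field was left empty."""
    confidentiality: Optional[int] = None
    integrity: Optional[int] = None
    availability: Optional[int] = None


def _checked(name: str, value: Optional[int]) -> Optional[int]:
    # The page defines each rating as a value between 1 and 10.
    if value is not None and not 1 <= value <= 10:
        raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return value


def effective_cia(asset: Rating, asset_class: Optional[Rating] = None) -> dict:
    """Average asset and class ratings per dimension.

    Assumption: when only one side rates a dimension, that rating is used
    unchanged; when neither does, the result is None (unrated).
    """
    result = {}
    for dim in DIMENSIONS:
        own = _checked(dim, getattr(asset, dim))
        cls = _checked(dim, getattr(asset_class, dim)) if asset_class else None
        rated = [v for v in (own, cls) if v is not None]
        result[dim] = sum(rated) / len(rated) if rated else None
    return result


# Constructed sample using the example values from the two field tables.
aws = Rating(confidentiality=10, integrity=8, availability=9)
cloud = Rating(confidentiality=8, integrity=7, availability=9)
partial_class = Rating(availability=9)  # class rates availability only

if __name__ == "__main__":
    print(effective_cia(aws, cloud))
    print(effective_cia(aws, partial_class))
```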
Import and Export
Asset classes can be imported/exported in CSV format:
```csv
slug,name
cloud,Cloud
vendor,Vendor
hardware,Hardware
software,Software
```
Access Reviews
Access Reviews validate who has access to which assets through structured onboarding, offboarding, and periodic reviews.
Fields Explained
| Field | Description | Example |
|---|---|---|
| Title | Human-readable title of the entitlement review (required) | "Company Review Q3" |
| Review Type | Type of review (required) (Onboarding, Offboarding, Periodic Review) | "Periodic Review" |
| Coordinator | Relation to a role (required) | "CTO" |
| Deadline | Connected to the deadlines feature | "31.08.2025" |
| Description | Optional detailed description | "Quarterly access review" |
| Target Roles | Relation to roles (multiple allowed) | "Developers, COO" |
| Target Employee | Specific user for the review | "Nina Muster" |
Review Types
- Onboarding: Grants access to assets during a new member’s onboarding.
- Offboarding: Revokes access to assets during employee departure.
- Periodic Review: Periodically validates asset access to ensure users have the correct level of access.
During entitlement reviews, assets are displayed in a snapshot view. Each entry can be Approved, Skipped, or Withdrawn. Once completed, the review is locked and can generate a formal report.
Reviews
Each review lists all assets according to the chosen scope. Any changes made during the review are tracked and displayed as diffs, allowing you to compare against the latest version or earlier cycles. A split view can be enabled for easier side-by-side comparison.
Each review item must be explicitly approved. If necessary, items can also be withdrawn. Once all review items are approved, the review can be closed by selecting Finish Review. This locks the review and prevents further modifications.
Reviews also integrate with the Reports feature through Generate Report, allowing you to export finalized review results for audits, compliance evidence, or internal governance tracking.