Asset Management

Define and review assets primarily used in Risk and Data Protection programs

  • Episodes23
  • Duration56m 7s
  • LanguagesEN
Episode 1

Introduction to the Asset Module

Quick introduction to the module key capabilities

The Asset module allows you to store and review Assets that will be used for the most part as inputs to your Risks and Data Flows (Data Protection). Assets relate to other modules as well but as "optional" relationships: compliance, exceptions, Etc.

Assets refers to tangible and intangible things that make your organization. Servers, Invoices, Money, Employees, Etc are simple examples of Assets.

Assets are used as input to your Data Protection program. For "data" types of assets you will be able to define their flows (how data is collected, transmitted, etc) and record what protection is in place.

There is an inclination for some people to use this module as an inventory tool, that is not the case in this module. Since Assets are for the most part used to describe or provide context to your Risks, there is no point in describing every single Asset.

  • If your Risk is about patching, you are likely to call the asset “Windows Server” or “Server”, you do not need to list every server in the organization. That list should be kept and maintained by IT.
  • If your Risk is about phishing, you are likely to call the asset “Email Accounts”, you do not need to list every email account as an asset. That list should be kept and maintained by IT.
  • If your Risk is about abuse of privilege in Banking Applications used by your organization, you do not need every bank account or bank system in use.  That list should be kept and maintained by Finance.

The idea that GRC teams can manage the organization wide inventory is probably not realistic given the complexity of managing any kind of inventory and the typical size of GRC teams in respect to the wider organization.

Every Asset will have people associated to them in the form of three roles: 

  • Owner: is typically the person that acquired the asset. In the example of an HR system we would typically assign this to IT or HR.
  • Guardian: is typically the person that looks after the assets making sure it is functioning properly. Again this would likely be IT or HR or both!
  • User: is typically the person that uses the asset, in this case is likely to be HR alone.

The only mandatory role is the "Owner", the other two are optional.

If you do not like these titles, you can use "customizations" (see course) to change them to whatever name you prefer. Customizations allow you to rename, add, hide, and move around fields and tabs in any form and any module.

Each asset on the module will have review records automatically created by eramba based on your review deadlines. Reviews have their own tab at the top, and each document will have a review counter that, if clicked, will automatically redirect you to the review records.

Review records describe when the review was supposed to be done, when it was actually done, by whom (typically the Owner role is automatically assigned) and some description in regards to what was the conclusion of the review.

Like any other module in eramba, each record supports comments and attachments that allow you to record all review interactions (including approvals) by users, making email discussions unnecessary.

In order to help you with the review process you will use extensive configurable notifications (that can trigger emails or REST APIs) that will trigger in x amount of days before and after the expected review of the Asset, or whenever someone writes a comment or attachment for a review.

Like any other module in eramba, powerful filters will allow you to query the system in literally thousands of different ways (e.g., give me all expired Assets, give me all Assets that expire in two weeks, give all Assets used in PCI-DSS that are owned by this person that expire next week).

Filters can be saved and emailed to you automatically at regular intervals in PDF or CSV format, so you do not have to log in to eramba to know what work is ahead of you.

Some people are interested in applying classifications to their assets, in order to group them in certain categories. You can define your own classifications and apply them to your Assets.

Reports also are available as charts. These are shipped with standard reports and let you know visually what is going on. 

You can create your own reports with a report builder based on widgets that you drag and drop into a template. You can use text, tables, filters, and charts that we ship with.

The result will be a graphical report with your desired data. These reports can also be sent over email in PDF format as often as you want, so you don't have to log in to the system.


You will want to flag items based on your own conditions, when an Asset expires, when a review is missing evidence, when an Asset has no linked Risk, when the associated Risks are not Reviewed, etc. We use statuses across all modules to highlight these flags, and we ship with hundreds of them pre-configured for you.

But you can also create your own statuses based on your own conditions, and again, you have access to thousands of possibilities with the status configuration tool.

Every time a status matches (or fails to match) your conditions, a label will be applied to the Assets. You can optionally trigger emails and REST APIs, too. For example, you can notify the Asset owner when the Risk associated miss Reviews. The options are endless, and it is really up to you what level of complexity you wish to use.

Eramba uses web forms to create things, and these forms have been predefined for everyone. The good news is that eramba ships with custom fields on every module, so you can add, hide, rename, and move around fields on the form in almost any way you want.


A user-friendly interface lets you do all of the work without needing to know how to code software.