Asset Management

The Asset module allows you to store and review Assets that will be used, for the most part, as inputs to your Risks and Data Flows (Data Protection). Assets relate to other modules as well but as "optional" relationships: compliance, exceptions, etc.

Assets refers to tangible and intangible things that make your organisation. Servers, Invoices, Money, Employees, etc. are simple examples of Assets.

Assets are used as input to your Data Protection program. For "data" types of assets you will be able to define their flows (how data is collected, transmitted, etc.) and record what protection is in place.

Although some people may want to use this module as an inventory tool, that is not how this module should be used. Since Assets are, for the most part, used to describe or provide context to your Risks, there is no advantage to describing every single Asset.

• If your Risk is about patching, you are likely to call the asset “Windows Servers” or “Servers”.  You do not need to list every server in the organisation. That list should be kept and maintained by IT.
• If your Risk is about phishing, you are likely to call the asset “Email Accounts”.  You do not need to list every email account as an asset. That list should be kept and maintained by IT.
• If your Risk is about abuse of privilege in Banking Applications used by your organisation, you do not need to list every bank account or bank system in use.  That list should be kept and maintained by Finance.

The idea that GRC teams can manage the organisation wide inventory is probably not realistic given the complexity of managing any kind of inventory and keeping it up to date.  The typical size of GRC teams in respect to the wider organisation is normally such that the management and updating of corporate inventories is best left to the departments responsible for each type of asset.

Every Asset will have people associated with them that can usually be categorised into one of three roles: 

• Owner: is typically the person that acquired the asset. In the example of an HR system we would typically record IT or HR as the owner of this type of asset.
• Guardian: is typically the person that looks after the assets making sure they are functioning properly. For an HR system this would likely be IT or HR or both!
• User: is typically the person that uses the asset. In this case is likely to be HR alone.

The only mandatory role is the "Owner", the other two are optional.

If you do not like these titles, you can use "customisations" (see course) to change them to meet your requirements. The customisation feature allows you to rename, add, hide, and move fields and tabs in any form and any module.

Each asset recorded in the module will have review records automatically created by eramba based on your review deadlines. Reviews have their own tab at the top of each page and each document will have a review counter that, if clicked, will automatically redirect you to the review records.

Review records describe when the review was supposed to be done, when it was actually carried out, by whom (typically the Owner role is automatically assigned) and a description of the conclusion of the review.

Like any other module in eramba each record supports comments and attachments that allow you to record all review interactions (including approvals) by users, making email discussions unnecessary.

In order to help you with the review process you will use extensive configurable notifications (that can use emails or REST APIs) that will trigger a number of days before or after the expected review of the Asset, or whenever someone writes a comment or attachment for a review.

Like any other module in eramba filters allow you to query the data in the system in thousands of different ways (e.g., display all expired Assets, display all Assets that expire in two weeks, display Assets used in PCI-DSS that are owned by a particular person that expire next week).

Filters can be saved and the contents of the filter emailed to you automatically at regular intervals in PDF or CSV format so you do not have to log in to eramba to know what work is ahead of you.

For those interested in applying classifications to their assets in order to group them in certain categories you can define your own classifications and apply them to your Assets.

Reports also are available as charts. The software is shipped with standard reports to let you know visually what is going on.

You can create your own reports with the report builder using widgets that you drag and drop into a template. You can use text, tables, filters and chart elements to build the report.

These reports can also be sent by email in PDF format as often as you want so you don't have to log in to the system.

 

Items can be flagged based on your own set of conditions, e.g.

• when an Asset expires,
• when a review is missing evidence,
• when an Asset has no linked Risk,
• when the associated Risks are not Reviewed, etc.

Assets can be flagged using statuses, and this feature is available across all modules.  There are hundreds of statuses pre-configured for you.

You can also create your own statuses based on your own conditions and, again, you have access to thousands of possibilities with the status configuration tool.

Every time a status matches (or fails to match) your conditions, a label will be applied to the Assets. You can optionally trigger emails and REST APIs too. For example you can notify the Asset owner when the Risks associated with them miss Reviews. The options are endless and it is really up to you what level of complexity you wish to use.

The web forms used to create these things in eramba can be customised using the custom fields option available in every module.  You can add, hide, rename and move around fields on the form in almost any way you want.

 

A user-friendly interface lets you do all of the work without needing to know how to code software.