A high-value asset (HVA) is any information or system that is critical to an organization’s operations, reputation, or compliance requirements. If any of these assets were destroyed or compromised, it would have a serious impact on the business operations of the organization. Due to the nature of these assets, they are often a prime target for hackers and, therefore, must be identified and protected at all costs.
Some examples of high-value assets include:
- Customer data - This can include Personally Identifiable Information (PII) such as names, addresses, phone numbers and email addresses.
- Intellectual property - Company secrets, recipes, and other proprietary company information.
- Authentication systems - Passwords, MFA systems, and biometrics are examples of authentication systems.
- Financial systems - Anything to do with the financial aspects of the organization, such as what system is used to handle business transactions.
- Critical infrastructure - Servers, network systems, and cloud services are all examples of critical infrastructure.
- Regulatory compliance data - Many organizations must stay in compliance with regulatory agencies. For example, medical organizations need to remain in compliance with HIPAA.
The Cybersecurity and Infrastructure Security Agency (CISA) has created the following recommendations for identifying and securing high-value assets:
- An organization-wide HVA governance team should be established. This team will be responsible for identifying high-value assets and handling remediation and incident response.
- Identify and prioritize high-value assets. Most HVAs will fall under one of two categories:
  - Information value of the data the system processes.
  - Mission essential functions that the organization needs to accomplish its goals.
- Consider the interconnectivity and dependence of different high-value assets. For example, if the authentication system for an HVA relies on Active Directory, then the AD system must also be classified as an HVA.
- HVAs should be prioritized based on criticality and mission importance.
- Assessments should be based on the HVA prioritization.
- Any identified vulnerabilities should be remediated quickly.
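The dependency recommendation above can be applied mechanically to an asset inventory. The following is an added example, not CISA's or the original page's code: the asset names, the dependency map and the rule that a dependency inherits the criticality of the HVA relying on it are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample inventory (hypothetical names): asset -> systems it depends on.
DEPENDS_ON = {
    "payments-db": ["active-directory", "san-storage"],
    "hr-portal": ["active-directory"],
    "active-directory": ["dns", "hypervisor-cluster"],
    "hypervisor-cluster": ["san-storage"],
    "lunch-menu-site": ["cdn"],
}

# Assets the governance team designated directly; 1 is the highest criticality.
DESIGNATED = {"payments-db": 1, "hr-portal": 2}


def classify_hvas(depends_on, designated):
    """Return {asset: (criticality, inherited_from)} for each designated HVA
    and everything it depends on, directly or transitively.

    Assumption: a dependency inherits the highest criticality (lowest number)
    of any HVA that relies on it. inherited_from is None for a designation.
    """
    result = {asset: (crit, None) for asset, crit in designated.items()}
    queue = deque(sorted(designated, key=designated.get))
    while queue:
        asset = queue.popleft()
        crit = result[asset][0]
        for dep in depends_on.get(asset, []):
            # Strict comparison: revisit only when criticality rises, so
            # circular dependencies terminate.
            if dep not in result or crit < result[dep][0]:
                result[dep] = (crit, asset)
                queue.append(dep)
    return result


def assessment_order(hvas):
    """Asset names sorted by criticality, then name, for scheduling assessments."""
    return sorted(hvas, key=lambda name: (hvas[name][0], name))


if __name__ == "__main__":
    hvas = classify_hvas(DEPENDS_ON, DESIGNATED)
    for name in assessment_order(hvas):
        crit, via = hvas[name]
        print(f"{name}: criticality {crit}, {'designated' if via is None else 'required by ' + via}")
```

In the sample, Active Directory, DNS, the hypervisor cluster and the storage array all become criticality-1 HVAs because the payments database depends on them, while the lunch menu site and its CDN stay out of the HVA list.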
The pentester needs to be aware of what is considered a high-value asset, as these should be prime targets for testing as long as they fall within the original scope of work.