Identifying the assets
What am I trying to protect?
Part of a risk analysis involves identifying all things that need to be protected. Some are obvious, such as the various pieces of hardware or cardholder data. Others are apt to be overlooked, such as the people who actually have access to the systems. It is essential to list everything that could be affected by a security problem or potential threat. A list of categories should include:
1. Data. Stored online, archived off-line, backups, audit logs, databases, in transit over a communication medium, during execution, and during delivery (physical or otherwise). This can include cardholder data, merchant-specific data, ACH files, contract information, rate information, contact information, etc.
2. Supplies. Paper, forms, ribbons, magnetic media.
3. Hardware. Including CPUs, keyboards, terminals, terminal servers, routers, firewalls, disk drives, communication lines, printers, personal computers and laptops. This should include not only the hardware used for actual processing, but also the hardware used to view and access the data. It might also include hardware used to control access to the facilities and systems (tokens or smart cards).