IT Security Risk Management (ITSRM)
ASSET IDENTIFICATION
If you have not identified critical assets, you cannot recover from their loss!
OVERVIEW
Asset Identification information is contained in the Boundary Scope Master Record (BSMR), which provides a general description of system architecture and functionality.  The BSMR should indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems.  It should also include information on any other technical considerations that are important for recovery purposes, such as backup procedures.  Note:  There should be only one (1) BSMR for each system or application.

BOUNDARY SCOPE MASTER RECORD
The BSMR contains critical information that summarizes a description of the application or system.  As described in the sample BSMR link (above), this document includes the following:
  • Asset Name and Acronym
  • Asset Type and Criticality
  • Location of Asset Hardware and/or Software
  • Location of Alternate Site
  • Location of Users and Support Teams
  • A Detailed and Comprehensive Description of the Asset
  • Description of Dependent and/or Interconnecting Systems or Applications
  • Business Unit, Operations, and Key Personnel Points of Contact with Contact Information
The BSMR should also include any information pertinent to the recovery or relocation of the asset in the event of an incident. Additionally, we have included tools to help document the asset's characteristics and dependencies (Asset Specification) and the asset's value (Asset Valuation).

COMMON CONTROLS vs. SHARED CONTROLS vs. SPECIFIC CONTROLS
Common Controls are controls that are inheritable by one or more organizational information systems.  The organization assigns responsibility for common controls to appropriate organizational officials and coordinates the development, implementation, assessment, authorization, and monitoring of the controls.  The identification of common controls is most effectively accomplished as an organization-wide exercise with the active involvement of the chief information officer, senior information security officer, risk executive (function), authorizing officials, information system owners, information owners/stewards, and information system security officers.  When common controls protect multiple organizational information systems of differing impact levels, the controls are implemented with regard to the highest impact level among the systems.  For example, a common control may address the security of the facility, and the assets within that facility would call out those protection mechanisms as common controls.

Shared or Hybrid Controls.  Organizations assign a hybrid status to a security control when one part of the control is deemed to be common and another part of the control is deemed to be system-specific.  In the case of a Shared or Hybrid control (i.e., User Identification and/or Identification), the control may be the responsibility of the application as well as the system that supports that application.

System Specific Controls are the primary responsibility of information system owners and their respective authorizing officials.  With respect to System Specific Controls, access to a database may be restricted by an access control list (ACL) managed by the asset owner.
Security Begins and Ends with You!
