Performing asset assessments

Why asset assessments are important

Asset assessments help you to:

  • Identify and prioritize critical business resources
  • Better assess risks based on actual impact
  • Establish recovery plans with realistic objectives
  • Demonstrate compliance with frameworks such as ISO 27001 and SOC 2
  • Support budget decisions with objective data

Tip

Perform assessments for all assets that are important to your business operations. Start with the assets that most people and processes depend on.

Opening asset assessment

Navigating to the assessment

  1. Go to the Assets page via the main menu
  2. Click on an asset to open the details
  3. Select the "Assessment" tab
  4. Fill in the CIA-triad and the rating will be automatically set
  5. Optionally also fill in recovery metrics to make these requirements known

What you see in the Assessment tab

The Assessment screen shows:

  • Impact categories - CIA-triad assessments (Confidentiality, Integrity, Availability)
  • Overall impact assessment - Automatically calculated based on highest individual score
  • Recovery metrics - RTO, RPO, MAO and MASL settings

Business Impact Analysis (CIA-triad)

Assessing Confidentiality

Evaluate how sensitive the information is that this asset contains or processes:

1. Public

  • Information that can be freely shared
  • For example: company website, public documents

2. Low

  • Internal information without major consequences if leaked
  • For example: meeting notes, general procedures

3. Confidential

  • Sensitive business information with possible competitive advantage
  • For example: strategic plans, customer data

4. Strictly confidential

  • Very sensitive information with serious consequences if leaked
  • For example: personal data, financial data, legal documents

Assessing Integrity

Determine how important accuracy and completeness of the data is:

1. Negligible

  • Small errors have no business impact
  • For example: decorative website elements

2. Low

  • Errors cause minor inconveniences
  • For example: newsletter template, internal wiki

3. Medium

  • Errors lead to operational problems
  • For example: inventory system, customer service tools

4. High

  • Errors have serious consequences for business operations
  • For example: financial administration, production database

Assessing Availability

Assess how critical it is that the asset remains available:

1. Negligible

  • Outage has no direct business impact
  • For example: archive system, old reports

2. Low

  • Temporary outage is acceptable
  • For example: HR portal, internal tools

3. Medium

  • Outage disrupts business processes
  • For example: email system, office applications

4. High

  • Outage stops critical business activities
  • For example: production systems, payment processing

Info

Overall impact assessment: Tidal automatically calculates the total impact based on the highest individual assessment. If Confidentiality = 2, Integrity = 4, and Availability = 3, then the overall impact = 4.

Setting recovery metrics

Recovery Time Objective (RTO)

What is RTO? RTO defines how quickly a system must be technically recovered after an incident.

Setting via dropdown:

  • 30 minutes - For critical real-time systems
  • 3 hours - For important business systems
  • 18 hours - For daily operational tools
  • 3 days - For weekly or monthly processes
  • 5 days or more - For non-critical systems

Tip

Setting realistic RTO: Choose an RTO that is technically feasible with your current infrastructure and budget. Overly ambitious objectives create false expectations.

Recovery Point Objective (RPO)

What is RPO? RPO specifies how much data loss is acceptable during an incident.

Practical choices:

  • 1 hour or less - For information that cannot be lost
  • 1 day - Acceptable for most business data
  • 1 week - For data that doesn't change often
  • 1 month - For less critical information that changes infrequently
  • 2 months or more - For archive or backup data

Maximum Acceptable Outage (MAO)

What is MAO? MAO indicates the maximum time that a business process can function without this asset.

Business perspective:

  • 1 hour - Business stops immediately upon outage
  • 5 hours - Short period with manual workarounds
  • 1 day - One workday bridgeable
  • 5 days - Temporary outage doesn't lead to major problems
  • 1 week or more - Longer period without major problems

Warning

MAO vs RTO difference: MAO is how long the business can survive, RTO is how long technical recovery takes. MAO must always be greater than RTO to remain realistic.

Minimum Acceptable Service Level (MASL)

What is MASL? MASL specifies the required uptime percentage for normal business functioning.

Availability levels:

  • 100.00% - Must always be available
  • 99.99% - About 1 hour outage per year
  • 99.90% - About 10 hours outage per year
  • 99.00% - About 8 hours outage per month
  • < 98% - More than 16 hours outage per month

Completing the assessment

Saving the assessment

  1. Fill in the CIA scores - The rating updates directly
  2. Check your settings - Ensure RTO < MAO and other logic is correct
  3. Click "Update" to save your assessment
  4. Status is updated - Asset now shows the correct impact level
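The Info note on overall impact, the Warning on MAO versus RTO, and the MASL table above all describe checks you can run before clicking "Update". The following is an added example, not part of Tidal Control's own code or API: it computes the overall impact as the highest CIA score, flags an RTO that is not below the MAO, warns when a High-availability asset has no RTO (an interpretation of the note that recovery metrics matter for high-availability resources), and converts a MASL percentage into allowed downtime per period. Score ranges, field names and the hours-per-period constants are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed period lengths used to turn an uptime percentage into downtime.
HOURS_PER_YEAR = 365 * 24          # 8760
HOURS_PER_MONTH = HOURS_PER_YEAR / 12


@dataclass
class AssetAssessment:
    """One asset's assessment as entered on the Assessment tab (assumed shape)."""
    confidentiality: int            # 1 Public .. 4 Strictly confidential
    integrity: int                  # 1 Negligible .. 4 High
    availability: int               # 1 Negligible .. 4 High
    rto_hours: Optional[float] = None
    mao_hours: Optional[float] = None
    masl_percent: Optional[float] = None


def overall_impact(a: AssetAssessment) -> int:
    """Overall impact is the highest individual CIA score (e.g. C=2, I=4, A=3 -> 4)."""
    scores = (a.confidentiality, a.integrity, a.availability)
    if any(s not in (1, 2, 3, 4) for s in scores):
        raise ValueError("CIA scores must be between 1 and 4")
    return max(scores)


def masl_downtime_hours(masl_percent: float, period_hours: float) -> float:
    """Allowed downtime in a period for a given uptime percentage (99.99%/year -> ~0.88 h)."""
    return period_hours * (100.0 - masl_percent) / 100.0


def check_assessment(a: AssetAssessment) -> List[str]:
    """Return consistency problems; an empty list means the assessment is ready to save."""
    problems: List[str] = []
    overall_impact(a)  # validates the CIA scores
    if a.rto_hours is not None and a.mao_hours is not None and a.rto_hours >= a.mao_hours:
        problems.append(f"RTO ({a.rto_hours} h) must be less than MAO ({a.mao_hours} h)")
    # Assumed reading of the page: a High (4) availability asset should carry an RTO.
    if a.availability == 4 and a.rto_hours is None:
        problems.append("availability rated High but no RTO set")
    if a.masl_percent is not None and not 0.0 <= a.masl_percent <= 100.0:
        problems.append("MASL must be a percentage between 0 and 100")
    return problems


if __name__ == "__main__":
    # Constructed sample: the Info note's C=2, I=4, A=3 asset with a 3 h RTO and 1-day MAO.
    sample = AssetAssessment(2, 4, 3, rto_hours=3, mao_hours=24, masl_percent=99.9)
    print("overall impact:", overall_impact(sample), "problems:", check_assessment(sample))
```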

Reviewing the assessment

When to review:

  • During major changes to the asset (functionality, users, criticality)
  • Annually as part of risk assessment cycle
  • After incidents that provide new insights
  • During compliance audits or reviews

Review process:

  1. Open the Assessment tab of the asset
  2. Check current scores against actual business situation
  3. Adjust scores where necessary
  4. Update recovery metrics based on new infrastructure/processes
  5. Save changes and document reasons for adjustments

Info

Recovery metrics are often not applicable: Recovery metrics only need to be filled in for business resources that require a high degree of availability.

Best practices for asset assessments

Ensuring consistency

Use comparable assets as benchmark:

  • Compare similar systems within your organization
  • Apply consistent criteria for impact levels
  • Document your considerations for future reference

Involve the right stakeholders:

  • Asset owners - Know daily usage and business impact
  • IT teams - Understand technical recovery capabilities
  • Business owners - Can assess business continuity

Realistic objectives

Balance ambition with feasibility:

  • Not all assets need 99.99% uptime
  • Higher availability means higher costs
  • Focus first on the most critical assets

Test your assumptions:

  • Perform disaster recovery tests to validate RTOs
  • Check backup procedures for RPO realization
  • Measure actual recovery times during incidents

Tip

Start simple: Begin with rough assessments for all assets, then refine the most critical ones later. A rough assessment is better than no assessment.

Next steps

After completing asset assessments you can:

  • Perform risk assessments based on this impact data
  • Improve continuity plans with realistic recovery time objectives
  • Implement control measures proportional to asset criticality
  • Generate compliance reports with accurate impact classifications