ABSTRACT

This chapter discusses how an asset can only be labeled “critical” if it provably underwrites some aspect of the organization’s core functionality. It introduces the process for creating a rigorous set of protection requirements for just those assets that directly enable the organizational mission. Prioritization of information assets is a process that rightfully belongs within the scope of risk management; it takes place after the organization has completed the vulnerability and risk assessments that identify specific information assets as likely candidates for loss. The cyber-resilience requirements for each asset are defined by that asset's owner. Software can range from business-process-specific applications to operating systems and the protection and detection utilities that implement cybersecurity controls. The three roles involved in configuration sustainment are those of the asset user, the asset custodian, and the asset owner. Access restrictions for change represent the enforcement side of configuration management. Configuration change control is a process for filtering changes to assets, policy, and procedure through a managed process.