
Information Asset Registers for Cyber Security

DOI: 10.6084/m9.figshare.14035703
© Mark Brett 2021 MDB/LMU/Feb2021 Information Asset Registers. DRAFT V7 -
Information Asset Registers
Principal Author: Mark Brett February 2021
Visiting Fellow (Cyber Defence) London Metropolitan University
Version 07 Initial DRAFT DOI: 10.6084/m9.figshare.14035703
Keywords: Information Asset Registers / Information Governance / Information Assurance /
Risk Management / Cyber Incident Response / Information Taxonomies
Extract
Information Asset Registers are part of Information Management, Assurance and
Governance (IMAG) [3]. It is proposed that the Information Asset database is at the heart of the
Information Assurance ecosystem. This fact has been partially recognised through the ITIL
(Information Technology Infrastructure Library) [4] CMDB (Configuration Management
Database).
Whilst this paper contains current forward thinking, the original concepts go back to the ICL
2900 series mainframes under VME/B and the ICL Data Dictionary model [5]. The Data
Dictionary was revolutionary as it recorded both the physical real-world practices and
procedures and mapped them to their logical programs and processes. This meant that
business analysts could design systems and services seamlessly in the real world, then map the
data attributes into data schemas and taxonomies.
This was forty years ago. As we have progressed, the essence of data and the use of metadata and
schemas have always been there, but today they get forgotten about when coding and designing
systems. The UK Government Digital Service Design Manual considers some of these issues [6].
Information Assurance is the confidentiality, integrity and availability of an information asset.
The need for asset registers is so that we know which key assets we have. When we talk about a
key asset in this context, we are generally referring to a system or service; those systems and
services all have key components. There are different hardware and software manufacturers,
with different products that have different versions and different patch levels.
All products are at different points on a life-cycle of procurement and through-life measures
leading eventually to replacement. Today's leading edge product or service is tomorrow's legacy
technology. This cycle is in some cases getting rather short, sometimes only a couple of years
from coming to market through to obsolescence.
We need to consider all of these aspects. When we focus on confidentiality, we're always
thinking about access control and encryption. When we talk about integrity, we're thinking
about the information on the systems and services being accurate and not tampered with, and
about non-repudiation. And when we're thinking about availability, this is actually about
availability of systems and services, which covers the areas around backups and disaster
recovery. In pulling together asset registers, we are also concerned with network components
and their manufacturers. We are also concerned with things like operating system types,
versions and patch levels. We further need to consider how long it is since the configuration
information has been updated, if indeed an information asset register exists in the organisation.
We need to understand how long it will be until these systems are due to be replaced. The main
reason for wanting this is that if we find a particular vulnerability or exploit appertaining to a
certain manufacturer or type of kit, knowing who has that specific equipment and what the
patching level is will help quickly determine whether an organisation is at risk of a systems
breach or compromise if attacked with a certain exploit. If they are adequately patched, they
may not be vulnerable.
Knowing the profile of equipment deployed, the relevant patching and software versions
and how they are configured will help network defenders. Those charged with national
network defence will also be able to quickly and efficiently contact those organisations, tell
them about vulnerabilities and provide actionable intelligence to help them defend their
networks and infrastructure.
Context
The main international standard for Information Security is ISO27001, which covers a number
of domains relating to Information Security. We must however consider other aspects such as
Information Risk Management, Assurance and Governance. Other ISO standards cover these
areas and so even the standards are many and complex. There is a hierarchy which covers
elements from the physical network, through to servers, operating systems, applications, data
and access control. These elements are all interlinked and it is proposed that you should
consider them in isolation. This paper proposes an approach and flags some of the core issues
and questions.
This paper is also a foundation for further research in the area and explores a novel deployment
of some social science research methods and approaches. The overall information system
comprises all of the components (attributes) necessary for its operation; the hub of the system
is the server which hosts the application. There will be a number of supporting components,
including the file storage, the access control system and the supporting operating system.
Many systems today are run and supported on databases. Servers themselves need to be
accessed. In the old days terminals were hard wired to servers. Today, we generally access a
server through a network. This can be a local network (LAN) or a wide area network (WAN).
Today, we tend to use the Internet as an integrated part of the Corporate infrastructure, by
deploying VPNs (Virtual Private Networks). These VPNs then connect to either on-premises
servers or to cloud services, such as Amazon, Microsoft or Google. There is an emergent theme
of multi-cloud and hybrid cloud (both on premises and Public Cloud based) [7]. When we
mention Public Cloud we mean a Virtual Private Cloud (VPC) [8].
All of these components need to be identified, quantified, risk assessed and assured.
This paper proposes an approach to identify, quantify and report on the components in an
organisation's infrastructure. The proposed approach covers both the hardware (whether
logical, physical or conceptual) and the software systems, to provide a heterogeneous
taxonomy for planning, Cyber defence, assurance and incident management.
The approach is appropriate for Local Government in England and Wales. This is especially
relevant as a component part of the journey to replace the PSN (Public Services Networks) Code
of Connection (PSN CoCo) compliance regime over the next couple of years.
The reason for this type of granular consideration is to ensure all components of the system are
taken into account, because attackers will try to exploit any available attack vector. Whilst most
attacks are predicated through emails, websites and direct attacks on Internet facing servers.
Asset Descriptions and Registers
Information Asset Registers have been in use for some time; they are acknowledged by the
Information Commissioner's Office (ICO) [1]. In the context of this paper, we propose a wider
and deeper use of Information Asset Registers to annotate and record the network and
infrastructure components deployed within an organisation. The concept was first explored by
the author in a previous paper in 2021 [2].
Methodology
There are a number of academic research methodologies that are useful in this space and a
mixed-methods approach is being taken to undertake and understand this work. The
overarching approach is to use qualitative methods within a practice-based research framework
[15].
As the actual project around the replacement of the PSN (Public Sector Network) compliance is
effectively a live real-world problem, requiring tools and techniques to understand, analyse
and work towards solving the problem, an Agile approach to the process is being used. Whilst
not a formal research method, it does provide useful context and will foster better
understanding of the constructs and issues by stakeholders, namely Local Authority compliance
and security managers.
The Agile methodology is widely used and understood in central and local government in
England and Wales [9]. MHCLG Digital [10] use agile as their delivery method, so any proposals
we make need to interface with it. The NCEF (NLAWARP Cyber Exploitation Framework),
developed and presented at the Cyber Practitioners Conference in York 2017, is a Conceptual
Framework. A Conceptual Framework [11] is a way of mapping and showing the relationship
between a collection of variables, some of which are fixed and some dynamic. In this case the
variables are network components and information governance issues. Once you’ve identified
your variables, they can be assembled, mapped and clustered together. This clustering starts to
show relationships and helps the formation of categories, using Grounded Theory [12] to
produce data clusters. Management students will be familiar with the Business Model Canvas
[13] and similar canvasses and approaches [16]. Many modern tools, such as the agile
“Kanban” [17] approach and software like Trello [18] and MIRO [19], all fit beautifully with
Grounded Theory and conceptual frameworks. These in turn fit with Systems Thinking [20],
Wicked Problems [21], Wardley Maps [22] and weak signals [23], which in Grounded Theory are
outlier variables. I’ve explored some of these issues in a paper on Horizon Scanning [24].
Quantification using Grounded Theory [25] allows for the categorisation of Information Assets
in the same way that Grounded Theory allows for the categorisation of issues within a community.
As this is a technical proposal, the use of Ethnographic methods [26] to understand the Local
Authority Cyber Security Environment is a novel use of Ethnographic modelling, where the
computer network and the personnel that support it are the ethnographic study, rather than an
indigenous race or community. Finally, the Practice and Design Research methods are valid, as
we are identifying, categorising and designing a set of tools and artefacts as the output of the
proposed approach and study. It is hoped that the introduction of these Social Science research
methodologies [27] into areas traditionally serviced by Software Engineering [28] and other
Computer Science methodologies [29] will prove innovative and useful to other researchers. In
developing this work I’ve been influenced by the Deep Work approach [30] [31] and the
Zettelkasten [32], which has helped to shape the structure. I believe this approach brings a
whole range of Qualitative Social Science tools into play in a novel and innovative way that not
only helps map the landscape, but also helps to identify some of the soft cultural issues that
affect information management and governance. The Covid-19 pandemic of 2020/21 has forced
many organisations to work from home and to collaborate and operate in a virtual
environment.
The SCRAP Framework
It is my contention that Information Asset Registers are an essential part of Cyber Security,
Information Assurance and Cyber Incident Response moving forward. There is anecdotal
evidence in some Local Authorities that Information Asset Registers do not exist for this
purpose. This view has been formed over the past few years, through discussions with Local
Authorities during Cyber Incidents, through on-line forum discussions and during Cyber Incident
Response Training.
Therefore the proposal is to offer an approach to Local Authorities, to develop an Information
Asset Register approach and to implement it as part of their Cyber Incident Response Planning.
As we are advocating an approach to move from static plans to dynamic playbooks, Information
Asset Registers will be a very useful planning and response tool.
Whilst thinking about this problem and a practical approach to implementation,
Systems
Cartography
Registers
Attributes
Patterns
Systems
When we talk about systems in this context, we are referring to a discrete system, for
instance Housing Benefits or Council Tax. A system can also be a service, such as Microsoft
365. Systems and services will be made up of a number of elements, for instance servers,
operating system, database, programming language, scripting, configuration files and data files.
The systems of today are very different in their composition from those of twenty years ago. The
simplest Information Asset Register will comprise a series of linked records, which describe
the functional layout and composition of the system. This could physically be a text document,
spreadsheet or database.
We must think about not only the structure and layout of the Information Asset Register,
but also how it will be constituted, stored and published. These Information Asset Registers could
potentially be a valuable asset for attackers and those who wish to cause harm or disruption.
Thought must therefore be given to the creation, storage, publication and use of these
Information Asset Registers.
There are a number of useful descriptors and approaches that may be of use to researchers in
this field and could be the subject of further research and reporting. These include:
Systems Thinking [20]
Complexity [33]
Weak Signals [23]
Nudge Theory [34]
Cynefin [35]
Wicked Problems [21]
Wardley Maps [22]
Cartography
When the term cartography is used in this context we mean mapping, that is the visual and
textual documentation, illustration and recording of the Physical, Logical and Conceptual layout
of the information that forms the Focus of Interest, in this case the Service or System being
documented in the Information Asset Register. Some very useful work in this area is
Domain Based Security, referred to as “DBSy” [14], a process extensively used in the Ministry of
Defence; although now thought of as a legacy approach, it is still worth reading and
understanding.
Mapping complex interlinked systems is even more important as we move to a cloud based eco
system, which can comprise a hybrid multi cloud approach, that is, components of physical
servers on premise, inter-linked with public cloud services of multiple different vendors.
Mapping these interconnections and keeping the documentation up to date is ideally done
automatically through the use of metadata and automated module communication.
Many systems components can be open source and these utilise platforms and tools such as
GitHub. The modern systems development process, referred to as “DevOps” in the agile world
[36], also has a security approach called DevSecOps (Development, Security Operations) [37].
These processes in turn mean that program code is developed, tested and deployed through a
federated approach called CI (Continuous Integration). Much of this is automated and the whole
code to production (live running and operations) process is carried out at scale and is often
fully automated.
There are a number of concepts and approaches that have formed the thinking around the
Cartography element of this model. These are worth further investigation:
Mind Maps
Architectural Diagrams
Symbols & Lexicons
Systems Mapping
Documentation
Domain based security
Security Domain and mapping
Registers
Because of the federated nature of agile cloud based systems, it is necessary to have
authoritative lists of data items, some of which are fixed, for instance the recognised countries
of the world used by the banks (https://bank-code.net/iban/country-list) and the country prefixes
for international telephone dialling. There are also registers on the .gov.uk website that are
definitive: https://www.registers.service.gov.uk
Registers are therefore an approach worth consideration in the context of Information Asset
Registers. We must however be mindful of the security implications and the “Equity” (the
usefulness for a hacker), so these register entries will need to be pseudo-anonymised. To
facilitate pseudo-anonymisation, we propose a CUON (Cyber Unique Organisational Number),
which would be randomly allocated to an organisation in a similar way to a private and public key.
Registers are also extensible, like postcodes. Once components have been declared, other
organisations with the same components would be able to copy the entries; this would speed
the whole process up, enabling fast and accurate database population of asset components.
This would in turn lead to a standardisation of threat profiles, compensating controls and
architectural patterns. This could make a huge difference to local authorities, through standard
threat profiles. The contention is that all Council Tax systems have the same data and asset
value. Once a system has been profiled, all councils would be able to use the same profile. Any
variations would also be recorded and a huge amount of effort can be saved. Defining and
saving these threat profiles, and in time asset register entries, in XML or similar makes them
machine readable, and this opens the possibilities for further work to look at the use of agent
and API based automated approaches.
Attributes
The mapping of attributes will, it is contended, be a journey of iteration. To start with, key
components will be identified to form the core of a taxonomy. For instance:
Application Servers
Web Servers
Mail Servers
Firewalls
Routers
Proxy Servers
Active Directory Servers
Network Area Storage Devices
This approach is laid out in detail in the NIST SP 1800-5 document:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-5.pdf
Taking a firewall as an example:
CUON: 654/21/9874
Entity: Firewall
Owner: ICT Network Team / Team Leader Ext 5434 ICTNetork@dovedale.gov.uk
Location: Server Room 102b
Asset number: 21/45634
Classification Level: OFFICIAL
Manufacturer: Cyber Sure
Model: 345/t
Build level: 34.9.8.7
Last patched: 12/02/2021
IP Address or identifier: 10.3.4.56
Record Date: 210215
Record version: 1.0
Notes:
The above is a simple example but it means there is a definitive record for the asset.
The CUON is made up of: [654] the organisation ID, [21] the year of allocation and [9874] the
unique reference number for the firewall. The key point is that a CERT or other authorised
entity could search for Cyber Sure model 345/t firewalls and find all of the organisations that
have them recorded. A further refined search could be on build level [34.9.8.7], which could be
an old build and subject to a zero day CVE exploit.
This would save a lot of time and effort. An agent based system could be used, for instance
HUGINN: https://github.com/huginn/huginn
The agent based approach is a push/pull system. The
updated contents of a database wait until polled for an update. Bespoke workflows are put
together. This node based store and forward approach could be incorporated into a CERT
(Computer Emergency Response Team) or as part of a hierarchic network, for instance linking all
of the Local Authorities in Wales through regional based nodes. This was discussed in a CSIRT
paper, referencing Cybershare as a model that could achieve this [38].
This type of asset register could be automated and integrated into a STIX and TAXII type
infrastructure: https://stixproject.github.io – however, as previously discussed, the issue of
security and pseudo-anonymisation has to be considered.
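The CERT search described above (all Cyber Sure 345/t firewalls, then refined by build level) can be run over machine-readable records as in the following added example, which is not code from the paper. The parser, the second to fourth sample records, the day/month/year reading of dates and the fixed build 34.9.9.0 are assumptions made for illustration; the query returns only the organisation part of the CUON, in keeping with the pseudo-anonymisation requirement.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample register in the "Field: value" layout of the firewall
# record. The first record reuses values from the paper's example; the other
# three records are invented for this demonstration.
SAMPLE_REGISTER = """\
CUON: 654/21/9874
Entity: Firewall
Manufacturer: Cyber Sure
Model: 345/t
Build level: 34.9.8.7
Last patched: 12/02/2021

CUON: 112/20/0031
Entity: Firewall
Manufacturer: Cyber Sure
Model: 345/t
Build level: 34.10.0.1
Last patched: 01/02/2021

CUON: 377/19/5520
Entity: Firewall
Manufacturer: Cyber Sure
Model: 345/t
Build level: 34.9.2.0
Last patched: 03/06/2020

CUON: 377/19/5521
Entity: Router
Manufacturer: Other Vendor
Model: R-1
Build level: 2.0
Last patched: 10/01/2021
"""

# Assumed CUON layout, taken from the paper's example: org / year / reference.
CUON_RE = re.compile(r"^(\d{3})/(\d{2})/(\d{4})$")


@dataclass(frozen=True)
class Asset:
    org_id: str  # pseudonymous organisation ID (first CUON field)
    year: str
    ref: str
    entity: str
    manufacturer: str
    model: str
    build: tuple
    last_patched: date

    @property
    def cuon(self):
        return f"{self.org_id}/{self.year}/{self.ref}"


def parse_build(text):
    """'34.10.0.1' -> (34, 10, 0, 1), so that builds compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_record(block):
    """Parse one 'Field: value' record; reject a malformed CUON."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    match = CUON_RE.match(fields.get("cuon", ""))
    if not match:
        raise ValueError(f"malformed CUON: {fields.get('cuon')!r}")
    org_id, year, ref = match.groups()
    return Asset(
        org_id=org_id, year=year, ref=ref,
        entity=fields["entity"],
        manufacturer=fields["manufacturer"],
        model=fields["model"],
        build=parse_build(fields["build level"]),
        # Assumption: dates are day/month/year, as in UK usage.
        last_patched=datetime.strptime(fields["last patched"], "%d/%m/%Y").date(),
    )


def parse_register(text):
    return [parse_record(block) for block in text.strip().split("\n\n")]


def find_exposed(assets, manufacturer, model, fixed_build):
    """Assets of the given product running a build older than fixed_build."""
    fixed = parse_build(fixed_build)
    return [a for a in assets
            if a.manufacturer.lower() == manufacturer.lower()
            and a.model.lower() == model.lower()
            and a.build < fixed]


def exposed_organisations(assets, manufacturer, model, fixed_build):
    """Only the pseudonymous organisation IDs a CERT would need to contact."""
    hits = find_exposed(assets, manufacturer, model, fixed_build)
    return sorted({a.org_id for a in hits})


def stale_records(assets, today, max_age_days=90):
    """CUONs whose last recorded patch date is older than max_age_days."""
    return [a.cuon for a in assets
            if (today - a.last_patched).days > max_age_days]


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    # "34.9.9.0" is a hypothetical first fixed build, not a real advisory.
    print(exposed_organisations(register, "Cyber Sure", "345/t", "34.9.9.0"))
    print(stale_records(register, today=date(2021, 2, 15)))
```

Build levels are compared as integer tuples because a plain string comparison would rank 34.10.0.1 below 34.9.9.0 and wrongly report a patched device as exposed.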
Other areas for further consideration are:
Taxonomy of physical components; for this I would consider:
https://www.opensecurityarchitecture.org/cms/index.php
Data Dictionary example:
https://www.usgs.gov/products/data-and-tools/data-management/data-dictionaries
Cataloguing functional and non-functional requirements:
https://qracorp.com/functional-vs-non-functional-requirements/
Patterns
When we discuss patterns in this context we propose that a pattern shows the linkages between
elements of an Information Asset Register and how the individual components form a coherent
system or service. The DBSy references [14] previously discussed and the Data Dictionary
reference [39] are both good examples of elemental linkages. The rationale for needing these
descriptors is that ultimately we need to follow the data [40]. A Data Protection Impact
Assessment (DPIA) may well have a diagram showing the flow of information through a system
or service.
Service Transaction Mapping
(https://insidegovuk.blog.gov.uk/2018/02/07/how-we-approached-service-mapping/)
is a good example of how this looks in practice. We contend this
is valuable in working through Cyber Resilience Planning and has immediate utility for Cyber
Incident Response when you are making sense of what has happened after an attack.
When systems were written in house, it was possible for the programmer to understand the
entire system. Today systems are far more complex and can be distributed and inter-linked.
This is why documentation is so important.
There are various standards and approaches to security architecture that may be of interest for
further research:
SABSA https://sabsa.org/sabsa-executive-summary/
Zachman https://www.zachman.com/about-the-zachman-framework
TOGAF https://www.opengroup.org/togaf
Architectural patterns
Pulling this all together, the mapping of components, their inter-relationship, implementation,
configuration and protective controls can all be pulled together in the form of a security
architectural pattern.
The NCSC have written a useful set of guidance:
https://www.ncsc.gov.uk/blog-post/secure-systems-design--new-guidance-now-available
One of the best ways to ensure good security practices is to observe bad ones; this is where
Security “Anti-Practices” come in useful:
https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns
A good example of a pattern for the safe import and export of data can be found at:
https://www.ncsc.gov.uk/guidance/design-pattern-safely-exporting-data
The Information Asset Eco system
Back in 2017, some work was undertaken to consider the key questions relating to network
protection and defence. These questions were designed to be an aide-memoire for Information
Governance professionals to understand Information Assurance issues. This has now been
developed further to help visualise what an information asset eco system may look like.
Lego building Blocks
It is even possible to use Lego bricks to develop physical representations of networks and
architectures: https://www.decisions-disruptions.org
This approach is very good for explaining to senior leaders and non-technical people how
components link together. This can be used for Risk Management modelling and as a planning
aid for Cyber Security exercises [41].
ISACA have also published a useful article that discusses the use of Lego models for Cyber
decision making and risk management [42].
Implementation Approach The 5 D’s
This methodology was developed by the author and was tested by a group of London Boroughs
in 2009 [43] through the LGA. The approach takes you through Information Asset identification
and classification. This helps determine the relative value of an Information Asset.
Discovery
A trawl of Information Assets – This is the difficult bit and the SCRAP process already
discussed can help with this.
What assets exist? You need to understand what you have and how they physically or
logically exist, where they are and whether they are backed up against cyber-attack.
What are their inputs / outputs? Asset and systems linkages are critical to enabling
incident management and recovery. Linked assets need to be viable, that is, all of their linked
parts exist and are accessible.
What linkages exist? Without the linkages, you can’t restore a working system.
Determination
Who owns the asset? Every Information Asset must have an owner. The acid test is, who
would miss it most if it were permanently destroyed?
Who is responsible for the asset? As above, along with the owner is the team
responsible for its maintenance, operation and use.
Who controls the asset? How is it delivered, through a system or service?
Who can authorise the processing and disclosure?
[Figure: The 5 Ds: Discovery, Determination, Decision, Deployment, Destruction]
Decision
What is the business impact level of the asset? That means if it’s lost how much “harm”
would it cause? [REF] to Harm modelling….
What is its Data Protection Status? Does the Asset contain Personal Data?
Who is authorised to process the asset? Again Data Protection status.
What protective measures are required? This is about the Information Assurance of the
asset.
Deployment
Where will the asset be created, stored and processed?
Will the asset be transmitted?
Will the asset be copied?
Will the asset be controlled?
Who will process it?
Where?
How?
Compliance/monitoring/audit regime?
Destruction
Who will authorise the destruction of the asset?
How will you know if all copies are destroyed?
Do you need to retain a copy for legal/compliance purposes?
How will you destroy the asset?
Linking Information Risk, Information Assurance and Incident Management
These tools and techniques are part of wider Cyber Incident Management; a detailed approach
is explored in the author's incident response policy primer and guide [44]. The SCRAP approach
previously discussed provides a practical framework and approach to facilitate the scoping and
identification phase to enable Cyber Incident Planning. Likewise, the 5 Ds provide a structured
approach to augment Cyber Incident planning and management. Public Sector organisations
can make full use of the National Cyber Security Centre (NCSC) Active Cyber Defence (ACD)
tools and services [45].
Logs / Time Sources / Network Diagrams / Documentation
The SCRAP approach above was devised to draw together the key non-functional requirements
for Cyber Incident Management and Response.
Making artefacts unique (Developing a descriptive Taxonomy for asset identification, version
control and management). Further applications for Incident reporting. These are discussed in
detail in the NIST incident Response Guide [46].
Once you have identified the assets and catalogued them, you can then start to evaluate the
assets and their inter-relationship. All of the attributes are, as discussed, causal variables.
Identifying and documenting the attributes will lead to the creation of a taxonomy [47] and the
NIST asset implementation guide [48], which can then be mapped against the MITRE ATT&CK
Framework [49], which will expose the vulnerabilities and attack vectors that can be exploited
through the Cyber kill chain [50]. We mitigate these attack vectors through compensating
controls [51].
Future Work
The changing dynamic and need for remote coordination and response.
Future studies may well confirm an acceleration towards cloud provisioned software and
services. I am also concerned with the need to review and change Cyber resilience plans;
Incident response and Crisis Management may well need to be delivered remotely rather than
in the traditional face to face manner. There is a need to understand fast time communications,
using various channels and software applications.
References (All accessed February 2021)
[1] https://ico.org.uk/for-organisations/accountability-framework/records-management-and-security/information-asset-register/
[2] Brett(2021) An overview of current issues and practice relating to local government cyber
security in England and Wales Henry Stewart Publications Cyber Security: A Peer-Reviewed
Journal Vol. 4, 4 1–13
[3] IMAG: https://www.researchgate.net/publication/342804953_An_Overview_of_Local_Government_Cyber_Security_in_England_and_Wales_Emergent_Threats_and_Practice
[4] ITIL CMDB: https://www.axelos.com/best-practice-solutions/itil/what-is-itil
[5] Data Dictionary (ICL IDMS Design {1987} Page 1-6:
http://www.computinghistory.org.uk/downloads/32270
[6] GDS Service Design Manual: https://www.gov.uk/service-manual
[7] Mulder J. (2020) Multi-Cloud Architecture and Governance, Packt Publishing
[8] Shrivastwa A. (2018) Hybrid cloud for Architects, Packt Publishing
[9] Agile Methodology in UK Govt: https://www.gov.uk/service-manual/agile-delivery
[10] MHCLG Cyber: https://mhclgdigital.blog.gov.uk/category/cyber/
[11] Miles, Huberman & Saldana Qualitative Data Analysis, Sage, 2018
https://uk.sagepub.com/en-gb/eur/qualitative-data-analysis/book246128
[12] Grounded Theory: http://www.groundedtheoryonline.com/what-is-grounded-theory/
[13] https://www.strategyzer.com/canvas/business-model-canvas
[14] DBSy: S. Katam, P. Zavarsky and F. Gichohi, "Applicability of Domain Based Security risk modeling to SCADA systems," 2015 World Congress on Industrial Control Systems Security (WCICSS), London, UK, 2015, pp. 66-69, doi: 10.1109/WCICSS.2015.7420327.
[15] https://www.creativityandcognition.com/resources/PBR%20Guide-1.1-2006.pdf
[16] https://www.strategyzer.com/canvas
[17] https://kanbanize.com/kanban-resources/getting-started/what-is-kanban
[18] https://trello.com
[19] https://www.miro.com
[20] https://thesystemsthinker.com/systems-thinking-what-why-when-where-and-how/
[21] https://www.wickedproblems.com/1_wicked_problems.php
[22] https://learnwardleymapping.com
[23] https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/the-strength-of-weak-signals#
[24] https://www.researchgate.net/publication/348931430_Horizon_Scanning_White_Paper
[25] Strauss, A., Corbin, J.M.: Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Sage Publications, Inc. (1990)
[26] https://www.forbes.com/sites/forbestechcouncil/2016/06/01/how-to-use-ethnographic-research-to-help-your-business/
[27] https://esrc.ukri.org/public-engagement/social-science-for-schools/resources/what-is-social-science-research/
[28] https://www.freecodecamp.org/news/computer-science-vs-software-engineering-which-one-is-a-better-major-88482c38446b/
[29] https://cgi.csc.liv.ac.uk/~ullrich/COMP516/notes/lect06.pdf
[30] https://thebookofsarah.com/deep-work-rules-focused-success-distracted-world-summary/
[31] Newport C. (2016) Deep Work. Rules for Focused Success in a Distracted World, Grand Central Publishing
[32] https://zettelkasten.de/posts/overview/
[33] https://research-information.bris.ac.uk/en/publications/what-is-a-complex-system
[34] https://www.imperial.ac.uk/nudgeomics/about/what-is-nudge-theory/
[35] https://hbr.org/2007/11/a-leaders-framework-for-decision-making
[36] https://www.gov.uk/guidance/development-operations-devops-engineer#introduction-to-the-role-of-development-operations-devops-engineers
[37] https://www.redhat.com/en/topics/devops/what-is-devsecops
[38] iStand UK Cyber (Cybershare): https://istanduk.org/wp-content/uploads/2019/08/Cyber-Emergency-Response-BRT-002.pdf
[39] https://www.fujitsu.com/uk/Images/ICL-Technical-Journal-v04i02.pdf
[40] https://ico.org.uk/for-organisations/accountability-framework/records-management-and-security/information-asset-register/
[41] http://www.toknowpress.net/ISBN/978-961-6914-26-0/57.pdf
[42] ISACA Lego Article: https://www.isacajournal-digital.org/isacajournal/2020_volume_4/MobilePagedArticle.action?articleId=1598518#articleId1598518
[43] 5 D’s (2009) LGA https://slideplayer.com/slide/6407124/
[44] https://www.researchgate.net/publication/342898805_Cyber_Incident_Response_-Working_Paper
[45] https://www.ncsc.gov.uk/section/products-services/active-cyber-defence
[46] NIST Incident Response Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[47] NIST Asset Registers: http://doi.org/10.6028/NIST.SP.1800-5
[48] https://www.nccoe.nist.gov/library/it-asset-management-nist-sp-1800-5-practice-guide
[49] https://attack.mitre.org
[50] https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain
[51] OSA Taxonomy: https://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy