The Main Thing about Assets and Configurable Items
The Unified Compliance Framework™ defines an asset as something that falls under the purview of an Authority Document's controls, either because of its value or because of its configuration properties. One qualification applies: within the UCF at least, data fields, records, and compliance documentation fall outside the scope of assets, because those items are audited by a more rigorous method.
Information technology assets are the combination of logical and physical components and resources, grouped into specific classes (Operating System [includes drivers], Application [includes drivers], Storage, Hardware, Network, Power or Air, and Facility [includes containers]). Assets that need to be individually managed are also configuration items. For example, the door lock on a computer room or a consumable item might not be a configuration item, but the software firewall on a notebook computer would be. In the context of financial management, items below a specific value are not considered assets because it would not be cost effective to track and manage them. In the context of auditing information systems, however, even logs (of little financial worth in themselves) are considered assets, because they are artifacts that need to be examined or tested.
Asset classes
An asset class is a grouping of organizational assets by type. Currently, the UCF tracks the following asset classes:
1. Operating System [includes drivers]
2. Application [includes drivers]
3. Storage
4. Hardware
5. Network
6. Power or Air
7. Facility
Remember that all data, records, and databases are already tracked through the information classification tables (databases should be listed as supporting records), and compliance documents such as policies, standards, and procedures are also tracked separately. Each of the classes above is defined in turn below.
Operating System
An operating system provides the software platform that directs the overall activity of a computer, network, or system and on which all other programs and applications run. The choice of operating system largely determines which applications can be run. Operating systems perform basic tasks such as recognizing input from the keyboard, sending output to the display, keeping track of files and directories on disk, and controlling peripheral devices such as disk drives and printers. On large systems the operating system has even greater responsibilities and powers, acting as a traffic cop to make sure different programs and users running at the same time do not interfere with each other. The operating system is also responsible for security, ensuring that unauthorized users do not access the system; this is also why an operating system's security configuration is so often the configuration item an auditor examines. Examples of operating systems are UNIX, DOS, Windows, Linux, Mac OS, and IBM's VM. Operating systems can be classified in a number of ways, including: multi-user (two or more users run programs at the same time; some operating systems permit hundreds or even thousands of concurrent users); multiprocessing (a program can run on more than one CPU); multitasking (more than one program runs concurrently); multithreading (different parts of a single program run concurrently); and real time (responds to input within guaranteed time bounds; general-purpose operating systems such as DOS and UNIX are not real-time).
Application
In the broadest sense, an application is the use of information resources (information and information technology) to satisfy a specific set of user requirements. In software terms, it is any program designed to perform a specific function directly for the user or, in some cases, for another application: a program designed to help people perform a certain type of work, including specific functions such as payroll, inventory control, accounting, and mission support. Depending on the work for which it was designed, an application can manipulate text, numbers, graphics, or a combination of these. An application contrasts with a systems program, such as an operating system or network control program, and with utility programs, such as copy or sort.
Storage
Storage is the catch-all term for any type of media and medium that holds information or information assets, such as a direct access storage device, an electronic storage system, a storage area network, offline storage, or even open storage.
Direct Access Storage Device
Any storage device, such as a hard disk, that provides the capability to access and/or manipulate data as required without having to access all preceding records to reach it. In contrast to direct or random access, sequential access devices, such as tape drives, require all preceding records to be read to reach the required data.
Electronic storage system
An electronic storage system is a system to prepare, record, transfer, index, store, preserve, retrieve, and reproduce files, organizational books and records.
Offline storage
Electronic records stored or archived on removable disk (optical, compact, etc.) or magnetic tape, used for making disaster-recovery copies of records for which retrieval is unlikely. Access to off-line media usually requires manual intervention and is much slower than on-line or near-line storage, depending on the storage facility. The major difference between near-line data and offline data is that offline data lacks an intelligent disk subsystem and is not connected to a computer, network, or any other readily accessible system.
Open storage
Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel.
Storage Area Network
A high-speed subnetwork of shared storage devices. A storage device is a machine that contains nothing but disks for storing data. A SAN's architecture makes all storage devices available to all servers on a LAN or WAN; as more storage devices are added to the SAN, they too become accessible from any server in the larger network. In this arrangement the server merely acts as a pathway between the end user and the stored data. Because stored data does not reside directly on any of the network's servers, server capacity is left for business applications, and network capacity is released to the end user. See also Network.
Hardware
The physical components of information technology, including computers, peripheral devices such as printers, disks, and scanners, and the cables, switches, and other elements of the telecommunications infrastructure.
Network
A group of computers and associated devices connected by communications facilities in order to share resources. A network can involve permanent connections, such as cables, or temporary connections made through telephone or other communications links. It can be as small as a local area network consisting of a few computers, printers, and other devices, or it can consist of many small and large computers distributed over a vast geographic area. In the telecommunications sense, a network is the medium and associated components responsible for the transmission of information. A local-area network (LAN) refers to connected computers and devices that are geographically close together (e.g., in the same building). A wide-area network (WAN) refers generally to a network of PCs or other devices, remote from each other, connected by telecommunications lines; typically a WAN connects two or more LANs together.
Power or Air
Power is an organizational asset covering both full-time power from the electrical grid and emergency power (whether from a generator or an uninterruptible power supply). Air is an organizational asset covering the heating, cooling, and humidity control that keep environmental conditions within the ranges the organization's other assets require.
Facility (includes containers)
A facility in terms of organizational assets can be anything from a lockable and transportable container, through stationary containers, through individual buildings, to campuses.
Containers
A container is any object that can be used to hold things; in our context, information, information assets, or other organizational assets. Containers range from the strong plastic or metal box-like objects of standardized dimensions that can be loaded from one form of transport to another, to the lockable transportable and stationary containers mentioned under Facility.
Assets as configurable items
A configurable item (configuration item) is a part of an asset specifically called out during the audit process. Configurable items are used as objects that help determine the status of the asset (a log as a configurable item used to determine who accessed the asset), the configuration of the asset (a software configurable item checked for its configuration status), or the activities surrounding an asset (a transit bill showing where a container has been). A configurable item may also help determine a specific process (such as a procedure document as an audit configurable item) or define behavioral norms (a policy as an audit configurable item). It should be noted that configurable items are not evidence. A configurable item is the object itself, submitted for testing or examination. The evidence is found within the configurable item; it is the means by which an alleged matter of fact is established or disproved. If the configurable item is a log, then the evidence of who accessed the system is the set of logged access records within that configurable item.
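The log-versus-evidence distinction above is easier to see in code. The following Python is an added example, not part of the UCF text: a constructed slice of a Linux auth log (in the format OpenSSH's sshd writes through syslog) stands in for the configurable item, and the parser extracts from it the access records that serve as evidence of who accessed the host. The hostname, users, addresses and timestamps are all made up for the example; only the sshd message formats are real.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (the configurable item submitted for examination).
# Hostname, users, addresses and times are invented; the sshd message
# formats ("Accepted ... for", "Failed ... for", "Invalid user") are real.
AUTH_LOG = """\
Mar  3 08:12:01 fileserver sshd[2231]: Accepted publickey for alice from 10.0.4.17 port 51022 ssh2: ED25519 SHA256:abc
Mar  3 08:12:05 fileserver sshd[2231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:40:33 fileserver sshd[2410]: Failed password for bob from 10.0.9.2 port 44110 ssh2
Mar  3 08:40:39 fileserver sshd[2410]: Failed password for bob from 10.0.9.2 port 44110 ssh2
Mar  3 08:41:02 fileserver sshd[2412]: Accepted password for bob from 10.0.9.2 port 44118 ssh2
Mar  3 09:02:17 fileserver sshd[2590]: Invalid user admin from 203.0.113.8 port 60001
Mar  3 09:15:44 fileserver cron[2601]: (root) CMD (run-parts /etc/cron.hourly)
"""


@dataclass(frozen=True)
class AccessRecord:
    """One piece of evidence: a single authentication attempt."""
    timestamp: str
    user: str
    source: str
    outcome: str            # "accepted", "failed" or "invalid-user"
    method: Optional[str]   # "publickey", "password", ... or None


# syslog prefix + sshd tag; session-open and cron lines are part of the same
# configurable item but carry no evidence about *who* authenticated.
_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
_ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
_FAILED = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
_INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")


def extract_access_records(log_text: str) -> List[AccessRecord]:
    """Examine the configurable item (the log) and return the evidence
    (access records) found within it, in log order."""
    records: List[AccessRecord] = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not an sshd line: no authentication evidence here
        ts, msg = m.group("ts"), m.group("msg")
        if a := _ACCEPTED.match(msg):
            records.append(AccessRecord(ts, a["user"], a["src"], "accepted", a["method"]))
        elif f := _FAILED.match(msg):
            records.append(AccessRecord(ts, f["user"], f["src"], "failed", f["method"]))
        elif i := _INVALID.match(msg):
            records.append(AccessRecord(ts, i["user"], i["src"], "invalid-user", None))
    return records


def who_accessed(log_text: str) -> Dict[str, List[str]]:
    """Answer the audit question 'who accessed the asset?': a map of
    user -> sorted list of source addresses with a successful login."""
    seen: Dict[str, set] = {}
    for r in extract_access_records(log_text):
        if r.outcome == "accepted":
            seen.setdefault(r.user, set()).add(r.source)
    return {user: sorted(srcs) for user, srcs in seen.items()}


if __name__ == "__main__":
    for rec in extract_access_records(AUTH_LOG):
        print(rec)
    print(who_accessed(AUTH_LOG))
```

Note what the auditor actually receives: the whole log file, session-open and cron lines included, is the configurable item; only the records `extract_access_records` pulls out of it are evidence, and `who_accessed` is the matter of fact those records establish. The two failed attempts for bob and the probe for a non-existent "admin" account remain in the evidence set even though they do not answer the "who accessed" question, because an examiner would want to see them when judging the same configurable item against a different control.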