- September 26, 2023: Data review and calculation frequency and how they affect importance criteria; Separated user-assigned asset importance instructions.
- November 30, 2021: Linked to the Assets page overview.
- June 12, 2020: Now with customizable asset importance.
Asset importance (low, medium, high, critical, or none) estimates the importance of the underlying IP or domain/host to the organization, as visually depicted in the Asset Risk Matrix.
Related data:
- Asset Risk Matrix
- Assets
- Attack Surface Analytics
- Finding Details
- Issue Tracking (SPM)
- Remediation (Continuous Monitoring)
Importance Criteria
A number of factors are used in the algorithm for determining how assets are ranked by importance relative to the company. We regularly review data and calculate it daily into asset importance. As a result, the calculated importance could change based on the importance criteria.
- If you require a static asset importance, we advise creating a user-assigned asset importance.
- An asset of the highest importance within a subsidiary may not necessarily have a high importance relative to the other assets within a larger parent.
| Importance Criteria | Description |
|---|---|
| System Usage | The most notable contribution is the measurement of a system’s usage. The more distinct machines that are accessing a particular asset on the Internet are, the higher the importance of the asset. This is agnostic of the service or protocol used to access that system. |
| Egress IP | The IP address where the traffic on an organization’s endpoint devices exits their network onto the Internet are of higher importance. |
| Information Submission | Underutilized systems that contain sensitive data may pose a security risk, such as B2B applications or latent test or development systems. This factors in the website’s support for the user’s ability to submit information. It could take the form of mailing list enrollments, registration, login credentials, or any situation where the user is providing information to the server. |
| Service Classification | The type of service made available is evaluated, and the importance of its function is considered in its importance.
Example Service Categories: “Authentication protocols,” “Databases,” “System remote access,” “Network remote access,” “Communication services,” “Network infrastructure,” “ICS protocols,” “File exchange,” and “Mail systems,” among others. |
| Special Certificates | Systems that are provisioned with special certificates, known as “Extended Validation (EV) certificates,” are of high importance. |
User-Assigned Asset Importance
Users may assign an importance level to assets in their SPM companies (My Company, SPM Subsidiary, and subscribed companies in the same Ratings Tree as the My Company).
- The importance of user-assigned assets replaces the Bitsight-calculated asset importances any time importances are referenced (e.g., Assets, Asset Risk Matrix on the remediation tab, Attack Surface Analytics charts).
- User-assigned asset importance are contained within the entity in which they were assigned; They do not translate across the tree.
- User-assigned importances are visible to all users in your organization who can see the company where the asset importance was customized. They are not visible to any third parties monitoring your organization.
User-assigned asset importances are labeled with a User icon near the asset importance section in the Assets tab. The following additional details are included:
- User Importance: The user-assigned asset importance.
- Calculated Importance: The Bitsight-calculated asset importance.
- Importance Updated: The date when the importance was assigned.
- Updated By: The name of the editing user.