Looking at a plain system (there are no security controls implemented yet), we need to think about its functions and derive appropriate assets which we’d like to protect in order to ensure the system continues to function as intended (also making sure no intellectual property, private data, etc. are leaked).
My question is: do security measures themselves become assets once they are implemented? For example, we have a shared key to encrypt some data. This data is an asset with the property "confidentiality"; to protect its confidentiality, we implement the security control "encryption" using said key.
The key in itself is not relevant to us; it's just some random bits. Fundamentally, we still only care about the data being encrypted. However, the key is required to ensure the confidentiality of our data.
Does this in turn make the key itself an asset? (We can argue that the key must remain confidential as well, since information disclosure of the key automatically results in information disclosure of our data.)
Or would you argue that storing the key securely is simply part of the security control/measure in the first place, so that it doesn't make sense to make the key a new asset and continue the risk analysis for this new asset?
Another example: transmitted messages are digitally signed to ensure authenticity/integrity. Now I have somewhere a function/code which performs the verification, as well as cryptographic key material. Would the verification functionality and keys/certificates become new assets on their own, or is it considered part of the mitigation in the first place to correctly/securely handle these?
Curious about your opinions on this topic.