PROTECTION NEEDS ASSESSMENT

Determine protection needs. Automatically, by maximum principle.

Assess confidentiality, integrity and availability per information asset. Kopexa inherits CIA values along the asset chain, so protection needs never accidentally dilute.

FOUNDATION

What a protection needs assessment delivers

Before you decide on measures, you need to know how much protection an asset requires. That is exactly what the protection needs assessment determines: it rates every information asset against the three protection goals and assigns it a category per goal.

Three protection need categories

normal

Impact of damage is limited and manageable.

high

Impact of damage can be considerable.

very high

Impact of damage can reach an existentially threatening scale.

Each protection goal is rated separately. An asset can be very high on availability and normal on confidentiality.

MAXIMUM PRINCIPLE

The highest value wins. Automatically.

Assets are connected: an asset carries several information assets, and a parent asset carries several assets. Under the maximum principle, every parent object inherits the highest protection need of the values it depends on, separately per protection goal.

C = Confidentiality · I = Integrity · A = Availability

Parent asset

Production server

inherits the highest applicable value
C: very high · I: high · A: high

Asset

CRM application

inherits from the information assets
C: very high · I: high · A: normal

Information assets

Customer data · Contracts

the assessment starts here
C: very high · I: normal · A: normal

Inheritance in both directions

Assets inherit the CIA values of the information assets they carry, and pass the highest value up to parent assets.

No undershooting

Manually lowering below the inherited value is not possible. The chain cannot accidentally dilute.

Individually justified

Confidentiality, integrity and availability are rated separately and justified individually, instead of one blanket rating.

PROCESS

Protection needs assessment in four steps

1. Capture information assets

Define the values that really matter: customer data, contracts, source code, business processes. Link them to the assets that carry them.

2. Rate protection goals

Rate confidentiality, integrity and availability separately per information asset. The schema suggests a category that you can override with justification.

3. Apply inheritance

Kopexa inherits the CIA values along the asset chain by the maximum principle. The highest applicable value propagates upward without manual upkeep.

4. Derive controls and keep them current

Protection needs map to the right controls from your active frameworks. Every change stays traceable, and the responsible owners are notified.
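The maximum principle, the no-undershooting rule and the four-step process above can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Kopexa's code; the class and function names, the asset tree and the justifications are constructed to reproduce the example chain shown in the diagram (customer data and contracts carried by a CRM application on a production server), with the CRM application's integrity and the server's availability raised by justified overrides so that the effective values match the figure.

```python
"""Maximum-principle inheritance of C/I/A protection needs along an asset chain.

Added example, not Kopexa's implementation. Node names, override justifications
and the notification logic are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Protection need categories, ordered so max() picks the higher one."""
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3


GOALS = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass
class Node:
    """An information asset (leaf) or an asset / parent asset (inner node).

    `own` holds the assessed rating of a leaf, or a justified override on an
    inner node. Missing goals count as NORMAL.
    """
    name: str
    own: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def inherited(node: Node, goal: str) -> Level:
    """Highest effective value among the node's children for one goal."""
    return max((effective(c)[goal] for c in node.children), default=Level.NORMAL)


def effective(node: Node) -> dict:
    """Maximum principle: per goal, the higher of the own rating and the inherited one."""
    return {g: max(node.own.get(g, Level.NORMAL), inherited(node, g)) for g in GOALS}


def snapshot(root: Node) -> dict:
    """Effective ratings of every node in the tree, keyed by node name."""
    snap = {root.name: effective(root)}
    for child in root.children:
        snap.update(snapshot(child))
    return snap


def set_rating(root: Node, node: Node, goal: str, level: Level,
               justification: str, history: list) -> list:
    """Rate or override one goal on one node.

    Rejects undershooting (setting a value below what is inherited), appends a
    history entry, and returns the names of all nodes whose effective value
    rose as a result, i.e. the owners who would be notified.
    """
    floor = inherited(node, goal)
    if level < floor:
        raise ValueError(f"{node.name}: {goal} cannot be set below inherited {floor.name}")
    before = snapshot(root)
    node.own[goal] = level
    after = snapshot(root)
    history.append((node.name, goal, level.name, justification))
    return [n for n in after if after[n][goal] > before[n][goal]]


def build_example() -> tuple:
    """The chain from the diagram: two information assets -> CRM -> production server."""
    customer_data = Node("Customer data",
                         {"C": Level.VERY_HIGH, "I": Level.NORMAL, "A": Level.NORMAL})
    contracts = Node("Contracts",
                     {"C": Level.VERY_HIGH, "I": Level.NORMAL, "A": Level.NORMAL})
    crm = Node("CRM application", children=[customer_data, contracts])
    server = Node("Production server", children=[crm])
    history = []
    # Justified overrides that raise, never lower, the inherited value (constructed).
    set_rating(server, crm, "I", Level.HIGH, "billing relies on correct CRM records", history)
    set_rating(server, server, "A", Level.HIGH, "hosts several customer-facing services", history)
    nodes = {n.name: n for n in (customer_data, contracts, crm, server)}
    return server, nodes, history


if __name__ == "__main__":
    root, nodes, history = build_example()
    for name, values in snapshot(root).items():
        print(name, {g: v.name for g, v in values.items()})
    # Step 2/3: a new rating on a leaf propagates upward without manual upkeep.
    affected = set_rating(root, nodes["Contracts"], "A", Level.VERY_HIGH,
                          "contract deadlines cannot be missed", history)
    print("notify owners of:", affected)
    # No undershooting: the server cannot be rated below what it inherits.
    try:
        set_rating(root, root, "C", Level.HIGH, "attempted downgrade", history)
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the effective C/I/A values for each node, lists the three nodes whose availability rose after the contracts rating changed, and shows the rejected attempt to downgrade the server's confidentiality below the very high value it inherits.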

FAQ

Frequently asked questions about protection needs

What is a protection needs assessment?

A protection needs assessment determines how much protection an information asset requires. It rates confidentiality, integrity and availability, typically as normal, high or very high. The result drives which protective measures and controls are actually needed.

What is the difference between a protection needs assessment and a Schutzbedarfsfeststellung?

Both are largely the same in content. Schutzbedarfsfeststellung is the fixed term from BSI IT-Grundschutz and tied to its methodology. Protection needs assessment is used more generally, including in the context of ISO 27001 and TISAX.

What does the maximum principle state?

A parent object inherits at least the highest protection need of all the values it depends on, considered separately per protection goal. If a server carries a highly confidential dataset, its confidentiality is high too. This keeps the chain from accidentally diluting.

What protection need categories are there?

The common scale comes from BSI IT-Grundschutz: normal, high and very high. Each level is defined by the possible impact of damage, from limited and manageable to existentially threatening.

How does Kopexa keep protection needs current?

Kopexa inherits CIA values automatically by the maximum principle along the asset chain. Manually undershooting the inherited values is not possible, every change stays traceable, and responsible owners are notified whenever inheritance raises protection needs anywhere in the chain.

Is a spreadsheet enough for a protection needs assessment?

For a first overview, yes; in the long run, rarely. Every new information asset can raise the protection need of a system, and that increase propagates up to every parent object. In a spreadsheet this quickly becomes inconsistent. A tool that applies the maximum principle automatically keeps the chain consistent.

Protection needs that keep themselves current

Let us show you in 30 minutes how Kopexa automates the protection needs assessment with CIA inheritance, history and notifications.