sacmwg / draft-ietf-sacm-terminology

SACM terminology aligned with best practice definitions, standard references, and terminology definitions of other work groups

Should we change "asset" to "SACM asset"? #61

Open adammontville opened 6 years ago

adammontville commented 6 years ago

The current definition of asset: Is a system resource, as defined in {{RFC4949}}, that may be composed of other assets. This may amount to changing the definition of asset to something more specific without also changing the label for the definition.

henkbirkholz commented 6 years ago

I am not really sure why the term asset is still used. We do "security posture assessment of target endpoints". Of course, from an org pov, everything that supports a primary or secondary business process is an asset - and then some. Therefore most entities (such as components, functions and/or even planes) count as assets. SAM is a thing that makes use of SWID, so I see a specific relationship there also. But effectively, Asset is a catch-all phrase with little meaning to SACM, in general.

It is still in because it doesn't hurt to see how SACM relates the term (which we do by the included examples), I think. It is not required to be in the terminology document. It helps if it is in there more than it hurts when it is not there, I think.

I am more on the neutral side. Slightly in favor of removing it entirely rather than word-smithing its definition away from 4949.

david-waltermire commented 6 years ago

I am in favor of less jargon. If we don’t need the term asset, then we should drop it.

Regards, Dave


strazzie123 commented 6 years ago

I agree. From Henk's description, there is nothing unique about a SACM asset (vs a non-SACM asset). Hence, I vote for removing the term.

regards, John


adammontville commented 6 years ago

Seems like this one should be removed. Will address.