AiVRICAcademy
Course progress
0%
AiVRIC Asset Governance Foundations • Practitioner

Asset Governance

Asset governance is the practice of knowing what exists, who owns it, how important it is, what data or business process it supports, what risks affect it, and what evidence proves it is governed. In CloudSignals+RiskOps, assets are not just inventory records — they are the connective tissue between cloud posture, findings, business impact, vulnerability exposure, third-party relationships, compliance evidence, and RiskOps execution.

Topic course: ~75 min • Certification path: 4–6 hrs 5 modules + capstone Foundational to Intermediate Certification eligible
Who this course is for
  • Cloud security analysts
  • Asset owners
  • Security operations teams
  • RiskOps coordinators
  • Compliance analysts
  • MSP operators
  • IT governance managers
Prerequisites
  • Basic understanding of cloud resources and asset inventory
  • Familiarity with security findings and business impact concepts
  • Access to CloudSignals asset and findings workspaces

What you will be able to do

  1. Explain asset governance as more than asset inventory.
  2. Navigate the Surface menu to inspect assets, resources, findings, scans, and alerts.
  3. Identify critical, inactive, unmanaged, and high-risk assets.
  4. Use asset context to prioritize security findings beyond severity alone.
  5. Connect assets to managed entities, business processes, third parties, and RiskOps projects.
  6. Create asset governance review outputs for executives and auditors.
Platform areas used in this course: Surface, Asset Dashboard, All Assets, Cloud Resources, Critical Assets, Inactive Assets, Findings, Managed Entities, RiskOps, Reports, Vision. Navigate to Surface > Assets in the main navigation to begin.
AI advisory statement: Vision and other AI-assisted CloudSignals+RiskOps workflows are advisory. AI can summarize asset posture and generate reports, but AI does not independently certify governance. Human validation, evidence references, and source attribution remain required.
1

Asset Governance Concepts

15 min • Surface Overview • Explain ownership, criticality, and business context

Asset governance answers five questions

In many security programs, asset inventory is treated as a technical list — a record of cloud resources discovered by a scanner. CloudSignals+RiskOps treats assets as risk objects. Each asset can be connected to findings, providers, accounts, regions, business processes, managed entities, third parties, control evidence, and remediation projects. Asset governance answers five questions that an inventory record alone cannot:

What do we have?

A complete, current inventory of every cloud resource across all connected providers, accounts, and regions.

Who owns it?

A named individual or team responsible for each asset — linked through managed entities and owner assignment.

Why does it matter?

Criticality, data sensitivity, and business process linkage — the context that determines priority.

What risk does it carry?

Open findings, unresolved treatments, third-party exposure, and compliance gaps linked to this asset.

What proof shows it is governed?

Evidence: ownership records, classification decisions, scan results, treatment plans, access reviews.

In the platform — Lab 1: Asset Coverage Review
1
Navigate to Surface > Assets. Open the Asset Dashboard and review the top-level metrics: total monitored assets, ownership coverage, risk heatmap, and connected providers.
2
Compare monitored asset counts against your expected provider and account inventory. Providers in your billing console but absent from the Asset Dashboard represent blind spots in your governance coverage.
3
Identify assets with missing ownership. Filter All Assets for assets with no assigned owner or managed entity. These cannot receive risk notifications or drive accountable remediation.
4
Review the Inactive Assets view. Note which assets appear inactive but may still be generating findings or carrying configuration risk.
5
Record your asset governance gaps: missing ownership count, unconnected accounts, and inactive assets still flagged in findings. This is your Lab 1 deliverable: an asset coverage review note.
Answer the five governance questions: For your environment, draft one-sentence answers to all five questions. Gaps in your answers are governance gaps.
Document your coverage blind spots: List any cloud accounts, subscriptions, or regions present in your billing console but not connected to CloudSignals.
Count unowned assets: Note the number of assets with no owner or managed entity. Set a target to reach zero unowned critical assets within 14 days.
Knowledge Check
What makes asset governance different from asset inventory?
Asset governance uses automated scanners; asset inventory is maintained manually by operations teams.
Asset inventory records what exists; asset governance answers why it matters, who owns it, what risks it carries, and what evidence proves it is governed — connecting assets to business context, risk, and accountability.
Asset governance is a compliance requirement; asset inventory is an optional operational practice.
Asset governance covers cloud resources only; asset inventory includes on-premises systems as well.
Move on when you've completed the Asset Coverage Review and documented your governance gaps.
2

Asset Inventory & Dashboards

20 min • Asset Dashboard, All Assets • Inspect monitored asset posture

The Asset Dashboard as a posture view

The Asset Dashboard provides a posture view for asset intelligence. It surfaces: ownership coverage percentages, risk heatmaps showing which assets carry the most finding pressure, cloud resource groupings by provider and account, critical asset indicators, inactive asset counts, and import workflows for external asset context. Learners should use the dashboard to understand both coverage and blind spots — not just totals.

Key questions the Asset Dashboard should answer every review cycle:

  • Are all expected providers and accounts represented? Any missing account is an unknown risk exposure.
  • Which assets have missing ownership? Unowned assets cannot be assigned risk or receive remediation notifications.
  • Which assets have failed checks? High-finding assets need triage priority regardless of their criticality designation.
  • Which assets appear inactive but still expose risk? Inactive assets can still carry open findings, accepted risks, or stale evidence.
  • Which assets are tied to open POA&Ms or RiskOps work? Active remediation work linked to assets should be visible in the dashboard context.
In the platform — Inspect asset posture across providers
1
Navigate to Surface > Asset Dashboard. Review the ownership coverage percentage and the risk heatmap. Note which provider or account contributes the most unowned assets.
2
Open All Assets. Sort by Findings (descending) to see which assets carry the most open control failures. These are your immediate triage priority regardless of criticality designation.
3
Navigate to Cloud Resources. Group by provider to review how assets are distributed across AWS, Azure, GCP, and OCI. Identify accounts with unexpectedly low resource counts — these may indicate incomplete connector scope.
4
Open Inactive Assets. For each inactive asset with open findings, confirm whether it should be decommissioned or remains active. An inactive asset with unresolved findings represents ongoing exposure without active management.
Record dashboard baseline metrics: Capture today's ownership coverage %, highest-finding asset, and inactive asset count with open findings. Use this as your governance review baseline.
Cross-reference Cloud Resources against your billing console: Verify every active cloud account appears in Cloud Resources. Document any gap as a connector scope issue.
Act on at least one inactive asset: For an inactive asset with open findings, decide: decommission, reactivate, or create a governance exception. Any of these is better than leaving it unaddressed.
Knowledge Check
How can inactive assets still create risk in CloudSignals+RiskOps?
Inactive assets are automatically removed from the asset inventory, so they cannot contribute to findings or risk scores.
Inactive assets may still carry open findings, accepted risks, stale evidence linked to controls, or unresolved treatment plans — all of which contribute to risk pressure and compliance gaps even though the asset appears dormant.
Inactive assets create risk only if they are connected to production managed entities — isolated inactive assets have no governance impact.
Inactive assets increase scan costs but do not affect risk scores or finding counts.
Move on when you've reviewed the Asset Dashboard, Cloud Resources, and Inactive Assets views.
3

Criticality & Crown Jewels

20 min • Critical Assets, Managed Entities • Identify and govern high-value assets

What makes an asset a crown jewel

Critical assets require stronger governance because their failure or compromise creates disproportionate business impact. Crown-jewel assets are those whose compromise would cause the most severe business, regulatory, or reputational harm. They typically include: identity platforms (directory services, SSO, MFA infrastructure), production databases storing regulated data, payment and financial transaction systems, healthcare systems handling PHI, AI model infrastructure and training data, customer data stores, and key cloud control plane services (KMS, secrets management, logging aggregation).

Classifying an asset as a crown jewel is a governance decision, not just a technical tag. It requires evaluating five dimensions:

DimensionQuestion to answer
Business impactWhat business function fails if this asset is unavailable or compromised?
Data sensitivityWhat type of data does this asset store, process, or transmit? (PII, PHI, financial, confidential?)
ExposureIs this asset internet-facing, accessible to third parties, or in a shared environment?
DependencyHow many other systems depend on this asset? A failure here = failures downstream?
RecoverabilityHow long does it take to restore? Is a compromise forensically detectable?
In the platform — Lab 2: Crown-Jewel Classification
1
Navigate to Surface > Critical Assets. Review the assets currently designated Critical. Do these match your organization's crown-jewel expectations based on the five classification dimensions?
2
Select one asset with high business impact. Open the asset detail and review: owner, cloud provider, region, data type classification, open findings, and managed entity linkage.
3
Confirm or set the asset's Criticality designation (Critical/High/Medium/Low) and Data Sensitivity classification (PII/PHI/Confidential/Internal/Public). If the managed entity is blank, assign one now.
4
Navigate to Settings > Managed Entities. Verify the managed entity for this asset has a named owner. Owners receive risk notifications for their managed entity's assets.
5
Recommend a review cadence for this crown-jewel asset. Most organizations review crown jewels weekly (findings), monthly (ownership and classification), and quarterly (full governance review with evidence). Document this as a governance rationale note.
Build your crown-jewel asset list: Using the five classification dimensions, identify your organization's top 5–10 crown-jewel assets. Document each with classification rationale.
Confirm managed entity and owner for every crown jewel: Every crown-jewel asset must have a named owner and linked managed entity. No exceptions.
Set review cadence: Document how frequently each crown jewel will be reviewed for findings, ownership, classification, and governance evidence.
Knowledge Check
What attributes make an asset a crown-jewel system requiring the strongest governance controls?
High finding count, Critical severity findings, and being managed by a named owner in the platform.
Disproportionate business impact if compromised — typically combining high criticality, sensitive data handling (PII/PHI/financial), high dependency count, internet or third-party exposure, and difficult recoverability.
Assets that appear in the Critical Assets view and have been running for more than 12 months without decommission.
Assets explicitly designated crown jewels by the cloud provider through resource tagging APIs.
Move on when you've built your crown-jewel list and confirmed managed entity ownership for each.
4

Findings & Asset Risk

25 min • Findings, RiskOps • Prioritize findings using asset context

From finding severity to risk priority using asset context

Findings become more useful when they are anchored to asset context. A medium-severity finding on a crown-jewel identity system may be more urgent than a high-severity finding on a disposable test asset. CloudSignals+RiskOps helps learners move beyond finding severity to risk priority by considering: asset role, business impact, exposure, finding age, treatment status, and remediation ownership.

When investigating a finding, apply this evaluation framework:

  • What service or resource is affected? — Is it a production database, a development VM, or a shared service?
  • Is it internet-facing? — Public-facing assets with findings have shorter exploitation windows.
  • What data or business function is involved? — PII, PHI, payment data, or critical operational services require faster response.
  • Is there an owner? — An unowned asset with a critical finding has no one to receive the triage assignment.
  • Is the finding recurring? — A finding that reappears after remediation indicates a systemic configuration issue, not a one-time fix.
  • What remediation evidence is required? — Document this before creating the treatment plan, not after.
In the platform — Lab 3: Asset-to-Risk Prioritization
1
Navigate to Findings. Filter to Critical and High severity. For the top 5 findings, open each and pivot to the linked asset. Compare the asset's criticality, data sensitivity, and business process linkage.
2
Select the crown-jewel asset you identified in Module 3. Open its asset detail and review the Findings tab. Compare finding severity against asset context to determine true risk priority order.
3
For the highest-priority finding on your crown jewel, apply the six evaluation questions above. Document your answers — this becomes the risk prioritization rationale.
4
Navigate to RiskOps. Create a treatment plan or RiskOps project for the finding. Set treatment type, owner, target date, and evidence requirement before submitting.
5
Draft a two-sentence executive explanation of why this finding on this asset warrants priority treatment. Frame it in business impact language, not severity score language.
Prioritize findings using asset context: Re-rank your top 10 open findings using all six evaluation factors. The resulting order may differ significantly from severity-only ranking.
Create at least one asset-contextualized treatment plan: For a finding on a crown-jewel asset, create a treatment plan with a named owner, target date, and specific evidence requirement.
Document a recurring finding: Identify any finding that has re-emerged after a previous closure. This indicates a systemic root cause requiring a project, not just a point-fix.
Knowledge Check
Why should asset context influence finding priority rather than relying on severity alone?
Severity scores are calculated by the scanner and may contain errors; asset context provides a manual correction mechanism.
The same severity finding can represent very different organizational risk depending on the asset's role, data type, business process linkage, and exposure. A medium finding on a PII database may require faster response than a critical finding on a dev VM with no sensitive data.
Severity alone is sufficient for technical teams; asset context is only needed for executive reporting purposes.
Asset context replaces severity as the primary prioritization signal — severity scores should be ignored when asset classification is available.
Move on when you've completed the asset-to-risk prioritization lab and created at least one contextualized treatment plan.
5

Asset Evidence & Reporting

20 min • Reports, Vision • Produce governance-ready asset summaries

What counts as asset governance evidence

Asset governance evidence is the documentation that proves assets are known, owned, classified, and governed. It is broader than scan results. Evidence may include:

  • Ownership records: named owner and managed entity assignments with timestamps
  • Data classification decisions: documented rationale for sensitivity designations
  • Architecture diagrams: showing where assets sit in data flows and trust zones
  • Tagging policies: evidence that assets are tagged consistently with required governance metadata
  • Scan results: timestamped scan outputs confirming the asset was evaluated and control states
  • Remediation tickets: linked treatment plans or RiskOps projects showing active governance
  • Backup proof: records confirming backup policies are configured and tested
  • Access reviews: periodic confirmation that asset access is limited to authorized users
  • Incident records: any security event linked to this asset and the response taken
  • Third-party attestations: vendor confirmations for assets where remediation authority lies with a vendor

Using Vision for asset reporting — with required human validation

Vision can help summarize asset posture, identify patterns in ownership gaps, and draft executive narratives from asset dashboard data. However, Vision outputs must include evidence references and pass human validation before they are shared as governance artifacts. A Vision asset summary that references specific asset counts and findings must be verified against current platform data before distribution.

In the platform — Produce a governance-ready asset summary
1
Navigate to Reports. Open the Asset Governance report. Review the available report scopes: all assets, by managed entity, by provider, or by criticality tier.
2
Generate an asset governance report filtered to your Critical/High criticality assets. Review: ownership coverage, finding count, classification completeness, and open treatment plans.
3
Navigate to Vision > Ask Vision. Request an asset posture summary: "Summarize our crown-jewel asset governance posture including top ownership gaps and highest-risk findings."
4
Review the Vision output. Verify each cited metric against the Reports view. Correct any inaccuracies. Add evidence references (report export timestamp, scan run ID). Add your reviewer attestation.
5
Export the validated asset summary. This is your Lab deliverable: an asset governance review output suitable for leadership distribution.
Generate an asset governance report: Export a report for your Critical/High assets and distribute to managed entity owners as the starting point for their accountability review.
Identify evidence gaps by asset: For each crown-jewel asset, note which evidence types are missing from the list above. Create collection tasks for each gap.
Validate a Vision asset narrative: Generate, verify, and attest a Vision asset summary before treating it as a governance output.
Knowledge Check
Which of the following best represents a complete set of asset governance evidence for a crown-jewel database?
A scanner report showing all checks passed on the most recent scan date.
Named ownership record, PII data classification with rationale, current scan result, linked treatment plan for open findings, most recent access review, and backup confirmation — together proving the asset is known, owned, classified, and actively governed.
A Vision-generated asset summary approved by the security manager and stored in the document management system.
A remediation ticket in Jira confirming that the most recent Critical finding was fixed within the SLA window.
Move on when you've generated an asset governance report and validated a Vision asset narrative.

Certification: AiVRIC CloudSignals Asset Governance Practitioner

Completing all five modules makes you eligible for the Asset Governance Practitioner certification exam.

Exam domainWeight
Asset governance concepts20%
Asset inventory and coverage20%
Criticality and crown-jewel governance20%
Findings and asset risk prioritization25%
Evidence and reporting15%

Capstone practical scenario

A tenant has 350 monitored assets, several inactive resources, incomplete ownership metadata, and open findings on an identity platform and a payment database. Your task:

  1. Identify the most critical assets using the five classification dimensions.
  2. Explain why criticality changes remediation priority beyond severity alone.
  3. Recommend ownership and evidence improvements for unowned or ungoverned assets.
  4. Create a RiskOps action plan for the identity platform and payment database findings.
  5. Draft a governance summary for leadership including coverage gaps and remediation status.
Passing criteria: Correctly identifies business-critical assets using classification dimensions. Uses asset context rather than severity alone. Produces clear evidence and ownership recommendations. Routes unresolved work into RiskOps with named owners and target dates. Executive summary uses business-impact language, not technical jargon.
🏅
Course complete!
You've completed Asset Governance. Assets are now risk objects with ownership, context, and evidence — not just inventory records.
Explore more courses