Using MONARC for risk analysis in a university / faculty environment – definition of primary assets #591
milanvelky999-crypto asked this question in Q&A
Hello,
I am currently working on a risk analysis using the MONARC methodology as part of my master’s thesis.
The analysis is focused on an academic environment (faculty at a university), not a commercial company.
In many examples and tutorials, primary assets are defined around typical organizational units such as HR department, Finance department, or general Business processes.
In our case, the main mission of the faculty is:
The faculty critically depends on several IT services, such as:
My questions are:
Is it methodologically correct in MONARC to define primary assets at a higher, more abstract level (e.g. “IT services supporting education and research”), and then model the individual technical services (DNS, AD, Wi-Fi, etc.) as supporting assets?
Would it be acceptable to treat education and research as business/mission context, rather than defining them as separate primary assets, in order to avoid duplication of risks and supporting services?
I want to stay strictly aligned with the MONARC methodology and its recommended asset hierarchy.
Thank you very much for your guidance.