Cybersecurity - quick start guide
Your security team runs scans, tracks risks in spreadsheets, and scrambles before every audit to prove compliance. The Cybersecurity Asset Inventory schema brings all of that into Assets: a structured, queryable, auditable system where vulnerabilities link to assets, controls map to compliance requirements, and risk scores actually mean something because they are connected to real data.
This guide is split across four focused pages. Start here for the big picture, then follow the links to the detail you need.
Who should read this guide
This guide is written for Security Analysts responsible for vulnerability triage and incident response, Security Engineers implementing scanner integrations and control frameworks, CISO and Security Leadership requiring risk visibility and compliance reporting, IT Operations teams managing patch cycles and asset lifecycle, Compliance and Audit teams mapping controls to requirements and collecting evidence, and GRC Analysts tracking regulatory compliance across the organisation.
Prerequisites
Before deploying this schema, you need a Jira Service Management Premium or Enterprise licence (Assets requires Premium tier minimum), Object Schema Manager or Jira Admin permissions, and the Core Schema v1.1 deployed with Person, Team, Application, Vendor, and Location object types populated. You should also be familiar with basic Assets concepts (object types, attributes, references) and with vulnerability management fundamentals (CVE, CVSS, remediation workflows).
⚠️ Important: This schema extends the Core Schema. All ownership, team assignment, vendor, and location references point at Core objects. If Core is not deployed and populated first, those references will have nothing to connect to.
When to use this schema
Deploy the Cybersecurity Asset Inventory schema when your organisation needs to bring security operations data into a structured CMDB. This schema is the right choice when you need to manage vulnerabilities at scale across scanners like Tenable, Qualys, or Rapid7; when you must demonstrate compliance with frameworks such as ISO 27001, SOC 2, PCI-DSS, HIPAA, or NIST 800-53; when you need a formal risk register with likelihood/impact scoring and residual risk calculation; when you maintain a security-specific asset inventory with criticality ratings and data classification; or when you face regular security audits and need a single source of truth.
Choose this schema if your security team currently tracks vulnerabilities in spreadsheets, lacks a formal risk register, or cannot demonstrate control-to-requirement mapping during audits. It is particularly valuable for organisations subject to two or more compliance frameworks.
Consider alternatives if:
| Scenario | Better Choice |
|---|---|
| You only need IT hardware and software inventory without security context | Standard CMDB or Basic CMDB |
| You need comprehensive IT asset management but not security-specific controls and risks | Enterprise IT CMDB |
| You have a mature GRC platform and only need asset inventory | Core Schema with GRC integration |
Schema architecture
Five object types
The Cybersecurity schema provides five object types that work together to model the full security operations lifecycle:
| Object Type | Purpose | Key Attributes |
|---|---|---|
| Security Asset | Physical or virtual devices requiring security management | Name, FQDN, Type, Environment, Criticality, Data Classification, Status |
| Vulnerability | Known security weaknesses from scanner findings | CVE ID, Severity, CVSS Score, Affected Asset, Remediation Status, Remediation Due |
| Security Control | Safeguards mapped to compliance frameworks | Control ID, Framework, Category, Implementation Status, Evidence Location |
| Risk | Business-level exposure tracked in the risk register | Likelihood, Impact, Risk Score, Residual Score, Treatment, Treatment Plan |
| Compliance Requirement | Regulatory or policy obligations | Requirement ID, Framework, Compliance Status, Mapped Controls, Applicable Assets |
How this schema extends Core
The Cybersecurity schema references Core Schema objects rather than duplicating master data. Person, Team, Application, Vendor, and Location records are maintained once in Core and referenced across all security records.
| Core Object | How Cybersecurity Uses It |
|---|---|
| Person | Asset owners, vulnerability remediation assignees, control owners, risk owners, compliance owners |
| Team | Owning teams for assets, security teams responsible for controls |
| Application | Business application context for impact analysis |
| Vendor | Hardware manufacturers, software vendors, security tool providers |
| Location | Physical asset locations, data centre assignments, regional compliance scope |
Reference types
The schema defines 18 custom reference types, colour-coded by relationship category:
| Colour | Category | Reference Types |
|---|---|---|
| Blue (#0052CC) | Ownership and accountability | Owned By, Managed By, Remediation Assignee, Control Owner, Control Team, Compliance Owner |
| Green (#36B37E) | Service delivery and asset relationships | Located At, Supports, Provided By, Protects |
| Orange (#FF991F) | Security relationships | Affects, Addresses, Impacts, Mitigated By, Triggered By |
| Red (#DE350B) | Critical accountability | Risk Owner |
| Purple (#6554C0) | Compliance relationships | Applies To, Satisfied By |
Schema at a glance
```text
Security Asset ──(Owned By)──────────▶ Person (Core)
│              ──(Managed By)──────────▶ Team (Core)
│              ──(Located At)──────────▶ Location (Core)
│              ──(Supports)────────────▶ Application (Core)
│              ──(Provided By)─────────▶ Vendor (Core)
│
├──◀──(Affects)────── Vulnerability ──(Remediation Assignee)──▶ Person
│
├──◀──(Protects)───── Security Control ──(Control Owner)──▶ Person
│                       │              ──(Control Team)──▶ Team
│                       │──(Addresses)──▶ Vulnerability
│                       │
│                       └──◀──(Satisfied By)── Compliance Requirement
│                                                ──(Compliance Owner)──▶ Person
│                                                ──(Applies To)──▶ Security Asset
│
└──◀──(Impacts)────── Risk ──(Risk Owner)──▶ Person
                           ──(Mitigated By)──▶ Security Control
                           ──(Triggered By)──▶ Vulnerability
```
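The reference model in the diagram can be checked mechanically before records are imported. The following is an added example, not part of the schema package or the original guide: it transcribes the 18 reference types from the diagram, flags references that cannot resolve (for instance a Core object that was never populated), and lists vulnerabilities on a requirement's assets that none of its mapped controls address. The record keys, function names and sample records are hypothetical and constructed for illustration.

```python
# Added example: reference rules transcribed from the "Schema at a glance" diagram.
# source object type -> {reference type: target object type}
RULES = {
    "Security Asset": {"Owned By": "Person", "Managed By": "Team", "Located At": "Location",
                       "Supports": "Application", "Provided By": "Vendor"},
    "Vulnerability": {"Affects": "Security Asset", "Remediation Assignee": "Person"},
    "Security Control": {"Protects": "Security Asset", "Control Owner": "Person",
                         "Control Team": "Team", "Addresses": "Vulnerability"},
    "Compliance Requirement": {"Satisfied By": "Security Control",
                               "Compliance Owner": "Person", "Applies To": "Security Asset"},
    "Risk": {"Impacts": "Security Asset", "Risk Owner": "Person",
             "Mitigated By": "Security Control", "Triggered By": "Vulnerability"},
}

# Constructed sample records: key -> (object type, {reference type: [target keys]})
OBJECTS = {
    "PER-1": ("Person", {}),
    "SA-1": ("Security Asset", {"Owned By": ["PER-1"], "Managed By": ["TEAM-9"]}),
    "VULN-1": ("Vulnerability", {"Affects": ["SA-1"]}),
    "VULN-2": ("Vulnerability", {"Affects": ["SA-1"]}),
    "CTRL-1": ("Security Control", {"Protects": ["SA-1"], "Addresses": ["VULN-1"]}),
    "REQ-1": ("Compliance Requirement", {"Satisfied By": ["CTRL-1"], "Applies To": ["SA-1"]}),
}

def broken_references(objects):
    """Return (source, reference, target, reason) for each reference that cannot resolve."""
    problems = []
    for key, (otype, refs) in objects.items():
        for ref, targets in refs.items():
            expected = RULES.get(otype, {}).get(ref)
            for target in targets:
                if expected is None:
                    problems.append((key, ref, target, "reference not defined for type"))
                elif target not in objects:
                    problems.append((key, ref, target, "missing " + expected))
                elif objects[target][0] != expected:
                    problems.append((key, ref, target, "expected " + expected))
    return problems

def unaddressed_vulnerabilities(objects, requirement):
    """Vulnerabilities on a requirement's assets that none of its controls address."""
    refs = objects[requirement][1]
    assets = set(refs.get("Applies To", []))
    covered = {v for c in refs.get("Satisfied By", []) if c in objects
               for v in objects[c][1].get("Addresses", [])}
    return sorted(k for k, (t, r) in objects.items() if t == "Vulnerability"
                  and assets & set(r.get("Affects", [])) and k not in covered)
```

In the sample data, `TEAM-9` stands in for a Core Team record that was never created, and `VULN-2` affects an in-scope asset without any mapped control addressing it.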
Guide contents
This Quick Start Guide is split into four child pages, each covering a specific aspect of the schema:
| Page | What It Covers | Read Time |
|---|---|---|
| Assets and vulnerability management | Security Asset and Vulnerability object types: full attribute reference, implementation best practices, SLA matrices, AQL queries | ~8 min |
| Controls, risk, and compliance | Security Control, Risk, and Compliance Requirement object types: framework mapping, risk scoring, assessment scheduling | ~10 min |
| Deployment and scanner integration | Step-by-step deployment, first records to add, Tenable/Qualys/Rapid7 integration, GRC and cloud platform integration | ~6 min |
| Troubleshooting and operations | Troubleshooting tables, FAQ, related resources, and version history | ~5 min |
Pro tip: If you are deploying this schema for the first time, start with the Deployment and scanner integration page to get the schema running, then read the object type reference pages as you populate records. The Assets and vulnerability management page covers the two object types you will create first.