CHAPTER 9: ASSET MANAGEMENT

Effective cyber security starts with protecting your IT and information assets – and remember: any information valuable to your organisation is, by definition, an information asset. The first step is to determine exactly what assets you have. Compiling and maintaining an asset inventory is a good way of achieving that.

This type of inventory helps other security activities too, like making it easier and quicker to conduct risk assessments, and making their results more reliable. There are also non-security benefits: you can better plan finances and identify areas where costs can be saved if, for example, you have some idea how often assets like computers need to be replaced, or can estimate the attrition rate on losing portable devices or removable media. Furthermore, because you have a clear overview of all your assets, you can better optimise how you use them, further reducing costs and improving operational efficiency.

Creating an asset inventory

The way an asset inventory is presented and stored can vary significantly depending on the organisation’s size and complexity, as well as the activities it intends to use the inventory for. You could use a spreadsheet, a database or software that tracks assets and/or classes of asset. Each entry should also specify certain characteristics, such as classification and location, and needs to identify an owner – the person responsible for managing the asset.

Note that you are not necessarily tracking every individual item, or your inventory could quickly become hard to manage. Even entries like ‘Desktop computer – Windows’, ‘Desktop computer – Mac’, ‘Mobile phone – Android’ and ‘Mobile phone – iOS’ can be sufficient. There is no ‘right’ approach; just choose one suitable for your organisation’s needs and apply it consistently.

Locating assets

Remember that you are not simply documenting IT assets: you are focusing on information security. This means recording assets that extend far beyond hardware, software, networks and systems: it means recording information and information systems. That information may reside in both physical and digital locations. Some information may even exclusively reside in certain employees’ heads.

To cover all digital locations, make sure you track down any forgotten servers or databases, as well as information and other assets stored in the Cloud. You may also find it valuable to record assets such as organisational sites or structure, important processes and personnel. To cover all physical and intangible information, talk to people from different departments.

Considering points like these will help you establish the boundaries of what your organisation considers an asset.

Characteristics to log

Besides identifying the actual asset and logging it in your inventory, you will also need to record some additional details about that asset, such as:

1. Asset owner

As soon as an asset is created or obtained, management should appoint someone to be responsible for managing that asset across its life cycle, including ensuring that it is properly inventoried, appropriately classified and protected, and deleted or destroyed in line with company procedure. That owner can delegate tasks as appropriate, but remains responsible for that asset.

2. Classification

This reflects the sensitivity or importance of the information. A classification system such as ‘confidential’, ‘restricted’, ‘private’ and ‘public’ is ideal, so long as those terms are clearly defined and are used consistently.

3. Asset identifier

Some sort of unique identifier to make sure you identify each asset – especially devices – individually and avoid duplication. This could be as simple as the manufacturer’s serial number.

4. Asset category

For example, ‘hardware’, ‘software’ or ‘portable device’.

5. Valuation

Valuation estimates can be a valuable aid for risk assessment. Clearly defined scales are ideal, which can be based on monetary values such as >£1,000, £1,000–£10,000, and so on, or abstract bands such as ‘low’, ‘medium’ and ‘high’ where the asset has a non-monetary value. Again, consistent use is vital, as are unambiguously defined terms.

You may also want to add further details, such as type, version number, operator, location, expiry or replacement dates, links to operating instructions, and so on. If you conduct asset-based risk assessments, you may even want to record risks to the asset in your inventory.

Exactly what information you should record will depend on your needs and what else you use your inventory for, but the asset owner is an absolute minimum. You should also make sure you at least include the information you need to categorise your assets to help inform risk assessments and sensibly prioritise security resources.
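The following Python script is an added illustration, not part of the book: a minimal asset inventory that enforces the conventions described above. Every record must name an owner, identifiers must be unique, and the classification, category and valuation fields are restricted to a fixed, consistently applied vocabulary. The vocabulary, the field names and the sample records are all assumptions constructed for the example; a real inventory would use the organisation's own defined terms. The prioritised() method orders assets by classification and valuation so the most sensitive and valuable items come first, which is the kind of output used to focus risk assessment and security resources.

```python
from dataclasses import dataclass
from typing import Optional

# Controlled vocabularies (assumed example values). The chapter stresses that
# classification and valuation terms must be defined once and used
# consistently, so the inventory rejects any value outside these tuples.
# Order matters: later entries are more sensitive / more valuable.
CLASSIFICATIONS = ("public", "private", "restricted", "confidential")
CATEGORIES = ("hardware", "software", "portable device",
              "information", "service", "personnel")
VALUATION_BANDS = ("low", "medium", "high")


@dataclass(frozen=True)
class Asset:
    identifier: str            # unique: a serial number or a class label
    name: str
    owner: str                 # accountable person; the absolute minimum field
    classification: str
    category: str
    valuation: str             # abstract band; a monetary scale works the same way
    location: Optional[str] = None


def validate_asset(asset: Asset) -> list[str]:
    """Return the list of problems with a record; empty means acceptable."""
    problems = []
    if not asset.identifier.strip():
        problems.append("missing identifier")
    if not asset.owner.strip():
        problems.append("missing owner")
    if asset.classification not in CLASSIFICATIONS:
        problems.append(f"unknown classification {asset.classification!r}")
    if asset.category not in CATEGORIES:
        problems.append(f"unknown category {asset.category!r}")
    if asset.valuation not in VALUATION_BANDS:
        problems.append(f"unknown valuation band {asset.valuation!r}")
    return problems


class Inventory:
    def __init__(self) -> None:
        self._assets: dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        """Accept a record only if it is complete, consistent and not a duplicate."""
        problems = validate_asset(asset)
        if asset.identifier in self._assets:
            problems.append(f"duplicate identifier {asset.identifier!r}")
        if problems:
            raise ValueError("; ".join(problems))
        self._assets[asset.identifier] = asset

    def __len__(self) -> int:
        return len(self._assets)

    def by_owner(self, owner: str) -> list[Asset]:
        return [a for a in self._assets.values() if a.owner == owner]

    def prioritised(self) -> list[Asset]:
        """Most sensitive, then most valuable, assets first; identifier breaks ties."""
        return sorted(
            self._assets.values(),
            key=lambda a: (-CLASSIFICATIONS.index(a.classification),
                           -VALUATION_BANDS.index(a.valuation),
                           a.identifier),
        )


def build_sample_inventory() -> Inventory:
    """Constructed sample records in the class-of-asset style the chapter suggests."""
    inv = Inventory()
    inv.add(Asset("HW-DESKTOP-WIN", "Desktop computer - Windows", "IT Manager",
                  "private", "hardware", "medium", "Head office"))
    inv.add(Asset("MOB-IOS", "Mobile phone - iOS", "IT Manager",
                  "restricted", "portable device", "medium"))
    inv.add(Asset("INF-PAYROLL", "Payroll database", "HR Director",
                  "confidential", "information", "high", "Cloud (hosted database)"))
    inv.add(Asset("INF-WEBSITE", "Public website content", "Marketing Lead",
                  "public", "information", "low"))
    return inv


if __name__ == "__main__":
    for a in build_sample_inventory().prioritised():
        print(f"{a.identifier:16} {a.classification:13} {a.valuation:7} owner={a.owner}")
```

Running the script prints the sample inventory with the confidential, high-value payroll database at the top and the public website content at the bottom. Because add() raises on a missing owner, an undefined classification term or a repeated identifier, the inventory cannot silently drift away from the conventions the organisation chose.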
