Description
Asset Management

Overview
Organizational assets should be appropriately protected; this covers asset ownership, inventory, data classification and acceptable use of assets. Assets include physical systems, removable media, software, information (such as databases or data files), services and people.

Guidelines
Effective Asset Management starts with a Data Classification policy and procedure that defines how sensitive information is classified, labeled, handled, retained and disposed of based on its sensitivity, criticality and business value. Examples of data classification levels, from least to most sensitive and valuable to the organization, include "Public", "Internal", "Confidential" and "Secret". The higher the level (e.g. Secret), the more stringent the security controls and attention required to protect the asset.

An Asset Management system should include the following requirements at minimum:
  • Assets should be clearly identified and documented in an inventory system (e.g. application directory, CMDB, etc.)
  • Assets should have a designated owner
  • Assets are appropriately classified
  • Acceptable use of assets should be defined and enforced

Organizations can choose a simplified model that rates assets by value to the organization (e.g. High, Medium, Low), driven by the data classification, to ensure appropriate controls are in place. For instance, sensitive applications that are customer facing or that store employee or customer Personally Identifiable Information (PII) can be categorized as "High risk" based on a data classification of "Confidential" (as defined in the Data Classification Policy). High risk applications should be documented in the Asset Management system and should require an extra level of security controls to protect the data, including but not limited to network segregation, sensitive system isolation, privileged access monitoring, and firewall and IDS controls.

The focus of the Asset Management system should be on data protection first, as described above. The system should also include a full inventory of the systems that host applications (e.g. servers, laptops, etc.) as well as critical network and telecom infrastructure. Vulnerability Management or Configuration Management systems can then scan for and detect vulnerabilities on the systems and devices that host critical applications and data. This reinforces the need to document application ownership: a finding can only be remediated if someone is accountable for the asset it was found on.
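The following is an added example, not code from the original page, showing how the pieces above fit together in practice: a CMDB export is checked against the minimum inventory requirements (owner, classification), each asset gets a High/Medium/Low tier derived from its data classification and exposure, and vulnerability-scanner findings are joined to the inventory so every finding lands in an owner's remediation queue. Hosts the scanner sees but the inventory does not know are surfaced separately, since an unowned, unclassified host is itself an asset-management failure. The asset records, finding IDs and severities are constructed for illustration, and the tier thresholds in `risk_tier` are an assumption of this example rather than a rule the page prescribes.

```python
"""Added example (not from the original page): reconcile a CMDB export with
vulnerability-scanner output. All asset and finding data is constructed."""
from dataclasses import dataclass
from typing import Optional

# Data classification levels, least to most sensitive (from the guideline text).
CLASSIFICATION_ORDER = ["Public", "Internal", "Confidential", "Secret"]


@dataclass
class Asset:
    name: str
    ip: str
    owner: Optional[str]            # required by the inventory guideline
    classification: Optional[str]   # required by the inventory guideline
    customer_facing: bool = False
    stores_pii: bool = False


def risk_tier(asset: Asset) -> str:
    """Simplified High/Medium/Low model derived from data classification and
    exposure. The thresholds here are an assumption of this example."""
    if asset.classification not in CLASSIFICATION_ORDER:
        return "Unrated"  # cannot rate an unclassified asset; inventory_gaps() reports it
    level = CLASSIFICATION_ORDER.index(asset.classification)
    # Confidential or above, or anything holding PII, is High regardless of exposure.
    if level >= CLASSIFICATION_ORDER.index("Confidential") or asset.stores_pii:
        return "High"
    # Internal data is Medium; customer-facing exposure raises it to High.
    if asset.classification == "Internal":
        return "High" if asset.customer_facing else "Medium"
    return "Low"


def inventory_gaps(assets):
    """(asset name, problem) pairs for records violating the minimum inventory
    requirements: a designated owner and a classification."""
    gaps = []
    for a in assets:
        if not a.owner:
            gaps.append((a.name, "no designated owner"))
        if a.classification not in CLASSIFICATION_ORDER:
            gaps.append((a.name, "not classified"))
    return gaps


def reconcile(assets, findings):
    """Join scanner findings to the inventory by IP.

    Returns (by_owner, unknown_hosts):
      by_owner      {owner: [(asset name, tier, finding id, severity), ...]};
                    "UNASSIGNED" collects findings on ownerless assets
      unknown_hosts IPs the scanner reported that the inventory does not know
    """
    by_ip = {a.ip: a for a in assets}
    by_owner, unknown_hosts = {}, set()
    for f in findings:
        asset = by_ip.get(f["host"])
        if asset is None:
            unknown_hosts.add(f["host"])
            continue
        by_owner.setdefault(asset.owner or "UNASSIGNED", []).append(
            (asset.name, risk_tier(asset), f["id"], f["severity"]))
    # Within each owner's queue: High-risk assets first, then by scanner severity,
    # so a medium-severity finding on a High asset outranks a critical one on a wiki.
    order = {"High": 0, "Medium": 1, "Low": 2, "Unrated": 3}
    for items in by_owner.values():
        items.sort(key=lambda r: (order[r[1]], -r[3]))
    return by_owner, sorted(unknown_hosts)


# Constructed CMDB export.
INVENTORY = [
    Asset("hr-portal", "10.0.1.10", "hr-apps", "Confidential", stores_pii=True),
    Asset("www-front", "10.0.2.20", "web-team", "Internal", customer_facing=True),
    Asset("wiki", "10.0.2.21", "web-team", "Internal"),
    Asset("build-srv-02", "10.0.4.40", None, "Public"),
    Asset("lab-box", "10.0.4.41", "lab", None),
]

# Constructed scanner output: host, finding id, numeric severity (0-10).
FINDINGS = [
    {"host": "10.0.1.10", "id": "F-1001", "severity": 9.8},
    {"host": "10.0.2.20", "id": "F-1002", "severity": 7.5},
    {"host": "10.0.2.21", "id": "F-1003", "severity": 9.1},
    {"host": "10.0.4.40", "id": "F-1004", "severity": 5.3},
    {"host": "10.0.3.77", "id": "F-1005", "severity": 8.8},  # not in the CMDB
]

if __name__ == "__main__":
    for name, problem in inventory_gaps(INVENTORY):
        print(f"INVENTORY GAP  {name}: {problem}")
    queues, unknown = reconcile(INVENTORY, FINDINGS)
    for owner, items in queues.items():
        for asset_name, tier, fid, sev in items:
            print(f"{owner:<11} {tier:<7} {asset_name:<13} {fid} sev={sev}")
    for host in unknown:
        print(f"UNKNOWN HOST   {host}: scanned but absent from inventory")
```

Run as-is: `web-team` gets `www-front` ahead of `wiki` despite the lower scanner severity, because the customer-facing asset carries the higher tier; `build-srv-02` lands in `UNASSIGNED`, and `10.0.3.77` is reported as a host nobody has inventoried, owned or classified. In a real deployment the two input lists would come from the CMDB and scanner exports, and the unknown-host list is usually the most useful output.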

Topic Category
Asset Management
News Articles
Joomla websites attacked en masse using recently patched exploits (www.computerworld.com, 10/31/2016)
A quarter of banks' data breaches are down to lost phones and laptops (www.theregister.co.uk, 8/25/2016)
FBI, DEA warn IPv6 could shield criminals from police (news.cnet.com, 6/15/2012)
Ex-Nokia Siemens engineer admits eBaying nicked routers (www.channelregister.co.uk, 5/28/2012)
White Papers
Draft - Technical requirements for continuous monitoring and cloud boundary defense (www.fbo.gov, 6/25/2012)
FY 2012 FISMA Reporting Metrics (www.dhs.gov, 2/14/2012)
Disposing of Consumer Report Information? New Rule Tells How (business.ftc.gov, 6/1/2005)
Policies
Asset Management Policy
Information Classification Policy
Standards
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (FIPS, 2/1/2004)
NIST Guide for Mapping Types of Information and Information Systems to Security Categories (NIST, 8/1/2008)
NIST Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (NIST, 8/1/2008)
NIST SP 800-88 Revision 1 Guidelines for Media Sanitization (NIST, 12/18/2014)