Cybersecurity Practice #5: Asset Management (small)

Modified on Wed, 14 Jun, 2023 at 12:51 PM

Organizations manage IT assets using processes referred to collectively as IT asset management (ITAM). ITAM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization.


ITAM processes should be implemented for all endpoints, servers, and networking equipment. ITAM processes enable organizations to understand their devices, and the best options to secure them. The practices described in this section may be used to support many of the practices described in other sections of this volume. Although it can be difficult to implement and sustain ITAM processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.


Sub-Practices for Small Organizations

5.S.A Inventory
NIST FRAMEWORK REF: ID.AM-1

A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet. The following information should be captured for each device:

  • Asset ID (primary key)
  • Host Name
  • Purchase Order
  • Operating System
  • Media Access Control (MAC) Address
  • IP Address
  • Deployed to (User)
  • User Last Logged On
  • Purchase Date
  • Cost
  • Physical Location


Remember to include all devices owned by your organization, including workstations, laptops, servers, portable drives, mobile devices, tablets, and smart phones.
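As an added example (not part of this article), the following Python script runs basic hygiene checks over a CSV export of the inventory spreadsheet described above: it treats Asset ID as the primary key, validates MAC and IP formats, flags blank cells, and flags devices with no recorded logon in 90 days so they can be confirmed as still deployed. The column names follow the list above; the rows and the report date are constructed sample data.

```python
import csv
import io
import re
from datetime import date

# Column names follow the inventory fields listed in the article; rows below are constructed.
FIELDS = ["Asset ID", "Host Name", "Purchase Order", "Operating System", "MAC Address",
          "IP Address", "Deployed to (User)", "User Last Logged On", "Purchase Date",
          "Cost", "Physical Location"]
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

SAMPLE_CSV = """\
Asset ID,Host Name,Purchase Order,Operating System,MAC Address,IP Address,Deployed to (User),User Last Logged On,Purchase Date,Cost,Physical Location
A-0001,WS-RECEPTION,PO-1001,Windows 11,00:1A:2B:3C:4D:5E,10.0.1.10,jdoe,2023-06-01,2022-01-15,1200,Front desk
A-0002,LT-DRCHEN,PO-1002,macOS 13,00:1A:2B:3C:4D:5F,10.0.1.11,cchen,2022-11-02,2021-09-30,2100,Exam room 2
A-0002,SRV-EHR,PO-1003,Windows Server 2022,00:1A:2B:3C:4D:60,10.0.2.5,,2023-06-10,2020-03-12,5400,Server closet
A-0004,TAB-INTAKE,PO-1004,iPadOS 16,not-a-mac,10.0.1.300,intake,2023-05-28,2023-02-01,600,Waiting room
"""

def valid_ip(text):
    m = IP_RE.match(text)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())

def check_inventory(csv_text, today, stale_days=90):
    """Return a list of (asset_id, problem) findings for one spreadsheet export."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = lambda f: (row.get(f) or "").strip()  # missing cell reads as blank
        aid = g("Asset ID")
        for field in FIELDS:  # every template column should be filled in
            if not g(field):
                findings.append((aid, f"blank field: {field}"))
        if aid in seen:  # Asset ID is the primary key; a duplicate means two records collide
            findings.append((aid, "duplicate Asset ID"))
        seen.add(aid)
        if not MAC_RE.match(g("MAC Address")):
            findings.append((aid, "malformed MAC Address"))
        if not valid_ip(g("IP Address")):
            findings.append((aid, "malformed IP Address"))
        try:
            last = date.fromisoformat(g("User Last Logged On"))
            if (today - last).days > stale_days:
                findings.append((aid, f"no logon in {stale_days} days; verify device still in use"))
        except ValueError:
            findings.append((aid, "unparseable User Last Logged On"))
    return findings

def check_sample():
    # Constructed report date, chosen to match the article's modification date.
    return check_inventory(SAMPLE_CSV, date(2023, 6, 14))

if __name__ == "__main__":
    for aid, problem in check_sample():
        print(aid, problem)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; each finding is a row that needs a human to correct the spreadsheet or confirm the device's status.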

5.S.B Procurement
NIST FRAMEWORK REF: ID.AM-6
Once you have established your ITAM spreadsheet, it is important to record each new IT asset as it is acquired. This requires establishing standard operating procedures for procurement.

Generally, it is advisable to assign the responsibility of collecting information on new assets to the purchaser within your organization.

5.S.C Decommissioning
NIST FRAMEWORK REF: PR.IP-6, PR.DS-3

IT assets that are no longer functional or required should be decommissioned in accordance with your organization’s procedures. Small organizations often contract with an outside service provider specializing in secure destruction processes. Such providers can ensure that all data, especially sensitive data, are properly removed from a device before it is turned over to other parties.


Additionally, your standard operating procedures should ensure that you record the decommissioning of each device. If you use a service provider to decommission or destroy devices, record the certification of destruction so there is never a question about what happened to the device.


Threats Mitigated

  1. Ransomware attack
  2. Loss or theft of equipment or data
  3. Insider, accidental or intentional data loss
  4. Attacks against connected medical devices that may affect patient safety
