Organizations manage IT assets using processes referred to collectively as IT asset management (ITAM). ITAM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization.
ITAM processes should be implemented for all endpoints, servers, and networking equipment. ITAM processes enable organizations to understand their devices, and the best options to secure them. The practices described in this section may be used to support many of the practices described in other sections of this volume. Although it can be difficult to implement and sustain ITAM processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
Sub-Practices for Small Organizations
5.S.A | Inventory | NIST FRAMEWORK REF: ID.AM-1 |
A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet. The following information should be captured for each device:
- Asset ID (primary key)
- Host Name
- Purchase Order
- Operating System
- Media Access Control (MAC) Address
- IP Address
- Deployed to (User)
- User Last Logged On
- Purchase Date
- Cost
- Physical Location
Remember to include all devices owned by your organization, including workstations, laptops, servers, portable drives, mobile devices, tablets, and smart phones.
5.S.B | Procurement | NIST FRAMEWORK REF: ID.AM-6 |
Once you have established your ITAM spreadsheet, it is important to record each new IT asset as it is acquired. This requires establishing standard operating procedures for procurement.
Generally, it is advisable to assign the responsibility of collecting information on new assets to the purchaser within your organization.
5.S.C | Decommissioning | NIST FRAMEWORK REF: PR.IP-6, PR.DS-3 |
IT assets that are no longer functional or required should be decommissioned in accordance with your organization’s procedures. Small organizations often contract with an outside service provider specializing in secure destruction processes. Such providers can ensure that all data, especially sensitive data, are properly removed from a device before it is turned over to other parties.
Additionally, your standard operating procedures should ensure that you record the decommissioning of each device. If you use a service provider to decommission or destroy devices, record the certificate of destruction so there is never a question about what happened to the device.
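The inventory fields listed under 5.S.A and the decommissioning record required under 5.S.C are easy to keep in a spreadsheet but hard to keep accurate. The script below is an added example, not part of the original practice document: it reads a constructed CSV export of such a spreadsheet and reports the hygiene gaps a reviewer would look for (duplicate Asset IDs, blank required fields, malformed MAC or IP addresses, active devices nobody has logged on to recently, and decommissioned devices with no certificate of destruction on file). The Status, Decommission Date and Destruction Certificate columns are assumptions added here to track sub-practice 5.S.C; the sample rows are invented.

```python
"""Hygiene checks over an ITAM inventory spreadsheet exported as CSV.

Added example. Required columns follow the field list in sub-practice 5.S.A;
Status, Decommission Date and Destruction Certificate are assumed extra
columns for sub-practice 5.S.C. All rows below are constructed sample data.
"""
import csv
import io
import ipaddress
import re
from datetime import date, datetime

# Fields from 5.S.A that every row must carry.
REQUIRED = [
    "Asset ID", "Host Name", "Purchase Order", "Operating System",
    "MAC Address", "IP Address", "Deployed to", "User Last Logged On",
    "Purchase Date", "Cost", "Physical Location",
]
# Six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample export: one clean row and three rows with defects.
SAMPLE_CSV = """\
Asset ID,Host Name,Purchase Order,Operating System,MAC Address,IP Address,Deployed to,User Last Logged On,Purchase Date,Cost,Physical Location,Status,Decommission Date,Destruction Certificate
A-0001,ws-frontdesk,PO-1001,Windows 11,00:1A:2B:3C:4D:5E,10.0.0.21,jdoe,2024-05-02,2022-03-10,900,Front desk,Active,,
A-0002,lt-nurse1,PO-1002,Windows 10,00:1A:2B:3C:4D,10.0.0.300,asmith,2023-01-15,2019-06-01,1200,Exam room 2,Active,,
A-0002,srv-ehr,PO-1003,Ubuntu 22.04,00-1A-2B-3C-4D-60,10.0.0.5,,2024-05-01,2021-11-20,4000,Server closet,Active,,
A-0004,lt-old,PO-0900,Windows 7,00:1A:2B:3C:4D:61,10.0.0.40,retired,2020-02-01,2015-01-05,800,Storage,Decommissioned,2024-04-01,
"""


def _field(row, col):
    """Return a column value stripped of whitespace, or '' if absent."""
    return (row.get(col) or "").strip()


def check_inventory(csv_text, today=date(2024, 6, 1), stale_days=180):
    """Return a list of (asset_id, finding) tuples for the given CSV text."""
    findings = []
    seen_ids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        aid = _field(row, "Asset ID") or "<no id>"

        # Asset ID is the primary key, so a repeat means two devices share a record.
        if aid in seen_ids:
            findings.append((aid, "duplicate Asset ID"))
        seen_ids.add(aid)

        for col in REQUIRED:
            if not _field(row, col):
                findings.append((aid, f"missing {col}"))

        mac = _field(row, "MAC Address")
        if mac and not MAC_RE.match(mac):
            findings.append((aid, f"malformed MAC Address {mac!r}"))

        ip = _field(row, "IP Address")
        if ip:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                findings.append((aid, f"invalid IP Address {ip!r}"))

        status = _field(row, "Status")
        last_logon = _field(row, "User Last Logged On")
        # An active device nobody has used for a long time is either mislabelled
        # or unmanaged; either way the inventory no longer reflects reality.
        if status == "Active" and last_logon:
            try:
                age = (today - datetime.strptime(last_logon, "%Y-%m-%d").date()).days
            except ValueError:
                findings.append((aid, f"unparseable User Last Logged On {last_logon!r}"))
            else:
                if age > stale_days:
                    findings.append((aid, f"no logon in {age} days"))

        # 5.S.C: a decommissioned device must have its destruction certified.
        if status == "Decommissioned" and not _field(row, "Destruction Certificate"):
            findings.append((aid, "decommissioned without destruction certificate"))
    return findings


if __name__ == "__main__":
    for asset_id, message in check_inventory(SAMPLE_CSV):
        print(f"{asset_id}: {message}")
```

Run against a real export, `check_inventory(open("inventory.csv").read(), today=date.today())` gives the review list for the month; the thresholds and column names are the only parts that need adapting to a particular spreadsheet layout.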
Threats Mitigated
- Ransomware attack
- Loss or theft of equipment or data
- Insider data loss, whether accidental or intentional
- Attacks against connected medical devices that may affect patient safety