Asset Management (ASM)
Asset management has historically been seen as an essential element of an organization’s security and risk management program. Modern organizations, with the advent of information technology, rely increasingly on information assets of enormous variety. An organization builds a central infrastructure that deploys high-end computing systems, interconnects its resources with network routers and switches, installs application infrastructure to execute business transactions, distributes endpoints to users for business purposes, extends its connections to partners and suppliers, stores its data on storage systems, and secures the infrastructure with a variety of security devices and solutions.
The diversity and complexity of information assets are on the rise, and so is their usage. An organization typically deploys numerous such assets, which makes securing them more challenging because the security function has to cater to both the number and the complexity of the assets. Each type of asset has its own inherent security characteristics and different security implications once it is connected to a network. Security management should take note of each asset that is procured, acquired, implemented and connected to the network. Over its operational life cycle an asset serves many objectives as it is used for different purposes, and each purpose, and the asset’s contribution to it, changes the asset’s security behaviour.
- Evaluate how an organization creates visibility over its information assets: on-boarding of an asset, updating the asset registry, tracking assets and managing information about the assets
- Evaluate the procurement process of an organization to identify how security principles are integrated in the process
- Evaluate the security posture of an asset
- Evaluate the process of accountability for asset access and usage:
  - how asset ownership is managed
  - how accountability towards the asset is ensured
  - how access to the asset is regulated
  - how information about access to, and usage of, the asset is maintained
- Identify how IT asset management is integrated with other IT and security processes
- Evaluate how licensing of an asset is managed
- Evaluate how the warranty and maintenance support of an asset is managed
- Identify how security classification of the assets is performed
- Identify how asset labelling is managed, and how asset classification is enforced across all operating units
- Identify how the classification of an asset is maintained throughout its operational life cycle in the organization
- Identify and map the protection level prescribed for each security level of the assets, and evaluate how that protection level is enforced for each security level
- Identify how security issues associated with an asset are managed in the life cycle
- Identify the coverage of the IT asset management: asset type, business units and functions, etc.
- Build a strategic plan for IT asset management that ensures security, drawing on the contemporary practices and solutions evolving in the market
- Ensure that there exists a mechanism for comprehensive and dynamic visibility over the information assets of an organization
- Ensure that the asset on-boarding process, including the procurement process, is revitalized to incorporate security principles. This can be achieved by:
  - assessing the impact of an asset on the security posture of an organization
  - identifying and defining the security requirements for an asset under procurement
  - testing the security strength of the asset under procurement
  - acceptance testing that incorporates security elements
  - standards and guidelines for secure implementation of an asset
- Ensure that security has been given a due consideration in the contracts with the vendors and suppliers
- Ensure that a process for asset classification is established and followed across the operating units of an organization. The parameters should include:
  - business criticality of an asset
  - strategic importance of an asset
  - positioning of the asset in an organization’s ecosystem
  - value of an asset
  - likely impact of security threats
- Ensure that the asset classification is applied to each type of information asset. This keeps security visible throughout the life cycle of an asset.
- Ensure that a process for asset labelling is established. Ensure that all assets are labelled.
- Ensure that for each level of asset classification a security level is defined.
- Ensure that a process for assigning asset ownership is established.
- Ensure that security is managed in the life cycle of an asset. The contextual information of security of an asset plays an important role in its life cycle.
- Ensure that there exists a mechanism for licensing compliance of an asset.
- Ensure that the asset management processes are integrated with the organization’s security and IT processes. The processes that depend on asset management are:
  - security monitoring and incident management
  - identity and access management
  - threat and vulnerability management
  - data security
  - change management
  - capacity and availability management
  - secure content management
  - business continuity and disaster management
  - governance, risk and compliance
- Ensure that there exist guidelines for security configuration and hardening for each type of an asset
- Ensure that there exists a mechanism which assures the application of security updates and patches to close the issues or weaknesses that appear during the operational life cycle of an asset
- Ensure that any change to an asset’s characteristics, configuration or usage goes through the change management process
- Ensure that there exists a mechanism to manage the warranty and support of an asset. The maintenance support should cover the security requirements that may arise during the operational life cycle of the asset
- Ensure that the coverage of asset management is extended to all information assets that an organization owns, manages and uses, including:
  - mobile assets
  - wireless assets
  - assets owned or managed by vendors or suppliers
  - assets created by virtualization
  - tangible and intangible information assets
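As an added illustration, not part of the DSCI framework text, the following constructed Python check classifies an asset from the five classification parameters listed above, maps each classification to a prescribed protection level, and reports registry entries whose ownership, label or controls fall short. The 1..3 scoring scale, the rule that the highest-scoring parameter sets the level, and the per-level control sets are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed model: the five parameters are those named in the text; the 1..3 scoring
# scale, the "highest factor wins" rule and the per-level control sets are assumptions.
LEVELS = ("LOW", "MEDIUM", "HIGH")
REQUIRED_CONTROLS = {  # protection level prescribed for each security level
    "LOW": {"registered", "patch_management"},
    "MEDIUM": {"registered", "patch_management", "hardening_baseline"},
    "HIGH": {"registered", "patch_management", "hardening_baseline",
             "encryption", "security_monitoring"},
}

@dataclass
class Asset:
    asset_id: str
    owner: Optional[str]
    business_criticality: int    # each parameter scored 1 (low) .. 3 (high)
    strategic_importance: int
    ecosystem_positioning: int
    value: int
    threat_impact: int
    label: Optional[str] = None  # classification label attached to the asset
    controls: set = field(default_factory=set)

def classify(a: Asset) -> str:
    # One high-scoring parameter is enough to raise the level; averaging would dilute it.
    scores = (a.business_criticality, a.strategic_importance,
              a.ecosystem_positioning, a.value, a.threat_impact)
    if not all(1 <= s <= 3 for s in scores):
        raise ValueError(f"{a.asset_id}: parameter scores must be 1..3")
    return LEVELS[max(scores) - 1]

def findings(a: Asset) -> list:
    level, out = classify(a), []
    if a.owner is None:
        out.append("no owner assigned")
    if a.label != level:
        out.append(f"label {a.label!r} does not match classification {level}")
    for ctrl in sorted(REQUIRED_CONTROLS[level] - a.controls):
        out.append(f"missing control for {level}: {ctrl}")
    return out

def registry_report(assets: list) -> dict:
    return {a.asset_id: findings(a) for a in assets}

SAMPLE = [  # constructed sample registry entries
    Asset("srv-001", "finance-it", 3, 2, 2, 3, 3, label="HIGH", controls={
        "registered", "patch_management", "hardening_baseline", "security_monitoring"}),
    Asset("lap-042", None, 1, 1, 2, 1, 2, label="LOW", controls={"registered", "patch_management"}),
]
```

Running `registry_report(SAMPLE)` returns one finding list per asset; an empty list means the asset meets the protection level its classification prescribes.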
- Comprehensiveness and dynamism of the visibility over an organization’s assets reflect the ability of the central security function to hold complete and current information on the assets in use
- Ability to track asset on-boarding, provisioning, de-provisioning and decommissioning reflects how effectively an organization can discover, identify and update its registry of assets
- Coverage and extent of the asset management program reflect an organization’s ability to extend the program to all assets and asset types
- Incorporation of security in the life cycle of an asset reflects how effectively security is integrated in the procurement, implementation, operations, maintenance and de-boarding of an asset
- Enforceability of asset management policies reflects an organization’s ability to enforce the policies for asset classification and asset management across all operating units
- Integration of the asset management processes with the security and IT processes reflects how well the asset management processes collaborate, interface and support the security and IT processes
DSCI Security Framework