It is a commonly known and accepted maxim in today’s world that you can’t manage what you can’t measure. While this applies in several different ways in our lives, it is especially true as it relates to digital asset management within any organization. If you’re not carefully monitoring your assets in your organization, then you’re not really managing them effectively, right?
Asset management refers to a systematic approach to governing the assets an organization is responsible for and realizing value from them over their entire life cycle. In essence, asset management is the process of developing (or acquiring), operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner, taking into account all costs, risks, capacity, and performance attributes.
Digital assets can exist in any number of environments or domains. Your business certainly has data analytics assets, it likely has assets stored with cloud providers, and in many cases it stores assets in the data center.
Best Practices for Asset Management
To help you implement and maintain a strong asset management strategy and program for your organization, consider the following tips. As you do so, coordinate with the C-suite, all staff and IT management. They will help you achieve greater visibility into your organization’s assets and ultimately help you in managing them throughout their lifecycle.
Conduct an asset inventory
Asset inventories are necessary to ensure organizations know what assets are being used within their environment, as well as identify who is responsible for managing the identified assets. Assets cannot be protected from existing or emerging threats if the personnel responsible for their protection are not aware that the assets exist within the environment.
Asset inventories are also an important tool to help organizations track capital investments while reducing the likelihood of hardware theft going unrecognized. Your organization should ensure that all information assets are clearly identified, documented, and maintained in an asset inventory. The inventory should be reviewed at least annually, and appropriate updates should be made during each review.
Define the acceptable use of assets
If you do not document and communicate acceptable use requirements, and have personnel agree to them, personnel have no defined limits on what actions they may perform or how they perform them. Accountability for the improper use of systems or information is difficult to enforce if usage limitations or behavioral restrictions have not been provided and acknowledged.
Acceptable use requirements for information systems should be identified, documented, and implemented to deter personnel from using your organization’s information assets for unauthorized purposes. Your organization’s acceptable use requirements should address restrictions on the use of social media, networking sites, posting information on commercial websites, and sharing information system account information.
Determine the classification, labeling, and handling of assets
Information assets should be classified appropriately to ensure they are handled securely. Organizations may not have the appropriate security controls in place for sensitive assets if classification levels are not defined. The process of classifying assets, along with defining associated security requirements, helps reduce the likelihood of sensitive information being provided to, or viewed by, unauthorized parties.
Information assets should be classified in terms of business value, legal requirements, sensitivity, and criticality to the organization. A classification schema should be established that differentiates between the various levels of sensitivity and value of information assets, or groups of information assets.
Implement media handling and protection
Media handling controls should be enforced to protect organizations from the risks associated with the loss of confidentiality, integrity, or availability of media. Access to and use of media should be restricted to only authorized personnel.
Your organization should ensure that controls for the management of removable media, including on laptops, are enforced. This should include restrictions on the types of media that are permitted to be used, along with acceptable use requirements.
Media that contains sensitive or protected information should be securely stored at all times and should be encrypted in accordance with internal security controls and regulatory requirements until the media are destroyed or sanitized. Media should be physically controlled and securely stored within organization-controlled areas.
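The inventory, classification, and media-handling practices above reduce to rules that can be checked mechanically. The following added Python example, which is not from the article, audits a constructed sample inventory for missing owners, undefined classification levels, overdue annual reviews, and sensitive data held on unencrypted removable media; the record field names and the four classification levels are assumptions, since the article only requires that a schema distinguish levels of sensitivity and value.

```python
from datetime import date, timedelta

# Assumed classification schema; the article does not name specific levels.
CLASSIFICATION_LEVELS = ("public", "internal", "confidential", "restricted")
SENSITIVE_LEVELS = ("confidential", "restricted")
REVIEW_INTERVAL = timedelta(days=365)  # "reviewed at least annually"

# Constructed sample inventory; field names are an assumption, not a standard.
SAMPLE_INVENTORY = [
    {"id": "DB-001", "owner": "data-platform", "classification": "restricted",
     "last_reviewed": "2024-01-10", "removable_media": False, "encrypted": True},
    {"id": "USB-017", "owner": "", "classification": "confidential",
     "last_reviewed": "2024-03-01", "removable_media": True, "encrypted": False},
    {"id": "WEB-004", "owner": "marketing", "classification": "",
     "last_reviewed": "2022-06-15", "removable_media": False, "encrypted": False},
]


def audit_inventory(inventory, today_iso):
    """Return (asset id, finding) pairs for records that break the practices."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        aid = asset["id"]
        # Every asset needs someone accountable for protecting it.
        if not asset.get("owner"):
            findings.append((aid, "no responsible owner"))
        # Classification must be one of the defined schema levels.
        level = asset.get("classification")
        if level not in CLASSIFICATION_LEVELS:
            findings.append((aid, "missing or unknown classification"))
        # Inventory entries must be reviewed at least annually.
        reviewed = date.fromisoformat(asset["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((aid, "review overdue"))
        # Sensitive data on removable media must be encrypted.
        if (level in SENSITIVE_LEVELS and asset.get("removable_media")
                and not asset.get("encrypted")):
            findings.append((aid, "sensitive data on unencrypted removable media"))
    return findings


if __name__ == "__main__":
    for aid, finding in audit_inventory(SAMPLE_INVENTORY, "2024-09-01"):
        print(f"{aid}: {finding}")
```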
Ensure the secure disposal and re-use of assets
Organizations must ensure that the process for the disposal or re-use of equipment is strictly controlled. The improper disposal or re-use of any information system, system component, or storage device could potentially impact the confidentiality of data by inadvertently making it available to unauthorized audiences. This could easily result in a reportable security incident or data breach.
All media should be disposed of safely and securely when they are no longer needed. This should be performed using formally documented procedures to ensure that any protected or otherwise sensitive data has been completely removed or securely overwritten prior to disposal. Information systems or other devices that contain sensitive or protected information should be physically destroyed, or the information must be destroyed, deleted, or overwritten using techniques that make the original information non-retrievable.
It really does not take much for your organization to ensure that a comprehensive asset management program is developed and implemented consistently across the organization. Organizations that do not have an effective program in place could potentially overlook a pivotal security function or leave assets unprotected or unaccounted for. By developing an asset management strategy as part of your overall Security Program, supported by all organizational stakeholders, organizations can avoid key asset management pitfalls for effective overall security.
About the Author:
Bryon Miller is co-founder and CISO at ASCENT Portal