
Know what you have, where it is and who is in charge of it

Asset management creates the foundation on which to build all of your other security features

In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.


Asset management doesn’t mean making lists or databases that are never used; it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it. Security experts often refer to asset management as a fundamental cyber hygiene practice that can help an organisation meet all of the Cyber Essentials five controls. Many major security incidents are caused by organisations having assets which are still connected to the network when that organisation is not aware the asset is still active. Effective asset management will help track and control devices as they're introduced into your business.

The NCSC has comprehensive guidance for organisations on asset management.


What is an asset?


An asset is a resource or an item of property that is owned or controlled by a company and adds value. Business assets can include technology (computers, printers, network devices), hardware, software, data and information. They can also include vehicles, people and infrastructure (offices, electricity, air conditioning).

Within the context of Cyber Essentials, we will focus on information assets. These can be defined as: any processed and unprocessed data and the equipment that is used to store, process, or transmit it, that has value and impact to a business, its stakeholders, its supply chain, or other interested parties. Physical information assets can include laptops, servers, or removable media. Intangible information assets can include employee information, customer contact and financial information, and backups. Information assets also include hardware and software, as well as third parties such as MSPs and cloud service providers.

Once an organisation has identified its assets, they can then be factored and controlled when identifying risks, threats and vulnerabilities.

What is an asset register?

An asset register is essentially a document or series of documents that list and describe everything that has value to your company. It also nominates someone to be responsible for protecting the confidentiality, integrity and availability of each item. Despite being time consuming, the activity of making an asset inventory serves as a crucial foundation for implementing information and cyber security controls. How can you protect something that you don't know about?

Making and maintaining an asset register is considered a security best practice and is a practical first step that will assist with other important requirements. A comprehensive asset register is usually an important component of your insurance policy and, as your organisation grows in its cyber security journey, it will inform your risk assessment as well as your incident response plan.

Most business operations depend on some aspect of asset management. This includes IT operations, financial accounting, managing software licences, procurement and logistics. While they may not all need the same information, there will be some overlap and dependencies between the respective requirements. The security aspect should not be considered in isolation or as the primary consumer of asset information, so integrating and coordinating asset management across your organisation will help reduce or manage any conflicts between these functions.

Ensure all assets are accounted for by the asset management process. This should include physical, virtual and cloud resources, along with your organisation’s internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates. This helps avoid any assets not being configured with the appropriate security controls and is required for compliance and vulnerability scanning (for those certifying to Cyber Essentials Plus).

Documenting all your assets helps you understand the relative value of your information assets to your business and the impact if they were lost, stolen, or damaged. Once you have identified which assets are most important (valuable) to your business, you can apply adequate protection and the appropriate security budget to them throughout their life cycle. In the case of an incident, asset value will help you prioritise which assets to recover first. The most severe information and cyber security incidents may be those that impact assets which are critical to business operations.

Label your stuff

An asset register should contain some key fields to make the tracking and identification of assets easier. Consider developing a system of unique IDs for each item in the inventory which can save confusion about overlapping technologies or identical multiple items. Asset tags can allow you to label physical devices.


  • A category name that groups similar asset types

  • Details of location (be aware of any assets that are moved around)

Know where it is

Are your assets on a local computer, 'cloud' storage, on social media, a member of staff's computer, a USB stick, a database, or in a filing cabinet? Are they located at home, the main office, or in a storage unit?
If the asset is fixed, record the location. If the asset is mobile, record who uses it on a day-to-day basis and where it is typically used; mobile assets may be governed more by ownership than location. It may also be possible to track portable assets through the use of mobile device management (MDM) software.

  • An asset importance rating: The relative value and impact of losing the asset can be recorded using protective marking schemes. Common systems to record this include: [high, medium, low], [public, confidential, secret], or [red, amber, green].

  • An asset owner: Having a named owner for each asset ensures that someone is accountable for the activities required to keep it secure. Information asset owners will set the rules around data assets, such as classification, who can access them, and retention periods.

  • Managing legacy: All software and hardware eventually becomes out of date. Continuing to use products beyond that point involves increased risk, or increased costs to mitigate those risks. Asset management can help organisations identify when systems will reach end of support and plan ahead. Our Obsolete products guidance can help further with managing legacy assets.

  • Identity and access management: Being able to identify users and devices is necessary in order to implement an effective identity and access management system. Asset management can help ensure all users and devices have unique identities, and can also help identify resources that need access controls applied. See our Introduction to identity and access management for more detail.

The use of Bring Your Own Device (BYOD)


If your organisation's security policies allow staff to use personal devices, such as mobile phones, for business purposes, your asset register must include them. Any personal devices must be approved before use.


Comprehensive visibility. Identify how your organisation will use asset information and ensure sufficient details about your assets are collected to support these use cases. For example, knowing versions for all the software installed on your machines helps identify a much wider range of vulnerabilities than just knowing the operating system version. Where certain details may be difficult or costly to capture, consider whether these could be captured less frequently or retrospectively, alongside other mitigations such as network separation. This helps ensure that asset data can be used effectively and does not become unusable as a result of gaps in collection.

Removal of assets


Assets removed from your business estate must be removed from the asset register and disposed of securely.

Review your asset register


Once you have created your asset register, you need to review it regularly and keep the information up to date. When you buy new equipment, be sure to log it in the asset register, and when you move something or discard it, update your list. Your asset list is only as valuable as the care and detail you put into accounting for and documenting each asset. It is worth being meticulous, as an asset register gives you the visibility and awareness needed for many of your other practices and requirements.
IASME can provide an asset register template that can be adapted for most organisations.
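As an added example (not part of the Cyber Essentials guidance or IASME's template), the Python sketch below models the register fields listed under "Label your stuff" and runs the checks this page describes over a register: unique IDs, a named owner, a valid importance rating, BYOD approval before use, software past end of support, and overdue reviews. The field names, the 90-day review interval, the sample records and the review date are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date

RATINGS = {"high", "medium", "low"}  # one of the rating schemes the page lists (assumed)

@dataclass
class Asset:
    asset_id: str             # unique ID / asset tag
    category: str             # groups similar asset types
    owner: str                # named person accountable for the asset
    location: str             # fixed location, or day-to-day user for a mobile asset
    rating: str               # importance rating
    personal_device: bool = False  # BYOD device
    approved: bool = False         # BYOD approval recorded before use
    software: dict = field(default_factory=dict)  # name -> end-of-support date
    last_reviewed: date = date.min

def check_register(assets, today, review_days=90):
    findings, seen = [], set()  # findings are (asset_id, issue) pairs
    for a in assets:
        if a.asset_id in seen:
            findings.append((a.asset_id, "duplicate asset ID"))
        seen.add(a.asset_id)
        if not a.owner:
            findings.append((a.asset_id, "no named owner"))
        if a.rating not in RATINGS:
            findings.append((a.asset_id, f"invalid rating '{a.rating}'"))
        if a.personal_device and not a.approved:
            findings.append((a.asset_id, "BYOD device not approved"))
        for name, end_of_support in a.software.items():
            if end_of_support <= today:
                findings.append((a.asset_id, f"{name} is out of support"))
        if (today - a.last_reviewed).days > review_days:
            findings.append((a.asset_id, "review overdue"))
    return findings

# Constructed sample register; IDs, names and dates are made up for illustration.
SAMPLE = [
    Asset("LAP-0001", "laptop", "A. Owner", "used by A. Owner, mostly at home", "high",
          software={"os": date(2027, 1, 1)}, last_reviewed=date(2024, 5, 1)),
    Asset("PHN-0002", "phone", "B. Owner", "used by B. Owner", "medium",
          personal_device=True, last_reviewed=date(2024, 5, 1)),
    Asset("SRV-0003", "server", "", "main office, rack 2", "critical",
          software={"db": date(2023, 12, 31)}, last_reviewed=date(2023, 11, 1)),
    Asset("SRV-0003", "server", "C. Owner", "main office", "low", last_reviewed=date(2024, 5, 1)),
]

def sample_findings():
    return check_register(SAMPLE, date(2024, 6, 1))  # constructed review date
```

Running `sample_findings()` reports the unapproved personal phone, the server record with no owner, an unrecognised rating, out-of-support software and an overdue review, and the duplicated server ID; the well-maintained laptop produces no findings.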