Not enough emphasis is given to IT asset management. This is one of the first things an organization needs to get under control before they can really implement any security program. Yet few people do it well, if at all. How can you possibly protect an environment if you don’t know what assets make up that environment?
Let's quickly define what I mean by "IT asset." An asset can be any computer, server, network device, application, database, archive of uncompiled code, or anything else that has monetary or perceived value to the business. It's easy to justify why a piece of hardware or software is an asset, as there is a direct cost involved with procurement, management, and maintenance. You also depreciate your hardware investments in your accounting books, so even those with the checkbooks are acutely aware of hardware costs and value. The not-so-obvious items are web applications and databases. Some disagree that a database is an "asset," but what if that database contains your entire customer list? Isn't that important to the business? Essentially, if your IT department spends time working on, fixing, installing, or maintaining it as part of their day-to-day duties, it's probably an asset.
There are some very basic questions you should be able to answer with a high level of precision about your assets and, if you can’t, IT assets aren’t being managed properly in your organization.
Here are a few examples:
How many physical servers do you have?
How many laptops does the business own?
When were assets purchased?
How many servers are physical vs. virtual?
What operating systems are your systems running (and what are their patch levels)?
What MAC addresses are assigned to each system?
Who owns each server? How do you get ahold of them? Who is the second point of contact if they’re not available?
How many web applications do you have?
How many licenses of Microsoft Office do you have?
What is your total annual maintenance commitment for software?
What is the circuit ID of your main Internet connection and what is the best number to call in case of an outage? (You don’t want to have to look through years of bills to try and identify this when your business is down.)
You should be able to answer all of those questions pretty quickly by looking at an IT asset management database. You don’t have to spend millions on the shiniest box with the prettiest light array. You can do an adequate job with a spreadsheet, SharePoint, and/or a home-grown application.
Here are some items you may find useful to track:
Asset type: circuit, server, desktop, laptop, router, switch, web application, standalone application, database, SAN head, NAS head, disk shelf, firewall, bridge, thin WAP, thick WAP, wifi controller, other.
Sales contact name
Sales contact number
Sales contact email
Purchase order number
Physical location (Minneapolis, 511, rack 12, position 13-15)
Retirement date / lifecycle information
Emergency contact name
Emergency contact number
Emergency contact email
Service Level Agreement (SLA)
PSU (single, dual, n+1, n+2, other)
IP addresses associated
Operating system (very specific)
Physical host ID (another AssetID if virtual)
Has virtual guests? (is a virtual host)
Owner & contact info
Secondary owner & contact info
Hardware change history
Software change history
This is not exhaustive. It’s just meant to help organizations get an idea of where to start. The more specific and detailed your asset management database, the more sound the rest of your decisions will be when implementing and enforcing specific company policies. I also like a single database with version control for everything, so you only have a single location where you can find the answers you need. How you normalize your data is up to you, but I prefer a single table for everything. Obviously, if you have tens of millions of assets, this may not be reasonable.
From here you should also consider defining:
How your organization is going to perform asset discovery;
How you plan to capture the data to populate the database;
How you plan to keep it up-to-date and verify the integrity of the data;
Acceptable use of assets;
Your organization’s official IT asset lifecycle for each major type of asset; and
Data and server classification policies.
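The three items above about discovery, capture, and keeping the data honest are where most inventories quietly rot. The script below is an added example, not code from the original post: it reconciles a small, constructed inventory (field names follow the list earlier on this page: asset type, IP address, OS, physical host ID, owner) against constructed lines written in the style of nmap's grepable (-oG) output, and reports the four things an auditor asks for first: live hosts nobody documented, inventory records discovery can no longer see, OS strings that contradict the fingerprint, and virtual guests pointing at a host ID that doesn't exist or isn't flagged as a virtual host. All asset IDs, IPs, owners, and scan lines are made up for the example.

```python
"""Reconcile an IT asset inventory against network discovery results.

Added example; the inventory records and scan lines are constructed sample
data, not real assets or real scan output.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    asset_type: str
    ip: str
    os: str                         # recorded "very specifically", vendor + version
    owner: str
    host_id: Optional[str] = None   # AssetID of the physical host if this is a VM
    is_virtual_host: bool = False   # True if this box carries virtual guests


# Constructed inventory: what the asset database claims exists.
INVENTORY = [
    Asset("A-0001", "server", "10.0.1.10", "Windows Server 2012 R2", "j.doe", is_virtual_host=True),
    Asset("A-0002", "server", "10.0.1.11", "Ubuntu 14.04", "a.smith", host_id="A-0001"),
    Asset("A-0003", "switch", "10.0.1.2", "Cisco IOS 15.2", "netops"),
    Asset("A-0004", "server", "10.0.1.12", "CentOS 6.5", "a.smith", host_id="A-9999"),  # bad host ref
    Asset("A-0005", "server", "10.0.1.50", "Windows Server 2008", "j.doe"),            # not on the wire
]

# Constructed lines in the style of nmap -oG output (tab-separated fields).
SCAN_OUTPUT = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Windows Server 2012 R2
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 3.13
Host: 10.0.1.12 ()\tStatus: Up
Host: 10.0.1.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Windows 7
Host: 10.0.1.2 ()\tStatus: Up
Host: 10.0.1.77 ()\tStatus: Up
Host: 10.0.1.77 ()\tPorts: 80/open/tcp//http///\tOS: Linux 2.6.X
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(.*?\)\t(.*)$")

# Crude OS-family normalizer so "Ubuntu 14.04" and "Linux 3.13" agree.
FAMILIES = {"windows": "windows", "ubuntu": "linux", "centos": "linux",
            "debian": "linux", "linux": "linux", "cisco": "ios"}


def os_family(os_string: str) -> str:
    first = os_string.split()[0].lower()
    return FAMILIES.get(first, first)


def parse_grepable(text: str) -> dict:
    """Return {ip: {"up": bool, "os": str|None}} from -oG style lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # comments and blank lines
        ip, rest = m.groups()
        entry = hosts.setdefault(ip, {"up": False, "os": None})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = (value == "Up")
            elif key == "OS":
                entry["os"] = value
    return hosts


def undocumented_hosts(inventory, scan) -> list:
    """Live on the network but absent from the inventory: the finding that matters most."""
    known = {a.ip for a in inventory}
    return sorted(ip for ip, h in scan.items() if h["up"] and ip not in known)


def stale_assets(inventory, scan) -> list:
    """In the inventory but not seen by discovery: decommissioned, moved, or mis-recorded."""
    return sorted(a.asset_id for a in inventory if not scan.get(a.ip, {}).get("up"))


def os_mismatches(inventory, scan) -> list:
    """Records whose OS family contradicts the fingerprinted OS family."""
    out = []
    for a in inventory:
        seen = scan.get(a.ip, {}).get("os")
        if seen and os_family(seen) != os_family(a.os):
            out.append((a.asset_id, a.os, seen))
    return out


def dangling_host_refs(inventory) -> list:
    """VMs whose physical host ID is missing or not flagged as a virtual host."""
    by_id = {a.asset_id: a for a in inventory}
    return sorted(a.asset_id for a in inventory
                  if a.host_id and not (a.host_id in by_id and by_id[a.host_id].is_virtual_host))


if __name__ == "__main__":
    scan = parse_grepable(SCAN_OUTPUT)
    print("undocumented hosts :", undocumented_hosts(INVENTORY, scan))
    print("stale assets       :", stale_assets(INVENTORY, scan))
    print("OS mismatches      :", os_mismatches(INVENTORY, scan))
    print("dangling host refs :", dangling_host_refs(INVENTORY))
```

Run it on a schedule against a real scan and a dump of your inventory table, and feed each of the four lists back into a ticket for the recorded owner (or the emergency contact when there is no owner); an inventory that is never checked against the network is just a list of what someone once believed.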
There are a ton of other policies you probably need to define here as well, but this discussion could quickly fill a library.
Get started today! You'll find that this isn't an easy project to get started with, but the sooner you start and the more effort you put into the process, the easier things will get over time. If you need standards to lean on, have a look at Annex A, section A.8 of ISO/IEC 27001:2013 and section 8 of ISO/IEC 27002:2013. Section 8.2.2 of ISO/IEC 27005 helps identify the assets your business should include in its risk assessment. PCI DSS version 3.0, requirement 2.4 requires that you "maintain an inventory of system components that are in scope for PCI DSS." Cataloging only the PCI systems doesn't fulfill the spirit of the requirement, since you cannot decide what is in scope without knowing what else is on the network, so I think it's safe to say PCI requires IT asset management. Additionally, requirement 12.2 states, "implement a risk-assessment process that identifies critical assets, threats, and vulnerabilities, and results in a formal risk assessment." Risk assessments are not possible without first identifying the assets you need to protect. Consider management of all IT assets a shadow requirement of becoming PCI compliant.