Assets, as they relate to information and technology facilities of an organisation, are typically identified and recorded in dedicated inventories as part of the overall technology documentation. To be effective, the register(s) should include all applications and software systems, end-user equipment, network devices and services, infrastructure systems, back-end technology, servers and related systems, and cloud-based systems and services. In other words, these inventories act as the definitive record of the entire set of technology that is known to exist within the organisation.
Most asset registers focus on the operational and financial management processes involved in the handling of hardware and software usage. Hardware registers capture details of the physical properties of equipment to assist with the management of routine maintenance, replacement cycles, etc. Software applications registers help manage the pool of user licences that are needed to provide access to the various systems used by the organisation.
In relation to security, additional details are required for technology systems to facilitate the Information Security Management System. This means every single element that makes up the company technology environment needs to be documented not just for classic operational management purposes but also to assist the construction of the security framework.
Knowledge of the company’s technology asset base will provide certainty over the status of the assets, as well as who has access to those assets and how this access is managed. These details are important when planning how to maintain security of critical company assets. As well as the necessary technical details, the information recorded for each asset will include where the assets are located, what configuration they have, what version they are, and many other security specific details.
With an appropriate asset register, the recorded information can be used, for example, to help identify unauthorised modification to assets, which is often the first indication that an asset has been compromised.
The management of assets within the scope of the company’s ISMS is dependent on policies governing the following:
- Asset Inventory – what is included in the register
- Ownership of Assets – who is responsible for the management of different assets
- Acceptable Use of Assets – how the assets should be used
An organisation must identify all assets in the information technology environment and document their significance. Documentation of specific or current inventories should be maintained by authorised individuals as required.
The register(s) of assets must be accurate, up to date, compatible, and matched with other technology service inventories. Ownership should be allocated to each of the assets and grouping or classification of assets should be used to highlight relevant types, functions or uses for the assets.
The recording of lifecycle events of assets should include activities involved in the acquisition, creation, processing, storage, transmission, deletion and destruction of the asset.
Guidelines should be identified, documented, and implemented for the acceptable use of technology assets linked to information and information processing facilities. This will serve to increase awareness of responsibilities in relation to the security of the assets.
Employees and external parties who use or have access to the company's assets must be made aware of all the Information Security requirements, especially when information is shared with other users. The owners and/or regular users of company assets will be responsible for the use and management of any related information processing services carried out.