To skip the article and download the policies and procedures provided:

Asset Inventory – Policy and Procedures

Sample-Asset Management Policy

Introduction

In our last several articles we’ve discussed and dived deep into the topic of asset management. Asset management, also referred to as asset inventory or inventory management of technology is critical to a successful cybersecurity program. It’s at the top of importance of two of the most popular cybersecurity frameworks; NIST – Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. CIS Top Twenty lists inventory controls as the first two security controls:

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets

Lack of Asset Management When assets are not tracked and documented, the technology program and the cybersecurity program do not know exactly what they have. Because of this the security program and all of its controls do not permeate to all the assets. This leaves vulnerabilities and security exposures. Even if most of the company is fully protected, these rouge unprotected assets leave a potential opening into the company. As we’ve discussed, one of the first steps to improving asset management is to create a policy and standard operating procedure. These formal policies get leadership approval and set the stage and expectations for the business to follow. This level of support also drives the initiatives and budgets. With these policies sand procedures supporting the people resources and budget required to build this pillar of the program, success can finally be realized.   Asset Management Policy Purpose A good asset management policy will start by define the purpose of the policy. In the free downloadable policy, we’ve provided for you, it started by define the purpose.

• The purpose of this document is to establish the policy for ensuring that management of the Asset Inventory list at [insert company name] by the appropriate department.

Scope As discussed in our articles about improving asset management we’ve specially hammered on the point that define the scope is of the utmost important. Without this defined, scope can be questioned and get confused. Decided early what’s currently going to be included and tracked in these inventory systems. Start simple and expand the context of the scope as the cybersecurity program matures. It’s a good idea to specially call out technology that will NOT be included in the policy at this time. This shows staff and external auditors you are informed about technology and know there are areas that have not been addressed yet and prevent audit creep from considering these areas. The type of technology and business you have will greatly influence how you choose the scope of your asset management. 2.1.         This policy applies to Assets (applications and services) that are managed by IT at [company name]. 2.2.         This policy does not apply to [fill in] systems maintained by IT at [company name]. Policy Details With the purpose and scope defined we can finally get into the details of what the policy is ultimately for, providing instruction on what, how, when, and who. 3.1.         Asset Inventory List Ownership 3.1.1      IT Management is responsible for the sole ownership and maintenance of Asset Inventory List in [system name or document] which serves as [company name] electronic document management system. 3.1.2      IT Management can designate personnel within IT group who will be responsible to maintain this list. 3.2.         Critical Aspects of Asset Inventory List 3.2.1    Asset Inventory List at a minimum includes the following:

• Application Name (eg: Adobe, Argus)
• Vendor (eg: Microsoft, Oracle)
• Installation Location/Type (eg: Web Based, Thick Client)
• Description (eg: Used for data analysis)
• Support Contact details (eg: phone, email)

3.3.         Frequency of Review/Update to Asset Inventory List 3.3.1      IT Management must review the Asset Inventory List at a minimum on a semi-annual basis. The Asset Inventory List can also be updated on a quarterly or on as needed basis (where applicable) to reflect the current inventory of software applications and services deployed at [company name]. 3.3.2      The Asset Inventory List will be required to be updated whenever there is a new application, updates to an application, removal and/or retirement of an application. 3.3.3      Any updates to the Asset Inventory List will be managed in [system name]. 3.4.         Approval and Record Retention 3.4.1      The Asset Inventory List will be approved by [list approver or process]. This will ensure a centralized location, with version control and audit trail and also searchable by IT or designated users.   This basic and straight forward policy detail provides users a brief and direct document to identify what they need to do, when they need to do it, and where this needs to take place. Sometimes it’s important to consider the audience of who will be reading and trying to follow this policy. If the audience is not technology adapt, or familiar with all the systems identified in the policy, a definition section may be beneficial to add.  Spending a little extra time on definition section prevent the situation where a user took the time to read and review the policy, but didn’t know what it meant so they decided not to follow it and od it their own way instead. (tragic). Definitions We’ve listed an example here, but review your policy and audience and come up with a list of keywords that were used within the policy that might not be clearly understood by all the readers. 4.1.         Asset – Term used by [company name] to describe software applications and services maintained by IT Management. Finally keep track of updates and approvals by adding a Revision or approval section to your document. Not only is this important for internal tracking, but especially important to prove to auditors that the policy has been approved, and has been updated on a regular basis that matches whatever the policy states is required. Revision History 5.1 Revision number and summary of changes   Policy & Procedure Sometimes it’s easier to combine the policy and procedure into a single document. This reduces confusion and time wasted by resources looking around for what steps they need to take to follow the policy. This is most commonly used by small businesses that want the maturity of a cybersecurity program, without the complexity of a big corporate company. Here is a simple Asset Inventory Policy and Procedure I wrote to help this kind of business. Goal: To maintain an inventory of current assets so that an appropriate level of protection of organization assets can be achieved. This is done through asset documentation, ownership, and risk rankings.   Scope: [Company name] must maintain inventories of all-important information assets. The scope of this policy is inclusive of all IT assets that are owned or hosted by [company name], is hosted on behalf of [company name] by a cloud vendor or is located at a shared date center facility. At this time the current scope for maintaining inventory on assets includes:

• End user compute devices (computers, laptops)
• End user applications
• Cloud based (SaaS) applications
• Company provided endpoints for employees
• Company provided endpoints for contractors and/or consultants
• Employee owned (BYOD) endpoints used on premises.
• Company owned servers onsite
• Non-company owned servers onsite
• Company owned servers at vendor or partner locations
• Non-company owned servers located at vendor or partner locations
• IoT devices on company premises like HVAC and alarm systems.
• Company owned servers at offsite data center.
• Company owned networking infrastructure onsite
• Company owned access badges
• Company owned mobile devices
• Company access devices (keys to building / elevators)

(Cross off or delete any assets you do not want to include in the scope of your inventory management at this time.)   Required fields: Data required to be collected and retained as part of the asset inventory process is:

• Asset name (DNS, hostname, Application name)
• Approval (Checkbox field that the asset has been verified as appropriate to the environment)
• Device Type (computer, server, laptop, end user application, cloud application)
• Description (field to provide basic description)
• Asset Location (on prem, mobile, cloud)
• IP Address (any protocol assignment associated with asset, can be IP range)
• Asset Owner (group that owns, maintains, or requires this asset)
• Risk Classification (unknown, low, medium, high)
• Risk Assessment Performed (NA, none, or date)
• Notes

  Inventory System: The assets shall be inventoried in a central repository. This source should be independent and regarded as the authoritative source of trust for the inventory is maintains. Procedures will exist to reconcile and update this inventory. No automated processes should update this inventory from a subjective inventory, such as other security management console.   Asset Owners: All information assets must have owners, within the context of the organization. Assets owner is responsible for the providing risk classification information consistent with data classification policy levels. If the ownership for a specific type of asset has not yet been clearly assigned to a specific owner, it will be temporarily default to the [fill in role].   Asset Monitoring: Assets should be continuously monitored, as part of the cybersecurity vulnerability management program.

Asset Inventory: Management Process

Inputs: Assets will be discovered and ingested from other appropriate technology tools and resources. Data exports, or manual exports can be performed to populate the inventory asset list. For example, for cloud applications (SaaS) can be exported from CASB solution. Endpoint resources can be exported from [IP management system].   Review: Assets will be reviewed with the asset owner for appropriateness within the environment.  Once a single approval is achieved the asset is approved unless the data owner provides written notice the asset is no longer approved.   Discovery: Ongoing processes will be used detect new, rouge, or malicious assets introduced in the environment.

• Utilize Discovery Tools: Utilize active and passive discovery tools such as scanners, Active Directory, and other resources to discover new assets.
• Log Sources: Log sources can be used and reviewed to identify previously unknown assets such as DHCP, and DNS logs.

Reconcile: Assets identified as part of the discovery process will be reconciled against the source of truth asset inventory list. Assets identified, that were not currently previously in the asset list, will be reviewed for ownership assignment and approval by ownership to be included in the asset inventory list. Maintain: An ongoing governance task will be created and assigned to regularly review the asset inventory list. This maintain process will ensure the following:

• Discovered assets are being added
• Asset ownership and fields are being updated
• Information is accurate and up to date

Revisions I recommend adding a Revision section to this document that includes the date it was updated and approved, by who, and a summary of what changes were made.   Roles & Responsibilities You’ll not one area that we haven’t focused too much on is roles and responsibilities. Depending on your business and company culture you’ll want to decide how much you need to call out in detail who is responsible for what. We’ve covered this in other articles on asset management the ability to define a SME (subject matter expert) to manage most of this from a central stand point. Or you can decide to manage inventory with a distributed approach where the appropriate asset owner is responsibility for managing their own inventory. You can add a roles and responsibility section to your policy, or procedure, or both to describe the responsibilities to be performed by individuals participating in asset management. You may need to scope these roles and responsibilities to internal employees, contractors, consultants, or external service providers. Here is a common list of roles and responsibilities you can use for your policies and procedures on asset management:

Asset Custodian	Is responsible for ensuring assets assigned to them have been accounted for in accordance with this standard.
Asset Owner	Is responsible for the effective management of the asset over the whole of the asset’s lifecycle
Procurement	Receives purchase requests from employees, and submits completed IT equipment and Software purchase request forms to Purchasing for fulfillment.
Department Lead	Responsible for the roll out of the procedure and operations and ensuring employees understand their responsibilities.
Security Committee	Group of elected company representatives to influence policy, privacy and security across the company.

Revisions and Updates: As we’ve discussed revision history, approvals, and updates throughout this article I want stress two things;

1. The importance of regular review cadence
2. Tips on how to accomplish this so that it doesn’t fail.

Regular review Consider how often is practical for your company and culture to review and update this policy. The purpose of the policy is to mature your cybersecurity program. This is accomplished in two ways. First it improves the best practice and procedure of your employees following the right steps to accurately maintain an up-to-date list of asset inventory. The second way this policy acts as milestone for measurement by internal or external resources to score your program. One the policy is written, it will help garter the resources needed to accomplish the goals, but it will also do something else. It creates a documented standard that you will be held to and measured against. So, it is really important that whatever you write in the policy is being done. One of the most frequent areas of failure I’ve witnessed is the updates. The policy will state that it is required to be reviewed annually. The policy is then forgot about and fails to meet this requirement, thus failing when auditors review the maturity of the program. Ensure that you are reviewing and updating the policy in accordance the requirements set for in your own policy. If you can’t uphold and maintain the cadence, reduce the frequency stated int eh policy, or remove it all together. Tip My favorite way to ensure the policy and procedures are getting updated in accordance with what the policy states is by doing these two things below.

1. Schedule it on the calendar. Add an appointment a year out on your calendar with a reminder on it. In addition, invite someone else on your team. Explain to them what I’s for and also add a brief description to the appointment. That way if you’re not longer with the company, someone else can ensure It’s still getting done. A manger or leader can be an excellent chose of someone to invite to this appointment as it’s shows them your diligence and they are ultimately responsible for ensuring these activities get done.
2. Governance Calendar. Create a document that lists out all these types of activities that are considered operational maintenance. Make a leader aware of the se list and get direction on where and how to store it. This can be great because it combines this activity or viewing policies with all the other security activities that need to done to maintain the program, but can be easily forgotten about.

I hope these resources help you improve and mature your cybersecurity program. If you have any tips of your own please provide them in the comments section as they help everyone.   Asher Security focuses on helping Minnesota businesses improve their security programs. If you’d like with your asset management, or other pillar of your cybersecurity program please reach out and schedule a thirty-minute meeting so we can learn more about you and the current challenges you’re having.