About Asset Management

Know what you have, where it is and who is in charge of it. Asset management creates the foundation on which to build all of your other security features.

In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.

Asset management means creating and maintaining accurate information about your assets, so that it is available for day-to-day operations and efficient decision making when you need it. Security experts often refer to asset management as a fundamental cyber hygiene practice that can help an organisation meet all five of the Cyber Essentials controls. Many major security incidents are caused by assets that remain connected to the network without the organisation being aware that they are still active. Effective asset management will help track and control devices as they’re introduced into your business.

The NCSC has comprehensive guidance for organisations on asset management.

What is an asset?

An asset is a resource or an item of property that is owned or controlled by a company and adds value. Business assets can include information (data), hardware and software. They can also include vehicles, people and infrastructure (offices, electricity, air conditioning).

Within the context of Cyber Essentials, we will focus on information, hardware and software as well as third parties such as MSPs and cloud service providers.

Once an organisation has identified its assets, they can then be factored in and controlled when identifying risks, threats and vulnerabilities.

What is an asset register?

An asset register is essentially a document or series of documents that list and describe everything that has value to your company. It also nominates someone to be responsible for protecting the confidentiality, integrity and availability of each item. Despite being time consuming, the activity of making an asset inventory serves as a crucial foundation for implementing cyber security controls. How can you protect something that you don’t know about?

Making and maintaining an asset register is considered a security best practice and is a practical first step that will assist with other important requirements. A comprehensive asset register is usually an important component of your insurance policy, accounting process or procurement, and as your organisation grows in its cyber security journey, it will inform your risk assessment as well as an incident response plan.

Ensure all assets are accounted for by the asset management process. This should include physical, virtual and cloud resources, along with your organisation’s internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates. Comprehensive asset management helps avoid any assets not being configured with the appropriate security controls and is required for compliance and vulnerability scanning (for those certifying to Cyber Essentials Plus).

Documenting all your assets is the first step towards reviewing and understanding the relative value of your information assets to your business and the impact if they were lost, stolen, or damaged. Once you have identified which assets are most important (valuable) to your business, you can apply adequate protection and the appropriate security budget to them throughout their life cycle.

Label your stuff

An asset register should contain some key fields to make the tracking and identification of assets easier. Consider developing a system of unique IDs for each item in the inventory which can save confusion about overlapping technologies or identical multiple items. Asset tags can allow you to label physical devices.

For each asset, your records must include at least:

  • A category name that groups similar asset types
  • Details of location (be aware of any assets that are moved around)

Know where it is

Are your assets on a local computer, cloud storage, on social media, a member of staff’s computer, a USB stick, a database, or in a filing cabinet? Are they located at home, the main office, or in a storage unit? If the asset is fixed, record the location.

  • Mobile assets: If the asset is mobile, record who uses it on a day-to-day basis and where it is typically used; mobile assets may be governed more by ownership than location. It may also be possible to track portable assets through the use of mobile device management (MDM) software.
  • An asset importance rating: The relative value and impact of losing the asset can be recorded using protective marking schemes. Common systems to record this include: (high, medium, low), (public, confidential, secret), or (red, amber, green).
  • An asset owner: Having a named owner for each asset ensures that someone is accountable for the activities required to keep it secure. Information asset owners will set the rules around data assets, such as classification, who can access them, and retention period.

Managing legacy

All software and hardware eventually becomes out of date. Continuing to use products beyond that point involves increased risk, or increased costs to mitigate those risks. Asset management can help organisations identify when systems will reach end of support and plan ahead.
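The register fields listed above and the end-of-support planning described here can be checked automatically. The following is an added example, not part of the original guidance: it audits a CSV register for duplicate IDs, missing category, owner, location or day-to-day user, ratings outside the chosen scheme, and assets at or near end of support. The column names, the `end_of_support` column, the sample rows and the 12-month planning window are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register; column names are assumptions, not a Cyber Essentials schema.
SAMPLE_REGISTER = """asset_id,category,mobile,location,daily_user,importance,owner,end_of_support
HW-001,Laptop,yes,,j.smith,high,IT Manager,2027-10-14
HW-002,Server,no,Main office comms room,,high,IT Manager,2025-01-31
HW-002,Printer,no,,,medium,Office Manager,
SW-001,Accounts software,no,Cloud,,critical,,2024-06-30
"""

RATINGS = {"high", "medium", "low"}  # one of the rating schemes the page mentions

def audit_register(text, today, warn_days=365):
    """Return a list of (asset_id, problem) findings for a CSV asset register."""
    findings, seen = [], set()
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        aid = row["asset_id"] or "<no id>"
        def flag(msg):
            findings.append((aid, msg))
        if aid in seen:
            flag("duplicate asset ID")
        seen.add(aid)
        if not row["category"]:
            flag("missing category")
        if not row["owner"]:
            flag("no named owner")
        if row["importance"].lower() not in RATINGS:
            flag("importance rating not in scheme")
        if row["mobile"].lower() == "yes":
            # Mobile assets are tracked by who uses them day to day.
            if not row["daily_user"]:
                flag("mobile asset without day-to-day user")
        elif not row["location"]:
            flag("fixed asset without location")
        if row["end_of_support"]:
            try:
                eos = date.fromisoformat(row["end_of_support"])
            except ValueError:
                flag("unparseable end-of-support date")
                continue
            if eos < today:
                flag("past end of support")
            elif eos <= today + timedelta(days=warn_days):
                flag("end of support within planning window")
    return findings

if __name__ == "__main__":
    for asset_id, problem in audit_register(SAMPLE_REGISTER, date(2025, 6, 1)):
        print(f"{asset_id}: {problem}")
```

Running a check like this as part of each register review turns gaps in the records into a list that the named owners can act on.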

The use of Bring Your Own Device (BYOD)

If your organisation allows staff to use personal devices such as mobile phones for business purposes, those devices will need to be approved and tracked, but as they are not owned by the organisation, they will not be included in the asset register.

Removal of assets

Assets removed from your business estate must be removed from the asset register and disposed of securely.

Review your asset register

Once you have created your asset register, you need to review it regularly and ensure that the information is kept up to date. When you buy new equipment, be sure to log it in the asset register, and when you move something or discard it, update your list. Your asset list is only as valuable as the care and detail you put into accounting for and documenting each asset. It is worth being meticulous, as an asset register gives you the visibility and awareness for many of your other practices and requirements.