You can only secure what you know about, which is why Asset Management is a foundational Administrative Control of any Information Security program.
Why is Asset Management Important?
Asset Management is important for a number of reasons. The first is that it allows you to understand your organization’s ecosystem of equipment and software. This helps with depreciation tracking, identifying when equipment is lost or stolen, accounting for assets during audits, assessing risk or incidents, enhances vulnerability management efforts, and bolsters the planning of your overall Information Security program.
If your assets contain or store information subject to regulatory oversight or minimum standards around their security such as HIPAA, failing to maintain a record of them could be costly in penalties and fines.
Especially if you are a public company, proper asset management can provide assurances to your investors that you are good stewards of the organization.
How Do We Start an Asset Management Initiative?
Here’s what you need to establish Asset Management in your organization. As you go through this journey, you may find things that you may need to include or adjust to make it work best for your organization.
- Determine How to Track Assets
Start early in determining how you want to track your assets and work with appropriate stakeholders such as accounting, to ensure the best solution. Is there something common among the assets you need to track that you can reference?Most organizations opt for an asset tag system where they have specialized stickers made that are resistant to removal and mention the organization’s name and a reference number. The reference number is not duplicated at any time.
- Setup an Asset Database
This can be as simple as an Excel Spreadsheet, or as complicated as a Configuration Management Database or CMDB for short. A good asset database should ideally know:
- the reference to the asset (Serial Number, Asset Tag Number, etc.)
- who a device is assigned to
- where it’s located
- when it was placed into service
- what it does
- what it runs on (if it’s a computing platform)
- warranty expiration date
- where it was sourced
- replacement cost
- Account for Your Existing Assets
Unless you are starting fresh in your business and no assets have been purchased, you will want to get your existing assets recorded first and foremost.
- Develop Policies for Maintaining Asset Management
Once you’ve completed the first 3 steps, now set up a baseline of policies that define the Asset Management practice and have enforcement mechanisms for failing to abide by it. For example, when employees depart, the asset record should be referenced to ensure important assets are returned and reassigned.
Once you have established asset management and maintained it, you’ll be thankful you did. Your practices around Asset Management will evolve as your organization changes, so don’t sweat if it’s not perfect the first time around. The most important thing is you know what you have, where it generally is, who has it, and what it does for your organization.
Have other ideas on how Asset Management could be improved? Sound off in the comments!
Featured photo from Pexels by Mike van Schoonderwalt.