When it comes to the asset management aspect of cybersecurity, most organizations focus on two areas: hardware and software. It’s an obvious concept that you can’t protect something you don’t know you have. Most companies with a cybersecurity program in place at least have a hardware inventory. For licensing purposes, most companies also maintain some type of software inventory as well.

However, conducting the appropriate discovery and analysis of your hardware and software is just the beginning of effective asset management for cybersecurity.

Why Asset Management is Important

In a previous blog, we outlined why data discovery and classification is an important process for cybersecurity. But, the assets involved in storing, moving, and securing that data are just as important.

As we’ve discussed before, developing a comprehensive cybersecurity program requires an awareness of physical threats just as much as cyber threats. This is why a comprehensive asset management strategy is so important.

4 Assets You Can’t Afford to Ignore

The process of identifying and classifying your assets and developing the appropriate security measures for them is very similar to data classification and management (read more about the steps here). However, as we mentioned earlier, asset management goes well beyond IT hardware and software.

When it comes to asset management, there are four areas we always encourage organizations to consider:

  1. Your Data—As we mentioned in our previous blog, it’s important to know all the data moving in and out of your organization, where it is stored, and how important it is.
  2. Your Hardware and Software—The next step is to identify all the hardware devices and software applications that process the data. A list of authorized hardware should be created and maintained in order to provide insight into the components that may comprise an organization’s infrastructure. Additionally, a software inventory provides insight into the applications that are approved for use in the environment. We strongly encourage application white-listing (only allowing approved applications) to help you maintain control over your environment. This will, of course, require you to have the capability to scan for, and then remove, unauthorized software.
  3. Your Physical Property and Facilities—Extending your asset management beyond the IT hardware devices and software programs is a critical part of developing a comprehensive cybersecurity program. Making sure you have the appropriate security processes in place to protect the physical assets that house those systems is vital. This is also critical to having up-to-date and effective disaster recovery plans.
  4. Your People—When it comes to asset management, we often think about hardware and software but forget people. Without making sure you’re adequately managing and equipping people to run those systems, you’re putting your assets at risk for a potential cyber-attack. This means making sure employees have an understanding of their role in cybersecurity. It also means creating accountability for the people who are running the systems and processes and establishing contingency plans that consider the loss or lack of availability of critical team members.
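The reconciliation described in item 2 (an authorized software inventory checked against what a scan actually finds) can be automated. The following is an added example, not code from LBMC or BALLAST; the approved list, the scan results and the field names are constructed for illustration.

```python
# Constructed approved-software inventory (hypothetical data, not from any real environment).
# name -> {"versions": approved versions, "required": must be present on every host}
APPROVED = {
    "endpointagent": {"versions": {"5.2", "5.3"}, "required": True},
    "openssh": {"versions": {"9.6", "9.7"}, "required": False},
    "chrome": {"versions": {"124.0"}, "required": False},
}

# Constructed discovery results, in the shape an inventory scan might report.
DISCOVERED = [
    {"host": "ws-01", "app": "EndpointAgent", "version": "5.3"},
    {"host": "ws-01", "app": "chrome", "version": "122.0"},        # approved app, stale version
    {"host": "ws-02", "app": "openssh", "version": "9.7"},
    {"host": "ws-02", "app": "torrentclient", "version": "1.2"},  # not on the approved list
]

def reconcile(discovered, approved):
    """Compare scan results with the authorized inventory.

    Returns findings in three buckets:
      unauthorized  - software not on the approved list (candidate for removal)
      version_drift - approved software running a non-approved version
      missing       - hosts lacking software the inventory marks as required
    """
    findings = {"unauthorized": [], "version_drift": [], "missing": []}
    seen = {}  # host -> set of approved app names observed there
    for item in discovered:
        host, app, ver = item["host"], item["app"].lower(), item["version"]
        seen.setdefault(host, set())
        if app not in approved:
            findings["unauthorized"].append((host, app, ver))
        else:
            seen[host].add(app)
            if ver not in approved[app]["versions"]:
                findings["version_drift"].append((host, app, ver))
    # A required control (e.g. the endpoint agent) that is absent is also a finding.
    for host, present in seen.items():
        for app, spec in approved.items():
            if spec["required"] and app not in present:
                findings["missing"].append((host, app))
    return findings

def hosts_needing_remediation(findings):
    """Sorted list of hosts with at least one finding of any kind."""
    return sorted({f[0] for bucket in findings.values() for f in bucket})

if __name__ == "__main__":
    result = reconcile(DISCOVERED, APPROVED)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("remediate:", hosts_needing_remediation(result))
```

The same comparison works against hardware inventories (approved device models or serials instead of application versions), which is the sense in which the authorized list gives visibility into what should, and should not, be in the environment.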

Ensuring Your Data (and Systems) Are Adequately Protected

Building in the appropriate security and availability controls to protect your assets is critical to protecting your data. Once you have an understanding of all of the assets that need protection, you can take steps towards protecting them.

With BALLAST, you don’t have to wonder if you’re applying the appropriate controls to protecting your assets. We developed BALLAST to make it easy for you to know where you have the greatest risks (for your data and your assets) and where you can strengthen your efforts to create a capable cybersecurity program. Contact us today to learn more!

Mark Fulford


Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.