What is Asset Management?
Asset management is the process of identifying, tracking, and maintaining information about an organization’s assets. The goal of asset management is to minimize risk and maximize return on investment (ROI) with regard to the assets’ associated risks and risk treatment. In order to achieve these goals, organizations must have a clear understanding of their assets and how they are used.
Asset management is a critical component of any organizational risk management strategy. By identifying and quantifying risk, asset managers can make informed decisions about where to allocate resources.
Asset management is also an important aspect of compliance with ISO/IEC 27001, the international standard for information security. This standard requires organizations to establish and maintain an asset management program in order to control and protect their information assets.
What are the levels/types of assets?
Assets can be broadly described as anything that an organization considers valuable, which goes beyond tangible or physical assets and includes hardware and software, outsourced services, and infrastructure that may influence the accessibility of information. There are basically four different categories of assets:
- Human Assets: Skills of the workforce, their level of training and education, and other attributes like loyalty, quality and security or privacy awareness.
- Financial Assets: Stocks, real estate, and other liquid assets with or without intrinsic value or physical existence.
- Information Assets: Databases, passwords, and encryption keys, whether they are written on paper or digitally.
- Intangible Assets: Reputation, trademarks, certifications, and other assets that could impact a company’s reputation are examples of intangible assets.
What does ISO/IEC 27001 say?
An inventory of information and other associated assets, including owners, shall be developed and maintained.
The aim is to identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. When doing this, please consider the following:
- Hardware
- Information systems
- Possible removable storage devices (USB sticks, hard drives)
- Mobile devices
- Data center and networking components
- Data
When possible, determine the information classification (A.5.12 Information classification) associated with the asset.
Responsibility of assets:
Organizations must identify and document who is responsible for the assets that support the organization’s information security. Management should review and approve these responsibilities. This is to ensure that there is an appropriate level of control over the assets and that the individuals responsible for them understand their roles and responsibilities.
When defining roles and responsibilities, the following factors should be taken into account:
- The value of the asset to the organization
- The sensitivity of the asset
- The level of access required to the asset
- The Availability, Integrity and Confidentiality requirements for the asset
- The impact of a loss of the asset
Inventory of assets
The purpose of this asset inventory is to list and describe the organization’s information assets, as well as to identify the location of these assets. This will help the organization to better understand its information assets and their value, so that they can be better protected. An information asset is anything that has value to the organization, including:
- Physical assets
- Electronic assets
- Intellectual property
- Sensitive information
The inventory should be reviewed and updated on a regular basis, as the organization’s information assets are constantly changing.
Ownership of assets:
The ownership of assets is a critical component of any organization’s security posture. The primary purpose of this control is to ensure that only authorized individuals have access to organization assets. This includes all physical and electronic assets, as well as any associated data and information.
Organizations should clearly define and document the roles and responsibilities for asset ownership. This will help to ensure that all assets are accounted for and that unauthorized access is prevented. Furthermore, all changes to asset ownership should be tracked and recorded.
This control is applicable to all organizations regardless of size or industry. In order to effectively implement this control, organizations should take the following steps:
- Define the roles and responsibilities for asset ownership
- Develop a process for tracking and approving changes to asset ownership
- Ensure that all assets are accounted for and that unauthorized access is prevented
Acceptable Use of Assets
An organization needs to define requirements for establishing, implementing, maintaining and documenting a policy for the acceptable use of information and information processing assets.
When doing so, please consider the following:
- Establish, implement, maintain and document a policy for the acceptable use of information and information processing assets
- Ensure that the policy for the acceptable use of information and information processing assets:
  - Is consistent with the organization’s information security policy
  - Establishes acceptable use criteria for information and information processing assets
  - Defines the consequences of breaching the policy
The policy for the acceptable use of information and information processing assets should be reviewed and updated regularly to ensure that it remains relevant and up-to-date.
Return of Assets:
The ownership of assets is a critical component of any organization’s security posture. The primary purpose of this control is to ensure that only authorized individuals have access to organizational assets. This includes all physical and electronic assets, as well as any associated data and information.
Organizations should clearly define and document the roles and responsibilities of asset ownership. This will help to ensure that all assets are accounted for and that unauthorized access is prevented. Furthermore, all changes to asset ownership should be tracked and recorded.
This control is applicable to all organizations regardless of size or industry.
