Ownership and Inventory

Information security requires a complete and up-to-date inventory of all assets. Each asset requires clear corporate ownership, which defines the personnel responsible for making sure all assets are protected. Primary information security roles include business or mission owners, data owners, system owners, custodians, and users. Each plays a different role in securing an organization’s assets.

Asset Inventory

There’s an old saying: you can’t protect it if you don’t know you have it. A complete and current inventory of all assets is critical. An asset is something of value to an organization. There are two types of assets: tangible assets (such as computers, network equipment, cables, and monitors) and intangible assets (such as data, intellectual property, and brand reputation). Tangible assets exist in physical form and intangible assets do not.

It is critical to identify all computers in an organization and ensure that they are properly protected (hardened, patched, updated, monitored, backed up, etc.). This was simpler in the past but has become complicated by the Internet of Things (IoT, discussed in Chapter 4, Domain 3: Security Architecture and Engineering). “Smart” TVs and VoIP (Voice over IP) phones are computers, for example. Does your IT team protect them as it would any other computer? Many IT organizations ignore IoT devices and other forms of embedded devices, treating them as simple TVs, phones, etc. This means they aren’t properly maintained, aren’t patched, etc., which can lead to significant risk to an organization.

Asset Retention

All computer systems should be protected with proper maintenance, updates, patches, etc. Two critical dates to track are End-of-Life (EoL) and End-of-Support (EoS). End-of-Life means the vendor no longer sells a product but will typically still support it for a period of time. End-of-Support (also called End-of-Service-Life or EoSL) means the vendor no longer supports the product at all: no vendor-supplied maintenance, patches, updates, etc. The process of retiring a product through these stages is called sunsetting.

It is critical that organizations track these two dates for all assets and replace devices before they reach End-of-Support. Devices that pass that date become legacy devices and can represent significant risk to an organization. Many organizations focus on critical assets only, which can be a mistake. Networked assets that are not considered critical (such as many IoT devices) can represent significant risk to an organization should they become compromised. These devices themselves may not be critical, but they may offer network access to assets that are through a process called pivoting (discussed in Chapter 9, Domain 8: Software Development Security).
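The tracking described above, worked as an added example (not from the book): each inventory record carries its vendor's EoL and EoS dates, assets are classified against today's date, and the replacement report deliberately keeps networked non-critical devices (the IoT case) in scope. The asset names and dates are constructed, and the 180-day warning window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    kind: str                        # e.g. "server", "voip-phone", "smart-tv"
    networked: bool
    critical: bool
    end_of_life: Optional[date]      # vendor stops selling the product
    end_of_support: Optional[date]   # vendor stops patching it (EoS / EoSL)

def lifecycle_state(asset: Asset, today: date, warn_days: int = 180) -> str:
    """Classify an asset. Only passing End-of-Support makes it 'legacy';
    End-of-Life alone means it is still patched, just no longer sold."""
    eos = asset.end_of_support
    if eos is not None and today >= eos:
        return "legacy"            # no vendor patches: must be replaced
    if eos is not None and (eos - today).days <= warn_days:
        return "replace-soon"      # inside the replacement window
    if asset.end_of_life is not None and today >= asset.end_of_life:
        return "end-of-life"       # still supported, plan the successor
    return "supported"

def replacement_report(assets: List[Asset], today: date,
                       warn_days: int = 180) -> List[Tuple[str, str, bool]]:
    """(name, state, pivot_risk) for every asset that needs action.
    pivot_risk flags networked devices that are NOT critical themselves:
    exactly the IoT-style assets that get dropped when only critical
    systems are tracked, yet can offer a path onto critical ones."""
    report = []
    for a in assets:
        state = lifecycle_state(a, today, warn_days)
        if state in ("legacy", "replace-soon"):
            report.append((a.name, state, a.networked and not a.critical))
    return report

# Constructed sample inventory (hypothetical devices and dates).
SAMPLE = [
    Asset("db-01", "server", True, True, date(2022, 1, 1), date(2025, 1, 1)),
    Asset("lobby-tv", "smart-tv", True, False, date(2021, 6, 30), date(2023, 12, 31)),
    Asset("desk-phone-17", "voip-phone", True, False, date(2023, 9, 1), date(2024, 10, 15)),
    Asset("hr-laptop-03", "laptop", True, False, None, None),
]

if __name__ == "__main__":
    for row in replacement_report(SAMPLE, date(2024, 6, 1)):
        print(row)
```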