2.3 Provision resources securely

  • Information and asset ownership
  • Asset inventory (tangible, intangible)
  • Asset Management

Risk management requires us to keep an accurate inventory of our assets.  If we don’t know what we have, how can we identify the risks to our organization?

An asset can be tangible or intangible.

Examples of tangible assets

  • Buildings

  • Land

  • Vehicles

  • Machines

  • Tools

  • Safety Equipment

  • Computer Hardware

  • Network Equipment

  • Printers and Photocopiers

  • Product Inventory

  • Materials used in the manufacturing process


Examples of intangible assets

  • Software licenses

  • Copyrights

  • Trade secrets

  • Patents

  • Internet Domain Names

  • Royalty Agreements

What kind of software should we use to track our assets?

  • It is important to choose a program that maintains the integrity of the data, so that records cannot be modified by unauthorized users and every change is attributable and logged.  An inventory that can be silently edited is worthless as evidence.

  • There are specific applications that can be used to track software licenses and computers

  • We might use an accounting program to track tangible assets

With respect to computer hardware and software, we might track the following

  • Hardware

    • Make

    • Model

    • Serial Number

    • Physical Location

    • Properties

    • Network interfaces, MAC addresses, IP addresses, hostname

    • Operating system version

    • Purchase Date

    • Warranty

    • Asset Tag

  • Software

    • Publisher

    • Name

    • Version

    • Updates

    • License Type and Serial Number

    • Expiry Date

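The hardware attributes listed above become useful only once they are validated, normalized and protected from silent edits.  The following is an added example, not code from the original notes: it parses a constructed CSV export from a hypothetical inventory tool, normalizes MAC notation, rejects invalid IP addresses, flags two asset tags that share one serial number, and computes an HMAC over the canonical record set so that unauthorized modification of the inventory is detectable (the integrity point made earlier).  The CSV rows, field names and key are all assumptions made for the example.

```python
import csv
import hashlib
import hmac
import io
import ipaddress
import re

# Column set for one hardware record; mirrors the attributes listed above.
FIELDS = ["asset_tag", "make", "model", "serial", "hostname",
          "mac", "ip", "os_version", "location"]

# Constructed sample export from a hypothetical inventory tool; not real hosts.
# Row A-1002 has a MAC in a different notation, and A-1005 has an invalid IP
# and re-uses the serial number of A-1003.
INVENTORY_CSV = """asset_tag,make,model,serial,hostname,mac,ip,os_version,location
A-1001,Dell,Latitude 5540,ABC1234,lt-alice,00:1A:2B:3C:4D:5E,10.0.1.10,Windows 11 23H2,HQ-2F
A-1002,Dell,Latitude 5540,ABC1235,lt-bob,00-1a-2b-3c-4d-5f,10.0.1.11,Windows 11 23H2,HQ-2F
A-1003,HP,ProLiant DL380,XYZ9876,srv-db01,00:1A:2B:3C:4D:60,10.0.2.5,Ubuntu 22.04,DC-1
A-1004,Cisco,C9300,FOC12345,sw-core01,00:1A:2B:3C:4D:61,10.0.0.2,IOS-XE 17.9,DC-1
A-1005,HP,ProLiant DL380,XYZ9876,srv-db02,00:1A:2B:3C:4D:62,10.0.2.999,Ubuntu 22.04,DC-1
"""

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(mac):
    """Canonical form: upper-case, colon-separated (tools export both : and -)."""
    return mac.strip().upper().replace("-", ":")


def validate_record(rec):
    """Return a list of problems with one record (empty list means valid)."""
    errors = []
    if not MAC_RE.match(rec["mac"]):
        errors.append("bad mac")
    try:
        ipaddress.ip_address(rec["ip"])
    except ValueError:
        errors.append("bad ip")
    return errors


def load_inventory(csv_text):
    """Parse the export, normalize fields and flag invalid or duplicate entries.

    Returns (records, problems) where problems maps asset tag -> list of errors.
    """
    records, problems, seen_serial = [], {}, {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rec["mac"] = normalize_mac(rec["mac"])
        errors = validate_record(rec)
        # A serial number identifies one physical device; two tags sharing it
        # means a data-entry error or a ghost asset that needs investigation.
        if rec["serial"] in seen_serial:
            errors.append("duplicate serial (also %s)" % seen_serial[rec["serial"]])
        else:
            seen_serial[rec["serial"]] = rec["asset_tag"]
        if errors:
            problems[rec["asset_tag"]] = errors
        records.append(rec)
    return records, problems


def canonical_form(records):
    """Deterministic serialization so the same data always yields the same tag."""
    rows = sorted(records, key=lambda r: r["asset_tag"])
    return "\n".join("|".join(r[f] for f in FIELDS) for r in rows)


def sign_inventory(records, key):
    """HMAC-SHA256 over the canonical form; the key stays with the inventory owner."""
    return hmac.new(key, canonical_form(records).encode(), hashlib.sha256).hexdigest()


def verify_inventory(records, key, tag):
    """True only if no field of any record has changed since signing."""
    return hmac.compare_digest(sign_inventory(records, key), tag)


if __name__ == "__main__":
    recs, probs = load_inventory(INVENTORY_CSV)
    for asset_tag, errs in probs.items():
        print(asset_tag, errs)
    # Assumption: the key is stored by the asset owner, outside the inventory file.
    key = b"example-key-kept-by-the-asset-owner"
    sig = sign_inventory(recs, key)
    print("signature valid:", verify_inventory(recs, key, sig))
```

The HMAC does not prevent edits; it makes them detectable, which is what an auditor needs.  Preventing edits is the job of access control on the inventory system itself.
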
Information asset management works as a cycle, because assets are continually acquired, changed and disposed of.  We can refer to the ISO/IEC 19770 series of standards

  • ISO 19770-1 is a framework for establishing an asset management program

    • Controls regarding software modification, duplication and distribution

    • Tracking changes made to IT assets

    • Controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions

    • Controls over situations such as cloud computing and Bring-Your-Own-Device (BYOD) practices, where the organization does not own the device on which its software and data reside

    • Synchronization of IT asset management data with data in financial information systems recording assets and expenses and other business intelligence systems

  • ISO 19770-2 is a standard for identifying software

    • A tag allows us to track each instance of a software installation so that we can ensure it is properly licensed

  • ISO 19770-3 provides a software entitlement schema

    • A shared vocabulary helps us understand software license terms

    • The entitlement information is encoded in a format that software can process automatically, so that what we are entitled to can be compared against the installations we actually find

  • ISO 19770-4 provides methods for measuring resource utilization

  • ISO 19770-5 provides an overview and a shared vocabulary

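To make the 19770-2 and 19770-3 points concrete, here is an added example (not code from the original notes, and not a vendor tool): it parses ISO/IEC 19770-2:2015 SWID tags with the standard library, collects the tags found on several hosts, and compares the installation count per product against a constructed entitlement record to report under- and over-licensing.  The hosts, products, tag identifiers and entitlement counts are assumptions made for the example; the namespace and `SoftwareIdentity`/`Entity` structure are those of the standard.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of ISO/IEC 19770-2:2015 SWID tags.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

# Minimal tag shape used to build constructed samples; real tags carry more
# (Payload, Link, Meta elements) but the identity attributes are the same.
TAG_TEMPLATE = (
    '<SoftwareIdentity xmlns="{ns}" name="{name}" version="{version}" '
    'tagId="{tag_id}" tagVersion="0">'
    '<Entity name="{vendor}" regid="{regid}" role="tagCreator softwareCreator"/>'
    '</SoftwareIdentity>'
)


def make_tag(name, version, tag_id, vendor="Example Corp", regid="example.com"):
    """Constructed sample tag; on a real host the vendor's installer drops it."""
    return TAG_TEMPLATE.format(ns=SWID_NS, name=name, version=version,
                               tag_id=tag_id, vendor=vendor, regid=regid)


def parse_swid(xml_text):
    """Extract the identity fields from one tag, rejecting anything else."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SoftwareIdentity" % SWID_NS:
        raise ValueError("not an ISO 19770-2 SoftwareIdentity element")
    creator = None
    for ent in root.findall("{%s}Entity" % SWID_NS):
        if "softwareCreator" in ent.get("role", "").split():
            creator = ent.get("regid")
    return {"name": root.get("name"), "version": root.get("version"),
            "tagId": root.get("tagId"), "creator_regid": creator}


# Constructed: tags collected from four hypothetical hosts (for example the
# contents of each host's swidtag directory), keyed by hostname.
TAGS_BY_HOST = {
    "ws-01": [make_tag("Example Editor", "4.2.0", "com.example.editor-4.2.0"),
              make_tag("Example Scanner", "1.0", "com.example.scanner-1.0")],
    "ws-02": [make_tag("Example Editor", "4.2.0", "com.example.editor-4.2.0"),
              make_tag("Example Scanner", "1.0", "com.example.scanner-1.0")],
    "ws-03": [make_tag("Example Editor", "4.2.0", "com.example.editor-4.2.0")],
    "srv-01": [make_tag("Legacy Tool", "9", "com.example.legacy-9")],
}

# Constructed entitlement records (the kind of data ISO 19770-3 describes):
# tagId -> number of installations the licence permits.
ENTITLEMENTS = {
    "com.example.editor-4.2.0": 2,
    "com.example.scanner-1.0": 5,
}


def license_position(tags_by_host, entitlements):
    """Compare installations found via SWID tags against purchased entitlements."""
    installed = Counter()
    for host, tags in tags_by_host.items():
        for xml_text in tags:
            installed[parse_swid(xml_text)["tagId"]] += 1
    report = {}
    for tag_id in set(installed) | set(entitlements):
        have = installed[tag_id]
        allowed = entitlements.get(tag_id, 0)
        if have > allowed:
            status = "under-licensed"   # compliance gap; also catches unentitled software
        elif have < allowed:
            status = "over-licensed"    # paying for seats nobody uses
        else:
            status = "ok"
        report[tag_id] = {"installed": have, "entitled": allowed, "status": status}
    return report


if __name__ == "__main__":
    for tag_id, row in sorted(license_position(TAGS_BY_HOST, ENTITLEMENTS).items()):
        print(tag_id, row)
```

A product with installations but no entitlement record (the legacy tool on srv-01 above) shows up as under-licensed, which is the case an asset manager most wants surfaced: software nobody approved.
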
The baseline configuration records how a device is expected to be configured.  We compare the baseline against the device's current configuration to determine whether any changes have been made (configuration drift).  Baselines are versioned: each approved change produces a new baseline, so we know what the expected configuration was at any point in time.

When we want to make a change to the configuration, we describe the change as a difference against the current baseline.  The people responsible for approving the change compare it against the baseline to see what will be affected.  The change may affect only one device or all the devices; when it affects all of them, the approved change becomes a new baseline.
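
The baseline comparison described above, as an added example that is not part of the original notes: a constructed baseline for an SSH daemon configuration is parsed into keyword/value pairs, the live configuration is diffed against it to report added, removed and changed settings, each baseline version gets a stable identifier, and an approved change set is promoted into a new baseline so that only the unapproved differences remain as drift.  The configuration values and the single approved change are assumptions made for the example, not a recommendation for any real host.

```python
import hashlib

# Constructed baseline for an SSH daemon configuration, as approved through
# change control. Hypothetical values, not a recommendation for any real host.
BASELINE_TEXT = """\
# approved baseline v1
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
"""

# Constructed: what the device actually has today.
CURRENT_TEXT = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowTcpForwarding yes
"""


def parse_config(text):
    """Parse 'keyword value' lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def baseline_id(cfg):
    """Short, stable identifier for a baseline version (independent of line order)."""
    canonical = "\n".join("%s %s" % (k, cfg[k]) for k in sorted(cfg))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def drift(baseline, current):
    """Everything that differs between the approved baseline and the live config."""
    return {
        "added": {k: current[k] for k in current.keys() - baseline.keys()},
        "removed": {k: baseline[k] for k in baseline.keys() - current.keys()},
        "changed": {k: (baseline[k], current[k])
                    for k in baseline.keys() & current.keys()
                    if baseline[k] != current[k]},
    }


def is_compliant(baseline, current):
    """True when the live configuration matches the baseline exactly."""
    return not any(drift(baseline, current).values())


def promote_baseline(baseline, approved_changes):
    """After the CCB approves a change set, fold it into a new baseline version.

    approved_changes maps keyword -> new value, or None to delete the keyword.
    """
    new = dict(baseline)
    for key, value in approved_changes.items():
        if value is None:
            new.pop(key, None)
        else:
            new[key] = value
    return new


if __name__ == "__main__":
    base, cur = parse_config(BASELINE_TEXT), parse_config(CURRENT_TEXT)
    print("baseline", baseline_id(base), "compliant:", is_compliant(base, cur))
    for kind, items in drift(base, cur).items():
        print(kind, items)
    # Assumption: only the forwarding change went through change control.
    base2 = promote_baseline(base, {"AllowTcpForwarding": "yes"})
    print("new baseline", baseline_id(base2), "remaining drift:", drift(base2, cur))
```

Hashing the sorted keyword/value pairs rather than the raw file means a reordered or re-commented file still maps to the same baseline version, while any change to a setting yields a new identifier; the identifier is what a change request should reference.
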

A single employee should not be able to make a change on his or her own; that is separation of duties, and it is enforced through change control.  The change control policy tells us the following

  • What types of activities constitute a change.  This might include network hardware configuration, switch configuration, security policies, the physical location of infrastructure, and many other items.

  • The workflow for a change request and how we keep track of each request.  In general, a person who wants to initiate a change must write a detailed plan and justification for the change.

  • The person or people responsible for approving the change request.  The level of management required for approval depends on the cost and impact of the change.

  • The change request might go to a committee known as the Change Control Board or CCB.  The policy should define the people who are on the committee.

    The CCB evaluates the impact of the change on the organization.  Some of the things that the CCB might consider

    • The cost of the change

    • The amount of time required to implement the change

    • The risk of the change affecting a critical organizational function

    • The potential benefit of the change

The CCB decides whether a change is approved or denied.  A member of the executive team may be able to overrule a decision made by the committee.

  • Once the change is approved, we must do the following

    • Develop a detailed budget for the change

    • Develop a detailed plan for the change, including a rollback plan to reverse the changes should they fail.

    • Develop a detailed schedule for the change

    • Execute the change

  • Once the change has been executed, we must document the change so that others are aware of it.  This includes updating the baseline configuration, the asset inventory, and the documentation of any critical systems that were affected.