7.5 Apply resource protection techniques

  • Media management
  • Hardware and software asset management

Media management is the process of tracking and storing all storage media in our organization.  Media can include

  • Hard Disk Drives

  • Removable Hard Disk Cartridges

  • Magnetic Tapes

  • DVDs

  • CDs

  • USB Drives

  • Floppy Disks

  • Zip Drives

We must have clear policies for the following

  • Where do we buy new media from?  Is there a specific vendor?  Is there a specific make, model, and/or storage capacity?

  • Who is authorized to purchase media?

  • Where do we store blank media?  The storage location must be secure so that the media is not stolen or tampered with.

  • What quantity of blank media do we need to stock?

  • How do we label media?

    • The security level of the data (we might color code the label or the media to indicate the security level)

    • The type of data that is stored on the media

    • When the media was created

  • How do we encrypt the media?

  • Where do we store the media once it is full?  How long do we store it? 

  • Do we need to store the media in a locked container?  Who has possession of the keys?

  • What kind of database do we use to track the media?

  • How do we transport the media from location to location?

  • Is there a vendor who stores media offsite for disaster recovery purposes?

  • How do we determine when the media is no longer useful?

  • How do we sanitize or destroy media once we are done with it?

As discussed earlier, Asset Management works on a cycle because we are always buying stuff and throwing out stuff.  We can refer to the following ISO standards

  • ISO 19770-1 is a framework for establishing an asset management program

    • Controls regarding software modification, duplication and distribution

    • Tracking changes made to IT assets

    • Controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions

    • Controls over situations such as in cloud computing and with Bring-Your-Own-Device (BYOD) practices, where more than one person owns a device

    • Synchronization of IT asset management data with data in financial information systems recording assets and expenses and other business intelligence systems

  • ISO 19770-2 is a standard for identifying software

    • A tag allows us to track each instance of a software installation so that we can ensure it is properly licensed

  • ISO 19770-3 provides a software entitlement scheme

    • A shared vocabulary helps us understand software license terms

    • The license information is encoded into a format that the computer can understand and enforce
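
The following added example (not part of the original notes) shows how ISO 19770-2 tags support the licensing controls listed under ISO 19770-1: it parses software identification (SWID) tags reported per host, counts unique installations, and compares them with purchased seats. The vendor, product names, hostnames and entitlement counts are constructed sample data, and the entitlement records are a plain dictionary rather than the ISO 19770-3 format.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}

def _tag(name, version, tag_id):
    """Build a minimal SWID tag (constructed sample, hypothetical vendor)."""
    return (f'<SoftwareIdentity xmlns="{NS["swid"]}" name="{name}" '
            f'version="{version}" tagId="{tag_id}">'
            '<Entity name="Example Corp" regid="example.com" '
            'role="tagCreator softwareCreator"/></SoftwareIdentity>')

# Constructed sample: (hostname, tag XML) pairs as an inventory agent might report.
COLLECTED = [
    ("ws-01", _tag("ExampleCAD", "4.2", "example.com-cad-4.2")),
    ("ws-02", _tag("ExampleCAD", "4.2", "example.com-cad-4.2")),
    ("ws-03", _tag("ExampleCAD", "4.2", "example.com-cad-4.2")),
    ("ws-01", _tag("ExampleDB", "11.0", "example.com-db-11.0")),
    ("ws-04", _tag("ExampleEditor", "1.0", "example.com-editor-1.0")),
]
# Constructed sample: seats purchased per product name.
ENTITLEMENTS = {"ExampleCAD": 2, "ExampleDB": 5}

def parse_swid(xml_text):
    """Return (publisher, name, version, tagId) from one SWID tag."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted tags
    publisher = next((e.get("name") for e in root.findall("swid:Entity", NS)
                      if "softwareCreator" in e.get("role", "").split()), None)
    return publisher, root.get("name"), root.get("version"), root.get("tagId")

def reconcile(collected, entitlements):
    """Map product name -> (installed, entitled, status)."""
    seen, installed = set(), Counter()
    for host, xml_text in collected:
        _, name, _, tag_id = parse_swid(xml_text)
        if (host, tag_id) not in seen:  # a re-scan must not count twice
            seen.add((host, tag_id))
            installed[name] += 1
    report = {}
    for name in sorted(set(installed) | set(entitlements)):
        have, own = installed[name], entitlements.get(name)
        if own is None:
            status = "unlicensed"
        elif have > own:
            status = "underlicensed"
        elif have < own:
            status = "overlicensed"
        else:
            status = "compliant"
        report[name] = (have, own, status)
    return report
```

Products that appear in the inventory with no entitlement record at all are reported separately as "unlicensed", since they usually indicate software installed outside the purchasing process.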

What kind of software should we use to track our assets?

  • It is important to choose a program that maintains the integrity of the data so that it can’t be modified by unauthorized users

  • There are specific applications that can be used to track software licenses and computers

  • We might use an accounting program to track tangible assets

With respect to computer hardware and software, we might track the following

  • Hardware

    • Make

    • Model

    • Serial Number

    • Physical Location

    • Properties

    • Network interfaces, MAC addresses, IP addresses, hostname

    • Operating system version

    • Purchase Date

    • Warranty

    • Asset Tag

  • Software

    • Publisher

    • Name

    • Version

    • Updates

    • License Type and Serial Number

    • Expiry Date