7.5 Apply resource protection techniques
- Media management
- Hardware and software asset management
Media management is the process of tracking and storing all storage media in our organization. Media can include
- Hard Disk Drives
- Removable Hard Disk Cartridges
- Magnetic Tapes
- DVDs
- CDs
- USB Drives
- Floppy Disks
- Zip Drives
We must have clear policies for the following
- Where do we buy new media from? Is there a specific vendor? Is there a specific make, model, and/or storage capacity?
- Who is authorized to purchase media?
- Where do we store blank media? The storage location must be secure so that the media is not stolen or tampered with.
- What quantity of blank media do we need to stock?
- How do we label media?
  - The security level of the data (we might color code the label or the media to indicate the security level)
  - The type of data that is stored on the media
  - When the media was created
- How do we encrypt the media?
- Where do we store the media once it is full? How long do we store it?
- Do we need to store the media in a locked container? Who has possession of the keys?
- What kind of database do we use to track the media?
- How do we transport the media from location to location?
- Is there a vendor who stores media offsite for disaster recovery purposes?
- How do we determine when the media is no longer useful?
- How do we sanitize or destroy media once we are done with it?
As discussed earlier, Asset Management works on a cycle because we are always buying stuff and throwing out stuff. We can refer to the following ISO standards
- ISO 19770-1 is a framework for establishing an asset management program
  - Controls regarding software modification, duplication and distribution
  - Tracking changes made to IT assets
  - Controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions
  - Controls over situations such as in cloud computing and with Bring-Your-Own-Device (BYOD) practices, where more than one person owns a device
  - Synchronization of IT asset management data with data in financial information systems recording assets and expenses and other business intelligence systems
- ISO 19770-2 is a standard for identifying software
  - A tag allows us to track each instance of a software installation so that we can ensure it is properly licensed
- ISO 19770-3 provides a software entitlement scheme
  - A shared vocabulary helps us understand software license terms
  - The license information is encoded into a format that the computer can understand and enforce
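The following is an added example, not part of the original notes: it reads ISO 19770-2 software identification (SWID) tags collected from hosts and compares install counts with seats owned to flag underlicensing and overlicensing. The host names, products, publisher and the entitlement table are constructed, and the entitlement table is a simplified stand-in rather than the ISO 19770-3 format.

```python
import xml.etree.ElementTree as ET

SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
# Constructed SWID tag template; publisher name and regid are placeholders.
TAG = ('<SoftwareIdentity xmlns="' + SWID + '" name="{name}" version="{ver}" '
       'tagId="example.com-{name}-{ver}">'
       '<Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>'
       '</SoftwareIdentity>')
# Constructed inventory: (hostname, product, version) as a discovery agent might report.
INSTALLS = [("ws-001", "ExampleCAD", "4.2"), ("ws-002", "ExampleCAD", "4.2"),
            ("ws-003", "ExampleCAD", "4.2"), ("ws-001", "ExampleDB", "9.0"),
            ("ws-004", "ExampleZip", "1.1")]
INVENTORY = [(h, TAG.format(name=n, ver=v)) for h, n, v in INSTALLS]
# Constructed entitlements (simplified, not the ISO 19770-3 schema): seats owned.
ENTITLEMENTS = {("example.com", "ExampleCAD"): 2, ("example.com", "ExampleDB"): 5}

def parse_swid(xml_text):
    """Return (publisher regid, product name, version) from one SWID tag."""
    # For tags from untrusted hosts, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SoftwareIdentity" % SWID:
        raise ValueError("not a SWID tag")
    creator = next((e for e in root.findall("swid:Entity", {"swid": SWID})
                    if "softwareCreator" in e.get("role", "").split()), None)
    regid = creator.get("regid") if creator is not None else "unknown"
    return regid, root.get("name"), root.get("version")

def reconcile(inventory, entitlements):
    """Map (regid, product) -> (hosts installed, seats owned, status)."""
    hosts = {}
    for host, xml_text in inventory:
        regid, name, _ = parse_swid(xml_text)
        hosts.setdefault((regid, name), set()).add(host)  # one seat per distinct host
    report = {}
    for key in sorted(set(hosts) | set(entitlements)):
        installed, owned = len(hosts.get(key, ())), entitlements.get(key)
        if owned is None:
            status = "untracked"        # installed, but no entitlement on record
        elif installed > owned:
            status = "underlicensed"    # more installs than seats purchased
        elif installed < owned:
            status = "overlicensed"     # paying for seats that are not used
        else:
            status = "compliant"
        report[key] = (installed, owned, status)
    return report

if __name__ == "__main__":
    for key, row in reconcile(INVENTORY, ENTITLEMENTS).items():
        print(key, row)
```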
What kind of software should we use to track our assets?
- It is important to choose a program that maintains the integrity of the data so that it can’t be modified by unauthorized users
- There are specific applications that can be used to track software licenses and computers
- We might use an accounting program to track tangible assets
With respect to computer hardware and software, we might track the following
- Hardware
  - Make
  - Model
  - Serial Number
  - Physical Location
  - Properties
  - Network interfaces, MAC addresses, IP addresses, hostname
  - Operating system version
  - Purchase Date
  - Warranty
  - Asset Tag
- Software
  - Publisher
  - Name
  - Version
  - Updates
  - License Type and Serial Number
  - Expiry Date