This first blog post will introduce IT Asset Management and explain why it’s important for Information Security Management.
First, let's provide some clear definitions.
What's an Asset?
The NIST SP 800-160 defines an asset as:
"An item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation)."
While ISO 55000 defines an asset as:
"An asset is an item, thing, or entity that has potential or actual value to an organization."
What's IT Asset Management?
The NIST Cybersecurity Framework defines Asset Management as:
"The identification and management of the data, personnel, devices, systems, and facilities that enable an organization to achieve its objectives and reduce its risks."
While ISO 55000 defines Asset Management as:
"The coordinated activity of an organization to realize value from assets."
Next, let’s look a bit closer into IT Asset Management.
What Are the Specializations of IT Asset Management?
IT Asset Management is often broken down into three specializations:
- IT/OT Asset Management – Servers, Laptops, Software, Industrial Control System Appliances, etc.
- Information Asset Management – Information/Data.
- Physical Asset Management – Offices, Computing Facilities, Removable Storage Media, Access Cards, etc.
IT Asset Management at its core consists of Asset Lifecycle Management, which, at a high level, can be broken down into:
- Planning – Planning the usage of an Asset and ensuring the Asset adheres to Business Requirements.
- Acquisition/Deployment – Purchasing and/or creating the Asset and introducing the Asset into the organization/environment.
- Operation and maintenance – Maintaining the Asset through its lifecycle.
- Disposal – Disposal of the Asset when it no longer fulfills its purpose or has passed its End-Of-Support/End-Of-Life date.
Why is IT Asset Management important for Information Security Management?
If you don’t know what you have, you don’t know what you need to protect.
Below are a couple of examples of why you need IT Asset Management.
When performing IT Risk Management, the Risk Analysis phase requires a Threat Scenario to be described, and describing it requires identifying the asset at risk; likewise, the Business Impact Assessment of a risk requires that the affected asset or assets are identified.
Example 1 - "Lack of Asset Inventory"
I was invited to an organization's risk decision workshop where the expected outcome was to determine the risk classification and risk treatment for twelve identified risks that had not gone through the Risk Analysis phase of Risk Management.
When the workshop participants tried to judge the criticality of the risks, their judgments were highly subjective, as the business impact was unknown due to the lack of Asset Identification in the Threat Scenario definition (and the lack of a Business Impact Analysis based on which Business Processes and Capabilities were realized/served by the asset). The reason given as to why the asset had not been identified in the Threat Scenario and the Business Impact Analysis had not been conducted was "due to lack of asset inventory."
When performing Vulnerability Management, we need to know what our assets are in order to identify their vulnerabilities, and again during the Risk Management phase, where the risk action for each vulnerability is decided. Later, when a Patch Management action is carried out during Release and Deployment Management, we once more need to know what our assets are.
Example 2 - An "Unknown" IP Address
I participated in an Incident Response assignment where a breach had occurred; the breach was traced back to an IP address on the internal network. Network Address Management had the IP address recorded with the comment "unknown," with no record of what was consuming the IP address. The content management database had a configuration item for the IP address in question but contained no record of what was consuming the IP address. Investigations found it was an old virtual web server in the DMZ (which should have been decommissioned years ago, but it was left as a leftover task from the migration project tasked with moving to a new web platform and forgotten about).
The managed service provider had changed since the web migration project closed, and this virtual server was somehow missed in the content management database migration project. In the new managed service provider's content management database, there were no records of this server, meaning the managed service provider did not manage this system, as they had no knowledge that the virtual server asset existed.
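The gap in Example 2 (an address that is in use, an "unknown" comment in network address management, a configuration item with no recorded consumer, and a system outside the provider's scope) is exactly what a periodic reconciliation across the three inventories surfaces. The following is an added illustration, not code from the original post or from Truesec; the three inventories are constructed sample data with hypothetical field names standing in for real IPAM, CMDB and provider exports.

```python
"""Reconcile network-address records against a CMDB and an MSP scope.

Added illustration, not code from the original post. The three inventories
below are constructed sample data with hypothetical field names; real
exports (IPAM, CMDB, provider asset list) would be loaded in their place.
"""
from dataclasses import dataclass, field

# Constructed sample: Network Address Management export (address -> comment)
IPAM = {
    "10.20.0.11": "web-frontend-01",
    "10.20.0.12": "unknown",           # the "unknown" case from the example
    "10.20.0.13": "db-primary",
    "10.20.0.14": "",                  # allocated, no comment at all
}

# Constructed sample: CMDB configuration items (address -> consuming system)
CMDB = {
    "10.20.0.11": "web-frontend-01",
    "10.20.0.12": None,                # CI exists, no record of what consumes it
    "10.20.0.13": "db-primary",
}

# Constructed sample: systems the managed service provider has in scope
MSP_MANAGED = {"web-frontend-01", "db-primary"}

@dataclass
class Finding:
    address: str
    reasons: list[str] = field(default_factory=list)

def reconcile(ipam, cmdb, msp_managed):
    """Flag allocated addresses whose owner or management status is unknown."""
    findings = []
    for address, comment in ipam.items():
        reasons = []
        ci_owner = cmdb.get(address, "MISSING_CI")
        if comment.strip().lower() in ("", "unknown"):
            reasons.append("IPAM comment does not identify a consumer")
        if ci_owner == "MISSING_CI":
            reasons.append("no configuration item in CMDB")
        elif ci_owner is None:
            reasons.append("CMDB CI does not record the consuming system")
        elif ci_owner not in msp_managed:
            reasons.append("system is not in the managed service provider's scope")
        if reasons:
            findings.append(Finding(address, reasons))
    return findings

if __name__ == "__main__":
    for f in reconcile(IPAM, CMDB, MSP_MANAGED):
        print(f.address, "->", "; ".join(f.reasons))
```

Every flagged address is an asset that either nobody owns or nobody manages, which is the list a risk workshop or a vulnerability management team needs before it can decide anything.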
There are several other examples, both within and outside the Information Security Management scope; for instance, within IT Management, the Capacity and Performance Management capability is also dependent on understanding the organization's IT assets.
IT Asset Management is a core capability of IT Management and Information Security Management. Several other capabilities in the organization are dependent on the data provided by the IT Asset Management capability.
We at Truesec have encountered several organizations finding themselves breached in an IT security threat event where our post-incident investigations have shown that the initial breach point was an old, known software vulnerability that was not patched even though a software patch had been available for years. The cause as to why the vulnerability was not mitigated through Vulnerability Management and Patch Management may have differed. Was there a glitch in Vulnerability and Patch Management, or were the Vulnerability and Patch Management teams unaware of these assets?
Again, without IT Asset Management, we don’t know what we need to protect!