Provision Resources Securely
While the organization ultimately owns its information and assets, in practice they are owned and managed by different business units. These business units must work together to ensure that the organizational mission is achieved and that the information and assets are protected.
For this reason, security professionals must understand where the different information and assets are located and work with the various owners to ensure that the information and assets are protected. The owners that security professionals need to work with include data owners, system owners, and business/mission owners. As part of asset ownership, security professionals should ensure that appropriate asset management procedures are developed and followed, as described in Chapter 7.
Asset Inventory and Asset Management
To properly secure organizational assets, security professionals must ensure that an accurate inventory of all assets is obtained. After all assets are inventoried, assets must be managed by the asset owners. To fully understand asset inventory and management, security professionals must understand the asset life cycle. According to the National Institute of Standards and Technology (NIST), the asset life cycle is an eight-phase process, as shown in Figure 2-1.
Figure 2-1 Asset Life Cycle
In a typical life cycle, an asset goes through the enrollment, operation, and end-of-life phases. The enrollment process involves manual IT staff activities, such as assigning and tagging the asset with a serial number and barcode, loading a baseline IT image, assigning the asset to an owner, and, finally, recording the serial number as well as other attributes into a database. The attributes might also include primary location, hardware model, baseline IT image, and owner. This process can also be referred to as the inventory phase.
As the asset goes through the operations phase, changes can occur. Such changes could include introduction of new or unauthorized software, the removal of certain critical software, or the removal of the physical asset itself from the enterprise. These changes need to be tracked and recorded. As a consequence, asset monitoring, anomaly detection, reporting, and policy enforcement are the primary activities in this phase.
The assets within the enterprise are monitored using installed agents that reside on the asset, as well as network-based monitoring systems that scan and capture network traffic. These monitoring systems collect data from and about the assets and send periodic reports to the analytics engine.
As an asset reaches the end of its operational life, it goes through activities within the end-of-life phase that include returning the asset to IT support for data removal and removing the serial number from the registration database and other associated databases. Finally, the asset is prepared for physical removal from the enterprise facility.
Asset management includes the operate, maintain, and modify phases of the asset life cycle. After an asset is configured as it should be with all updates and settings, administrators should document the configuration baseline: a description of an asset’s attributes at a point in time that serves as a basis for defining change. (Configuration and change management are discussed in more detail in Chapter 7.) As part of asset management, an asset’s security and configuration baseline should be enforced by configuration management agents, and installed software should be captured by software asset management agents. Both categories of agents forward reports to their respective servers, which serve as data storage facilities. Reports can be compiled based on the data received from the agents and sent to those responsible for managing the assets. Regular examination of these reports should be a priority to ensure that assets have the appropriate security controls.
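The operations-phase monitoring and baseline reporting described above can be illustrated with a short script. This is an added example, not taken from the book or from NIST; the inventory records, agent reports, serial numbers, software names, and the seven-day silence threshold are all constructed assumptions. It compares agent reports against the enrollment inventory and each asset's documented baseline, and flags unauthorized software, removed critical software, assets that have stopped reporting, and devices that were never enrolled.

```python
from datetime import datetime, timedelta

# Constructed sample data: enrollment inventory with each asset's documented baseline.
INVENTORY = {
    "SN-1001": {"owner": "finance", "baseline": {"edr-agent", "office-suite", "vpn-client"},
                "critical": {"edr-agent"}},
    "SN-1002": {"owner": "hr", "baseline": {"edr-agent", "office-suite"},
                "critical": {"edr-agent"}},
    "SN-1003": {"owner": "it", "baseline": {"edr-agent", "vpn-client"},
                "critical": {"edr-agent"}},
}

# Constructed agent reports: serial number, last report time, installed software.
REPORTS = [
    {"serial": "SN-1001", "seen": "2024-05-10T08:00:00",
     "software": {"edr-agent", "office-suite", "vpn-client"}},
    {"serial": "SN-1002", "seen": "2024-05-10T08:05:00",
     "software": {"office-suite", "file-sharing-client"}},
    {"serial": "SN-1003", "seen": "2024-04-20T09:00:00",
     "software": {"edr-agent", "vpn-client"}},
    {"serial": "SN-9999", "seen": "2024-05-10T08:10:00",
     "software": {"office-suite"}},
]

def find_anomalies(inventory, reports, now, max_silence=timedelta(days=7)):
    """Return sorted (serial, finding) tuples for deviations from the baseline."""
    findings, reported = [], set()
    for r in reports:
        serial = r["serial"]
        reported.add(serial)
        asset = inventory.get(serial)
        if asset is None:  # device on the network that was never enrolled
            findings.append((serial, "not enrolled in inventory"))
            continue
        for name in sorted(r["software"] - asset["baseline"]):
            findings.append((serial, f"unauthorized software: {name}"))
        for name in sorted(asset["critical"] - r["software"]):
            findings.append((serial, f"critical software removed: {name}"))
        if now - datetime.fromisoformat(r["seen"]) > max_silence:
            findings.append((serial, "no recent report; asset may have left the enterprise"))
    for serial in sorted(set(inventory) - reported):
        findings.append((serial, "never reported"))
    return sorted(findings)

if __name__ == "__main__":
    for serial, finding in find_anomalies(INVENTORY, REPORTS, datetime(2024, 5, 10, 12, 0)):
        print(f"{serial}: {finding}")
```
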