Five tips for effective digital asset management
It’s a commonly accepted maxim that you can’t manage what you can’t measure. This applies in many areas of our lives, and it is especially true when it comes to managing digital assets within an organization. If you don’t carefully monitor your organization’s assets, then you’re not really managing them effectively, are you?
Asset management refers to the systematic approach to data governance and valuation of assets for which an organization is responsible throughout their lifecycle. Essentially, asset management is the process of developing (or acquiring), operating, maintaining, upgrading and disposing of assets in the most cost-effective manner (including all costs, risks, capabilities and performance attributes).
Digital assets can exist in any number of environments or domains. Your business certainly has data analytics assets, it likely has assets stored with cloud providers, and in many cases, it stores assets in the data center.
Best practices for asset management
To help you implement and maintain a strong asset management strategy and program for your organization, consider the following tips. In doing so, coordinate with the C-suite, all staff, and IT management. They will help you gain greater visibility into your organization’s assets and ultimately help you manage them throughout their lifecycle.
Carry out an asset inventory
Asset inventories are necessary to ensure that organizations know what assets are being used in their environment, as well as to identify who is responsible for managing the identified assets. Assets cannot be protected against existing or emerging threats if the personnel responsible for their protection are unaware that the assets exist in the environment.
Asset inventories are also an important tool to help organizations track capital investments while reducing the likelihood of hardware theft going unrecognized. Your organization should ensure that all information assets are clearly identified, documented, and maintained in an asset inventory. The inventory should be reviewed at least once a year and appropriate updates should be made during each review.
Define acceptable use of assets
If you don’t document and communicate acceptable use requirements and ask staff to agree to them, staff may not be limited in what actions they can perform or how they perform them. Responsibility for the inappropriate use of systems or information is difficult to enforce if limitations on use or behavioral restrictions are not provided and acknowledged.
Information systems acceptable use requirements should be identified, documented, and implemented to deter personnel from using your organization’s information assets for unauthorized purposes. Your organization’s acceptable use requirements should address restrictions on the use of social media, networking sites, posting of information on commercial websites, and sharing of information system account information.
Determine the classification, labeling and management of assets
Information assets must be classified appropriately to ensure that they are treated securely. Organizations may not have the appropriate security controls in place for sensitive assets if classification levels are not defined. The asset classification process, along with the definition of associated security requirements, helps reduce the likelihood of sensitive information being provided or viewed by unauthorized parties.
Information assets should be classified in terms of business value, legal requirements, sensitivity and criticality for the organization. A classification scheme should be established that differentiates the various levels of sensitivity and value of information assets, or groups of information assets.
Implement media management and protection
Media management controls should be applied to protect organizations from risks associated with loss of confidentiality, integrity or availability of media. Access and use of media should be restricted to authorized personnel only.
Your organization should ensure that management controls for removable media, including on laptops, are enforced. This should include restrictions on the types of media that are permitted for use, as well as requirements for acceptable use.
Media containing sensitive or protected information should be stored securely at all times and should be encrypted in accordance with internal security controls and regulatory requirements until the media is destroyed or sanitized. Media should be physically controlled and stored securely in areas controlled by the organization.
Ensure safe disposal and reuse of assets
Organizations should ensure that the process of disposing of or reusing equipment is strictly controlled. The improper disposal or reuse of any information system, system component or storage device could potentially impact data privacy by inadvertently making data available to unauthorized audiences. This could easily lead to a reportable security incident or data breach.
All media should be safely disposed of when no longer needed. This should be done using formally documented procedures to ensure that all protected or otherwise sensitive data has been completely deleted or securely overwritten prior to media disposal. Information systems or other devices that contain sensitive or protected information must be physically destroyed or the information must be destroyed, deleted or overwritten using techniques that make the original information unrecoverable.
It really doesn’t take much for your organization to ensure that a comprehensive asset management program is developed and implemented consistently across the organization. Organizations that do not have an effective program in place could potentially overlook a critical security function or leave assets unprotected or unaccounted for. By developing an asset management strategy as part of your overall security program, supported by all stakeholders in the organization, you can avoid the main pitfalls of asset management and support effective overall security.
About the Author:
Bryon Miller is co-founder and CISO of the ASCENT portal