Taking the first steps to secure your business is always difficult – especially if you’re starting from scratch. At 7 River Systems, we maintain that one of the best ways to immediately improve your security is to understand your information assets – that is, your systems, networks, and data. These information assets are the cyber equivalent of the achilles heel, and they are compromised, your entire business can potentially come crumbling down. By knowing more about your information assets, you have the home field advantage – and the ability to better protect your IT infrastructure. In this blog post, we’ll explain how to build an asset inventory and how it can help you maintain your own or your organization’s security posture.
Building an Asset Register
An asset register is a detailed accounting of all of your information assets. Let’s clarify what qualifies as an information asset:
- Hardware – desktops, laptops, servers, mobile devices (phones/tablets), routers, firewalls, etc. – if it’s a piece of information technology equipment, it probably belongs in this category.
- Software – any software or apps (free or paid) being used on any of your systems.
- Data – the key information that your organization stores and processes. It may include information that is on paper or in digital form. It could be stored in files or in a database/repository.
- Services – it’s very popular for individuals and organizations to use online or outsourced services as part of their IT setup. This might include e-mail (e.g. Google, Outlook 365), accounting (e.g. QuickBooks Online), hosting infrastructure (e.g., GoDaddy, Amazon Web Services, Microsoft Azure), Customer Relationship Management (CRM) (e.g. Salesforce) and much more. Even though these services are often managed by someone else, it is important to account for them as part of your asset inventory, since they are also part of your own information environment.
- Non-IT Infrastructure – the assets that are not part of your information environment, but underpin it. Examples include electricity, heating/cooling, and physical security such as an alarm system. If one of these systems fails, it could place jeopardize the security or reliability of your information assets.
- People – your people are some of your most valuable information assets, especially if you’re working in an industry that requires specialized expertise. Your people know your business, trade secrets, customers, and a whole lot of intangibles that aren’t necessarily written down.
Now that you know what qualifies as an asset, let’s build a template that we can fill in. We’ve provided a very simple example below, but feel free to add to it according to your business, security and organizational needs.
|Asset ID||Name of Asset||Description of Asset||Type (Hardware, Software, Data, etc.)||Location||Does it Contain Personal Data?||Does it Contain User Data?||Does it Contain Sensitive Data?||Asset Owner||Asset Custodian|
|1||Paul’s Laptop||Macbook Air
Serial No. 12345
|Hardware||Mobile Device||Yes||No||Yes||Paul P.||Paul P.|
|2||Company Laptop||Dell Poweredge Server
Serial No. 23456
|Hardware||Server closet at Company HQ, 123 Main St||Yes||Yes||Yes||Paul P.||Bob A.|
In your register, you’ll want to specify the name of each asset, a description (including model, service tag, serial number, or activation key if applicable), the type, location, and what kind of data it contains. You’ll also want to specify an asset owner and an asset custodian.
- Asset Owners are responsible for the overall information asset, as well as supplying/updating information for the asset inventory, determining if any information on the asset is sensitive, ensuring that sensitive data is protected, sponsoring regular audits, and determining who should have access to the asset.
- Asset Custodians are responsible for safeguarding information on the asset, implementing access control systems, maintaining backups, and other tasks required to implement, operate, and maintain security measures defined by asset owners.
In a large organization, asset owners might be heads of departments or business units, with asset custodian roles assigned to IT and security personnel. In smaller organizations, asset owners are typically the business owner or manager, with asset custodians as the IT point-of-contact.
As you build your register, you’ll want to interview asset owners and asset custodians throughout your business and list as many assets as possible. Try to be as detailed as possible; it’s easier to remove items from the list later than to have gaps, which might mean overlooking a critical security gap.
Using the Asset Register
Once you have an asset register, you can use it in many different ways, just a few of which include:
- Keeping track of inventory to ensure that assets are used on a regular basis, and are secured from physical theft
- Seeing where your sensitive data is, and taking steps to secure it, if you haven’t already
- Subscribing to vulnerability alerts for your hardware/software/services so that you can quickly take countermeasures in the event of a problem
- Holding your asset owners accountable for maintenance and security of critical assets
Cyber- and information-security isn’t always a cumbersome, expensive, high-tech process. Sometimes it just means knowing what you have, where it is, who is responsible for it, and if it should be protected. After that, it’s much easier to take the next steps to ensure that your data is secure.
Need help crafting, planning and filling in your Asset Register? Do you want guidance on next steps for securing your information assets? Do you think you have everything in hand, but just need to ask a few questions? 7 River Systems can help you, no matter where you are located – contact us today to keep moving forward with your security project.