Source: Photo by ThisisEngineering RAEng on Unplash
In my recent daily readings on LinkedIn, I came across Aron Lange's post:
Taking advantage of this valuable input from Aron, let's delve a bit more into the topic?
First, we need to remember that assets are everything that adds value to the organization's business, so they can be people, processes, systems, physical environments, logs, configuration files, stored information itself, machines, servers, other network devices (switches, routers).... To better visualize how they can be categorized, I'll bring back a recent post from Gary in one of the groups I participate in:
Source: iso27001security@googlegroups.com
Source: iso27001security@googlegroups.com
Source: iso27001security@googlegroups.com
As we recall what assets are, let's begin our analysis with ISO/IEC 27002:2022. In this standard, under control "5.9 Inventory of information and other associated assets" it states that the inventory of assets should be constantly updated and maintained, considering the individuals responsible for each listed asset. The standard is not prescriptive, but one thing it makes clear is that you don't necessarily need to have a single inventory. What does this mean? You can have machines, servers, notebooks, and various other network devices managed by an automated system, a list of business processes and people in the organization with their competencies managed manually, for example, through a spreadsheet.
Vitor, I still don't understand what kind of information I should have in my inventories. When in doubt, consulting the references below can make your inventories more comprehensive:
CIS Control v8: Controls 01, 'Enterprise Asset Inventory,' and 02, 'Software Asset Inventory,' are dedicated to the topic.
NIST CSF: Go straight to the category 'Asset Management (ID.AM).'
NIST 800-53 rev.5: Here, the Configuration Management control, specifically CM-8 'System Component Inventory,' CM-10 'Software Usage Restrictions,' CM-11 'User-installed Software,' as well as SA-22 'Unsupported System Components,' are related to what we are discussing.
In the end, having an automated inventory, using, for example, Desktop Central:
Source: manageengine.com
Together with other automated inventories, using tools like Desktop Central, and manual inventories managed through Excel, you and your company will gain visibility into all information assets. In this way, you can implement various controls to protect them, as Aron pointed out.
Source: cisecurity.org
After all:
You cannot protect what you do not know.' (Author Unknown)