Many people ask me why I place such high importance on building a comprehensive Asset Register. Ultimately, I tell my customers that they need to know what they have before they can protect it.
Why keep a comprehensive asset register?
Let’s break down the reasons to ensure you have a comprehensive asset register.
- If you don’t know what you have, how can you protect it?
- How do you undertake a document classification program without knowing what documents you have and why they are essential?
- Making an insurance claim is challenging if you can’t identify (or remember) all of your assets.
- Undertaking a complete risk assessment would be nearly impossible without knowing how to assess the risks or what is at risk.
- Where should an asset be stored, and how would you know, if it was never identified?
- Who is ultimately accountable and responsible for managing each asset?
- When should the asset be updated, sold, or destroyed if it’s not identified?
- How would you manage certain assets during an Incident or Breach?
- Which assets do third parties interact with, and which assets do they therefore put at risk?
I could go on, but I suspect that you get the picture by now.
In cybersecurity, you can’t secure something that you can’t see or don’t know exists.
So effective asset management should be treated as the foundation of any cybersecurity effort, in businesses of every kind.
What exactly is asset management?
An asset refers to any resource, piece of information, or item of value (even intrinsically) that should be protected or managed.
Assets can be tangible (e.g. physical facilities, equipment, or infrastructure) or intangible (e.g. data, information, intellectual property, or brand reputation).
Think about what you are trying to protect. What does your business have that could be adversely impacted by loss, integrity changes, or criminal or staff activities?
Think about Personally Identifiable Information, confidential and proprietary data, and any information that is secret, valuable, expensive to produce, or of use to competitors or criminal organisations.
Common examples of assets
- IT systems, software, SaaS and data
- Physical facilities and infrastructure
- Intellectual property (e.g., patents, trademarks, copyrights)
- Finances and financial information
- Reputation and brand image
- Personnel and employees, contractors, customers, suppliers, or other persons’ details
- Unpublished financial information
- Patents, formulas, or innovative technologies
- Customer lists (existing and prospect)
- Data entrusted to our company by external parties
- Pricing, marketing and other undisclosed strategies
- Documents and processes explicitly marked as confidential, secret, or private
- Unpublished goals, forecasts, and initiatives which are marked as confidential
- Personally Identifiable Information (PII), e.g.:
  - Full names
  - Social Security Numbers / myGov details
  - Date of birth
  - Home address and telephone number
  - Email addresses
  - Driver’s licence numbers
  - Passport numbers
  - Financial information (e.g. bank account numbers, credit card numbers)
  - Biometric data (e.g. fingerprints, facial recognition)
  - Health information (e.g. medical records, health insurance numbers, Medicare numbers)
In general, any combination of data that can be used to identify a person can be considered PII.
Failure to monitor and manage assets can lead to critical breaches that could jeopardise an organisation’s network and resources.
Cybercriminals can exploit vulnerabilities in unmonitored assets and use them as a gateway to launch a more comprehensive attack on an organisation’s IT infrastructure.
So, it is essential to prioritise asset management as a critical aspect of a robust cybersecurity strategy. By continuously monitoring and managing IT assets, organisations can minimise their exposure to cybersecurity threats and reduce the risk of costly data breaches.
Building an Asset Register: What to include
Here are some of the critical pieces of information that should be captured in an asset register:
- Asset identification
A unique identifier should be assigned to each asset in the register to ensure it can be easily tracked.
- Asset description
A detailed description of each asset, including its make, model, serial number, and any other relevant information to help identify it.
- Asset location
The physical location of each asset should be recorded, including the building, floor, room or area where it is kept, if applicable.
- Acquisition Date
The date the asset was acquired, either through purchase or transfer.
- Asset value
The value of each asset should be recorded, including its purchase price, replacement cost, or current market value.
- Person Accountable
Who is accountable for the asset, who is responsible for managing the asset, and who should be consulted in managing the asset?
- Asset classification
Information classification categorises information based on sensitivity, confidentiality, and criticality. This could be Confidential, Secret, Internal or Publicly available.
- Maximum allowable recovery time
The maximum amount of time that an organisation can tolerate before it is fully operational again after a disruptive event or disaster.
- Impact against Confidentiality
Loss of confidentiality can occur when unauthorised persons gain access to sensitive information, such as personal or financial data. The loss impact of confidentiality breaches can include identity theft, financial fraud, or damage to an individual’s reputation.
- Impact against Integrity
Loss of integrity can occur when unauthorised persons modify or tamper with information, such as changing the contents of a document or altering financial records. The loss impact of integrity breaches can include financial losses, legal liability, or damage to an organisation’s reputation.
- Impact against Availability
Loss of availability can occur when systems or data become inaccessible or unusable, such as through denial-of-service attacks or system failures. The loss impact of availability breaches can include lost productivity, missed deadlines, or financial losses.
- Controls in place
The controls to manage the security of an asset.
- Access controls
Who can access the asset, and how is this controlled and monitored?
- Asset condition
The condition of each asset should be recorded, including its age, maintenance history, and any damage or wear and tear.
- Asset status
The status of each asset should be recorded, such as whether it is in use, in storage, or awaiting disposal.
- Asset owner
The department or individual responsible for each asset should be recorded to ensure accountability and responsibility.
- Asset maintenance schedule
The maintenance schedule of each asset should be recorded, which can include routine maintenance tasks and inspections.
- Asset disposal
The method and date of disposal for each asset should be recorded to ensure proper accounting and compliance with relevant regulations.
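To show how the fields above fit together in practice, here is an added example (not code from the original post) of a small asset register in Python: it loads a constructed CSV register using the field list above, validates each record (unique identifier, an accountable person, a recognised classification, a recovery time for anything in use, valid impact ratings), and ranks in-use assets by a combined Confidentiality/Integrity/Availability impact so that protection effort goes to the most critical assets first. The column names, the Low/Medium/High impact scale and the sample rows are assumptions made for illustration.

```python
"""Minimal asset-register model built from the field list above.

Added example, not part of the original post. Column names, the
Low/Medium/High impact scale and the sample rows are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Classification scheme named in the post (Public / Internal / Confidential / Secret).
CLASSIFICATIONS = {"Public", "Internal", "Confidential", "Secret"}
# Assumed three-point scale for the impact-against-C/I/A fields.
IMPACT_LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample register; A-003 has no accountable person and
# A-004 uses a classification outside the agreed scheme.
SAMPLE_REGISTER = """\
asset_id,description,location,acquired,value_aud,accountable,classification,mao_hours,impact_c,impact_i,impact_a,status
A-001,Payroll database server,HQ Level 3 Room 3.14,2021-04-12,18000,CFO,Confidential,8,High,High,Medium,in use
A-002,Marketing website (SaaS),Cloud - ap-southeast-2,2022-09-01,0,Marketing Lead,Public,48,Low,Medium,Medium,in use
A-003,Retired file server,Storage Room B,2015-02-20,500,,Internal,,Medium,Low,Low,awaiting disposal
A-004,Customer CRM (SaaS),Cloud - vendor hosted,2020-06-15,0,Sales Director,Restricted,24,High,Medium,High,in use
"""


@dataclass
class Asset:
    asset_id: str
    description: str
    location: str
    acquired: date
    value_aud: float
    accountable: str
    classification: str
    mao_hours: Optional[int]  # maximum allowable recovery time, in hours
    impact_c: str
    impact_i: str
    impact_a: str
    status: str

    def criticality(self) -> int:
        """Sum of the three C/I/A impact ratings (3 = lowest, 9 = highest)."""
        return sum(IMPACT_LEVELS[x] for x in (self.impact_c, self.impact_i, self.impact_a))


def load_register(text: str) -> List[Asset]:
    """Parse a CSV register into Asset records."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        assets.append(Asset(
            asset_id=row["asset_id"],
            description=row["description"],
            location=row["location"],
            acquired=date.fromisoformat(row["acquired"]),
            value_aud=float(row["value_aud"]),
            accountable=row["accountable"],
            classification=row["classification"],
            mao_hours=int(row["mao_hours"]) if row["mao_hours"] else None,
            impact_c=row["impact_c"],
            impact_i=row["impact_i"],
            impact_a=row["impact_a"],
            status=row["status"],
        ))
    return assets


def validate(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return {asset_id: [problems]} for every record that fails a check."""
    problems: Dict[str, List[str]] = {}
    seen = set()
    for a in assets:
        issues = []
        if a.asset_id in seen:
            issues.append("duplicate asset_id")
        seen.add(a.asset_id)
        if not a.accountable:
            issues.append("no accountable person")
        if a.classification not in CLASSIFICATIONS:
            issues.append(f"unknown classification '{a.classification}'")
        if a.status == "in use" and a.mao_hours is None:
            issues.append("in-use asset has no maximum allowable recovery time")
        for label, level in (("C", a.impact_c), ("I", a.impact_i), ("A", a.impact_a)):
            if level not in IMPACT_LEVELS:
                issues.append(f"invalid {label} impact '{level}'")
        if issues:
            problems[a.asset_id] = issues
    return problems


def prioritised(assets: List[Asset]) -> List[str]:
    """IDs of in-use assets, highest C/I/A criticality first (ties by ID)."""
    in_use = [a for a in assets if a.status == "in use"]
    return [a.asset_id for a in sorted(in_use, key=lambda a: (-a.criticality(), a.asset_id))]


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for asset_id, issues in validate(register).items():
        print(asset_id, "->", "; ".join(issues))
    print("Protect first:", prioritised(register))
```

Running it reports the two records with gaps (no accountable person for A-003, an unrecognised classification for A-004) and lists the in-use assets in the order A-001, A-004, A-002. The point of the validation step is that a register is only useful if every entry answers the "who is accountable" and "how sensitive is it" questions; the ranking step is what lets the register drive a risk assessment rather than just sit as an inventory.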
The value of an information security policy
Asset management can aid any business in meeting essential compliance requirements such as ISO/IEC 27001, PCI DSS, CPS 234, and NIST.
Having a detailed map of all organisational assets, with security controls and policies aligned to each asset, demonstrates a business’s security readiness and proactive capability when qualifying for cost-efficient cyber insurance plans.
Need support with your asset management?
Our cyber security experts are here to help. Get in touch with us and talk to an expert about your asset management needs today.