IT Asset Management Sample Policy
Download my sample Asset Management policy to get your Asset Management program off the ground today
Overview
Welcome to the Cybersecurity Mindset channel. Let’s talk about asset management. What comes to mind when you think of asset management? Usually it’s a tangible piece of hardware. Many times when I request an asset inventory from a client, that is what they hand me. A spreadsheet filled with serial numbers, model numbers, purchase dates and assignments. Those are all great items to have documented, however, hardware isn’t the only inventory you should keep. You also need to think in terms of software assets. What software is present in the environment? What systems have what software installed? Asset management is the entire package. Who has what hardware and what software is installed on that hardware?
Asset management is likely one of the first items on the list of almost every request list that I hand off to a client. I would say just about every cybersecurity framework out there requires some form of asset management. Asset management is more than just a spreadsheet or tool to track inventory. Asset management as a whole encompasses the hardware, the software, it’s procurement and disposal. A well-developed security program is going to have these documented in the form of policies and procedures.
Asset management is such a fundamental aspect of cybersecurity because it forms the basis for several critical security processes. Without a detailed understanding of what hardware and software assets are in your environment, it becomes challenging to implement effective security measures. You’ll want to understand what is in your environment so you can take appropriate action. Here are a few reasons why this is so critical to cybersecurity:
Why is IT Asset Management Important?
Risk Assessment: Understanding the assets in your organization allows you to assess potential risks accurately. By knowing the hardware and software running in your network, you can identify vulnerabilities and prioritize them based on their criticality, reducing the attack surface and enhancing overall security.
Patch Management: Asset management is central to patch management. It enables you to track which software versions are running on each system, making it easier to identify devices that need critical updates or patches. This proactive approach helps protect your organization from known vulnerabilities.
Compliance and Auditing: Many cybersecurity frameworks and industry regulations mandate proper asset management. Maintaining an accurate inventory of assets helps demonstrate compliance during audits and ensures adherence to relevant security standards.
Incident Response: In the event of a security incident, having a complete asset inventory aids in a swift and targeted response. You can quickly identify affected assets, quarantine them if necessary, and investigate the extent of the breach.
Cost Management: Asset management goes beyond security benefits; it also helps optimize cost management. By understanding hardware and software lifecycles, organizations can plan for hardware upgrades and software renewals, avoiding unexpected costs.
Asset Management Tools
There are plenty of cost effective tools out there that you can purchase to assist your organization with this endeavor. PDQ-Inventory and Lansweeper are two products that come to mind first. These are tools I’ve used numerous times over the years as a system administrator. They’re relatively inexpensive and easy to get spun up. They’ll be able to scan your network and inventory both hardware and software assets alike. If you’re a Microsoft 365 shop, you can likely leverage Intune to perform a similar function. The point I am trying to make is that there are many ways, logistically speaking, to get asset management up and running within your environment.
Asset management is one of those things that is pretty simple to implement and often overlooked by system administrators and IT teams alike. It’s what I would consider a pretty low hanging fruit. While the tools themselves are fairly straightforward to obtain and implement, let’s talk about policies and procedures.
Asset Management Policies and Procedures
Your cybersecurity program should encompass an asset management policy along with a set of procedures to back that policy up. The policy should state things like how your hardware and software will be purchased, procured or obtained, who is authorized to obtain those assets, what happens to a stollen piece of hardware, what it’s useful life expectancy is, and how it will be disposed of at the end of its useful life.
Your policy should reference any procedures you have for handling those topics. For instance, your helpdesk may have a procedure where when a system is decommissioned, they remove the system’s drive, wipe it and send the drive off to by physically shredded. That procedure is something that should be documented. You may also want the policy to state if your organization is following any hardening baselines for systems such as the Center for Internet Security (CIS)’s hardening guidelines or if you’re in the government sector following Security Technical Implementation Guides (STIGs) etc. These are all items a well written asset management policy should include. Let’s take a deeper dive into a well-developed program:
What is in an Asset Management Program?
Asset Procurement: The policy should define the process for acquiring new hardware and software assets. This includes specifying authorized vendors, budget considerations, approval workflows, and the involvement of relevant stakeholders.
Asset Tracking: The policy should outline how assets will be tracked throughout their lifecycle. This includes maintaining a central repository for all assets, assigning unique identifiers, and updating information as assets move or change hands.
Access Control: Clearly define who has access to request and obtain assets. Access control measures ensure that only authorized personnel can request, install, or manage assets, reducing the risk of unauthorized software or hardware being introduced into the environment.
Asset Disposal: This section should address how assets are decommissioned and disposed of properly. Whether it’s recycling, donating, or selling, the policy should define procedures for securely wiping data and removing sensitive information from retired assets.
Incident Reporting: Include guidelines for reporting lost or stolen assets. This will ensure that any incidents involving assets are promptly addressed, minimizing the impact on security and operations.
Asset Maintenance: Establish guidelines for maintaining assets, including regular hardware maintenance and software updates. This ensures that assets remain in good working condition and reduces the risk of unpatched vulnerabilities.
Compliance Requirements: If your organization must adhere to specific regulations or industry standards, the policy should reference these requirements and explain how asset management supports compliance efforts.
Conclusion
By developing and implementing a comprehensive asset management policy, organizations can gain better control over their IT infrastructure, reduce security risks, and improve overall cybersecurity posture. Remember, asset management is an ongoing process that requires continuous monitoring and improvement to stay effective in an ever-evolving threat landscape.
If you found this video helpful, please consider liking and subscribing below. It really helps my channel out with the YouTube algorithm. You can also visit my blog site, achubbard.com, for additional content. I’ll post link there as well to download a sample policy that you can use to get started. Thank you for watching, and I look forward to exploring more cybersecurity topics with you in the future. In the meantime, stay secure!
