Cybersecurity teams often find themselves responsible for the physical security of technology resources. The loss and theft of these resources expose organizations to millions of dollars of losses each year and when those devices are lost or stolen, it is critical to understand what was on them to perform a security impact analysis. In this video, learn about hardware inventory processes and media management.
- [Instructor] Cybersecurity teams often find themselves responsible for the physical security of technology resources. The loss and theft of computing devices exposes organizations to millions of dollars of losses each year, and when those devices are lost or stolen, it's critical to understand what was on them to perform a security impact analysis. Any good physical security program must begin with an inventory process. Quite simply, you can't keep track of your hardware if you don't know what hardware you own.
The hardware inventory process should be integrated with the provisioning and decommissioning processes that occur throughout the life cycle of a piece of hardware. Most organizations accomplish this through the use of an asset management system that either stands on its own or is part of a larger IT service management platform. Let's walk through the lifecycle of a typical piece of hardware, and how the inventory might change over time. First, a user states a need for a new piece of hardware. Let's say that I want a new laptop.
I might contact my IT staff member and they would assist me with the order. As soon as the order is placed, the IT staff member should create an inventory record to track the status of that hardware. Next, the hardware arrives on site a couple of weeks later. The receiving clerk who accepts delivery should match it up to the hardware inventory record and note that it was received, maybe adding some information to the hardware record, such as the device's serial number. The clerk then sends the device on to the IT staff member, and notes in the inventory that that person has possession of the device.
After configuring it to meet my needs, the IT staff member delivers the device to me and changes the inventory record to indicate that I have possession of the device. I might use the computer happily for several years and then decide that I want to order a new device, which starts the whole process we just described again. After I receive my new device, I give the old one to the IT staff member, who then decides to reuse it for another employee, updating the hardware inventory to note that I am no longer responsible for the device.
Data is critical to a hardware inventory. As soon as someone misses an update, the data may become very inaccurate. For this reason, many asset management systems include automation technology that can correlate inventory records with devices present on a network, pointing out any inconsistencies to inventory managers. Media management is a related, and important task. While it's impossible to track every piece of data storage media in an organization, security teams should definitely track media that contains highly sensitive information.
In most cases, the asset management system used to track hardware assets can also be used to track media. I discuss the media lifecycle more in the CISSP Cert Prep 2: Asset Security course. Tracking hardware is an important component of a physical security strategy. It's also important to track changes to that hardware's configuration and software. I'll cover those topics in the next two videos.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A complete learning path will be available once all the courses are released.
- Conducting investigations
- Reporting and documenting incidents
- Continuous security monitoring
- Preventing data loss and theft
- Asset management
- Change management
- Virtualization security
- Security principles: need to know, separation of duties, and more
- Building an incident response program
- Personnel safety and emergency management