From the course: CISSP Cert Prep (2021): 7 Security Operations

Physical asset management

From the course: CISSP Cert Prep (2021): 7 Security Operations

Start my 1-month free trial

Physical asset management

- [Instructor] Cybersecurity teams often find themselves responsible for the physical security of technology resources. The loss and theft of these resources exposes organizations to millions of dollars in financial losses each year, and when those devices are lost or stolen, it's critical to understand what was on them to perform a security impact analysis. Any good physical security program must begin with an inventory process. Quite simply, you can't keep track of your hardware if you don't know what hardware you own. This hardware inventory process should be integrated with the provisioning and decommissioning processes that occur throughout the life cycle of a piece of hardware. Most organizations accomplish this through the use of an asset management system that either stands on its own or is part of a larger IT service management platform. Let's walk through the life cycle of a typical piece of hardware and how the inventory might change. First, a user states a need for a new piece of hardware. Let's say that I want a new laptop. I contact my IT team and they assist me with that order. As soon as they place the order, the IT staff member should create an inventory record to track the status of that hardware. Then the hardware arrives on site a couple of weeks later. The receiving clerk who accepts delivery should match it up to the hardware inventory record and note that the hardware was received, adding some information to the hardware records, such as the device's serial number. The clerk then sends it on to the IT staff member and notes on the inventory that that person has possession of the device. After configuring it to meet my needs, the IT staff member delivers it to me and changes the record to indicate that I have possession of the device. I use the computer happily for several years and then I decide that it's time to order a new device, which starts the whole process we just described over again. After I receive my new device, I give the old one to the IT staff member, who decides to reuse it for an intern, updating the hardware inventory to note that I am no longer responsible for it. Data is critical to a hardware inventory. As soon as someone misses an update, the data may become very inaccurate. For this reason, many asset management systems include automation technology that can correlate inventory records with devices that are actually present on the network, pointing out any inconsistencies to inventory managers. Media management is a related and important task. While it's impossible to track every piece of data storage media in an organization, security teams should definitely track media that contains highly sensitive information and apply appropriate media protection techniques. In most cases, the asset management system used to track hardware assets can also be used to track sensitive media.

Contents