Cybersecurity Practice #5: IT Asset Management (medium/large)

Modified on Wed, 14 Jun, 2023 at 2:30 PM

The process by which organizations manage IT assets is generally referred to as IT asset management (ITAM). ITAM is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM gives cybersecurity professionals visibility into what the organization actually owns and operates, and so reduces the number of unknown devices they must defend.


ITAM processes should be implemented for endpoints, servers, and networking equipment. The cybersecurity practices in this section assist and support every other cybersecurity practice identified in this publication. ITAM cybersecurity practices can be difficult to implement and sustain, but they should be incorporated into every lifecycle stage of IT operations to maintain data accuracy and integrity. For each asset, the lifecycle includes procurement, deployment, maintenance, and decommissioning. Though each type of asset is used differently during its lifecycle, the lifecycle itself is consistent.


The financial sector, as part of its public–private partnership with the NIST National Cybersecurity Center of Excellence (NCCoE), has written a detailed ITAM practice guide: IT Asset Management.[22] Though specific to the financial sector, the methods discussed in the guide are easily applied to the HPH sector.


Cybersecurity Practice 5: IT Asset Management

Data that may be affected: Passwords, PHI

Medium Sub-Practices
    5.M.A  Inventory of Endpoints and Servers
    5.M.B  Procurement
    5.M.C  Secure Storage for Inactive Devices
    5.M.D  Decommissioning Assets

Large Sub-Practices
    5.L.A  Automated Discovery and Maintenance
    5.L.B  Integration with Network Access Control

Key Mitigated Risks
  • Ransomware Attacks
  • Loss or Theft of Equipment or Data
  • Insider, Accidental or Intentional Data Loss
  • Attacks Against Connected Medical Devices that May Affect Patient Safety


Sub-Practices for Medium-Sized Organizations

 

5.M.A Inventory of Endpoints and Servers

NIST FRAMEWORK REF: ID.AM-1

The first ITAM component that should be implemented is a buildout of the inventory repository. This critical technology component provides a normalized, consistent approach that organizations can use to store inventory data.

Important data elements should be captured for each asset in the ITAM, including the following:

  • AssetID (primary key)
  • Hostname
  • Purchase Order
  • Operating System
  • MAC Address
  • IP Address
  • Deployed to (User)
  • Last Logged on User
  • Purchase Date
  • Cost
  • Physical Location

A robust ITAM repository becomes your single source of truth for all IT assets in your organization. It must be maintained so that it can be trusted as accurate and actionable; every other practice in this publication depends on it being right.


Special consideration should be given to the differences between ITAM systems and device management systems. Device management systems, which connect to IT devices such as endpoints and servers, can automate the management and maintenance of these assets. They are highly effective at executing tasks such as software discovery, patch management, and performance monitoring. However, device management systems cannot account for the addition and removal of IT assets or answer the inevitable question, “Where did that laptop go?” They manage an organization’s devices at a single point in time and are not workflow driven.


IT service management tools (e.g., ticketing systems) can be integrated with IT general controls to ensure accurate and precise asset management through standard performance management activities.[23]

 

5.M.B Procurement

NIST FRAMEWORK REF: ID.AM

Once the ITAM system is implemented and configured, it is important to integrate normal supply chain processes with the ITAM processes. The goal is to leverage supply chain processes to proactively register each technology asset, endpoint, server, or networking equipment into the ITAM system as it is acquired.


To achieve this, IT organizations must work with supply chain departments to streamline technology acquisition channels. When technology acquisitions are specifically categorized, a trigger can be established to capture the details of each technology purchase. At a minimum, this involves generating a ticket in the IT ticketing system that prompts a designated IT professional to manually capture details for the new asset when it is acquired. New asset details can be captured physically, at a shipping dock, or virtually for virtual technology purchases.


In more advanced organizations, the procurement process may be automated to capture salient details for new assets. This reduces the manual labor required and the exposure to human error in collecting the data.


As an asset is acquired, it is critical to tag it with an asset tag. These tags can be physical or logical. The tagging process ensures that the asset has a unique ID that can be used to identify it in the ITAM system. Using existing data (e.g., hostname, IP address, MAC address) as the unique ID is not recommended, because these fields may change, potentially creating duplicate records.
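The following is an added example, not part of the HICP text or the NCCoE guide: a minimal in-memory ITAM repository that stores the data elements listed in 5.M.A, registers a record at procurement time, merges discovery data into it, and is keyed only by an organization-issued asset tag as 5.M.B recommends. It contrasts that with a repository keyed by MAC address to show how a NIC replacement silently produces a duplicate record. The asset tags, purchase order, MAC addresses, user names and prices are constructed sample data; the class and method names are this example's own.

```python
# Added example (not HICP/NCCoE code): tag-keyed ITAM repository vs. a MAC-keyed one.
# Every identifier and value below is constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class Asset:
    asset_id: str                        # primary key: the physical/logical asset tag
    hostname: str = ""
    purchase_order: str = ""
    operating_system: str = ""
    mac_address: str = ""
    ip_address: str = ""
    deployed_to: str = ""                # user the asset was issued to
    last_logged_on_user: str = ""
    purchase_date: Optional[date] = None
    cost: float = 0.0
    physical_location: str = ""
    status: str = "procured"             # procured -> deployed -> stored -> decommissioned


class ItamRepository:
    """Single source of truth, keyed only by asset tag (assumed design)."""

    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}

    def register_from_procurement(self, asset_id: str, purchase_order: str,
                                  purchase_date: date, cost: float,
                                  location: str = "receiving dock") -> Asset:
        # The procurement trigger (ticket or automated feed) lands here: a record
        # exists before the device is ever powered on.
        if asset_id in self._assets:
            raise ValueError(f"asset tag {asset_id} already registered")
        asset = Asset(asset_id=asset_id, purchase_order=purchase_order,
                      purchase_date=purchase_date, cost=cost,
                      physical_location=location)
        self._assets[asset_id] = asset
        return asset

    def update_from_discovery(self, asset_id: str, **observed: str) -> Asset:
        # Device-management/discovery data (hostname, MAC, IP, OS, logged-on user)
        # is merged into the existing record; it never creates a new identity.
        asset = self._assets.get(asset_id)
        if asset is None:
            raise KeyError(f"discovered device claims unknown asset tag {asset_id}")
        for field_name, value in observed.items():
            if field_name == "asset_id" or not hasattr(asset, field_name):
                raise ValueError(f"refusing to set unknown or key field {field_name}")
            setattr(asset, field_name, value)
        return asset

    def get(self, asset_id: str) -> Asset:
        return self._assets[asset_id]

    def count(self) -> int:
        return len(self._assets)


def simulate_nic_replacement() -> dict:
    """Same laptop seen by discovery before and after its NIC (and so its MAC) changes.
    Returns record counts for the tag-keyed repository and for a naive MAC-keyed one."""
    tagged = ItamRepository()
    tagged.register_from_procurement("HOSP-LT-000123", "PO-2023-0456", date(2023, 5, 2), 1450.00)
    naive_by_mac: Dict[str, dict] = {}          # anti-pattern: MAC address as primary key

    observations = [   # constructed discovery snapshots: (asset tag, MAC, hostname, user)
        ("HOSP-LT-000123", "02:00:5e:aa:bb:01", "lt-123", "alice"),
        ("HOSP-LT-000123", "02:00:5e:aa:bb:01", "lt-123", "alice"),
        ("HOSP-LT-000123", "02:00:5e:cc:dd:02", "lt-123", "alice"),   # NIC replaced
    ]
    for tag, mac, host, user in observations:
        tagged.update_from_discovery(tag, mac_address=mac, hostname=host,
                                     last_logged_on_user=user, status="deployed")
        naive_by_mac.setdefault(mac, {"hostname": host, "user": user})   # new MAC => new record

    return {"tag_keyed_records": tagged.count(),
            "mac_keyed_records": len(naive_by_mac),
            "current_mac": tagged.get("HOSP-LT-000123").mac_address}


if __name__ == "__main__":
    print(simulate_nic_replacement())
```

Running the block shows one record in the tag-keyed repository with the new MAC, and two records in the MAC-keyed one: the first MAC now points at an orphaned entry that nothing will ever reconcile, which is exactly the duplicate the text warns about.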

 

5.M.C Secure Storage for Inactive Devices

NIST FRAMEWORK REF: PR.AC-2

Assets that are not in circulation should be returned to the appropriate IT department for secure storage. Storage areas (e.g., lockers, cages, rooms) should be secured with physical access controls. Access should be limited to those who require it. Physical access controls may include badge readers, video camera surveillance, and door alarms.


If an asset is identified for redeployment, it should be wiped and re-imaged from a known-good build to deploy a “fresh” computer system for the new user. This ensures that the previous user’s sensitive data are removed and that the asset has a clean bill of health before it is issued again.


When an asset is sent to storage for redeployment or processing, the ITAM system should be updated to reflect a change of ownership and new physical location (i.e., storage) for the asset. If the asset is redeployed or decommissioned, the ITAM system should be updated again to reflect its new status.

 

5.M.D Decommissioning Assets

NIST FRAMEWORK REF: PR.IP-6, PR.DS-3


It is critical to properly dispose of retired assets, because these assets may contain sensitive information. When executing destruction and certification procedures, update the ITAM to indicate that the device has been decommissioned. This establishes a permanent record in your asset management source of truth, the ITAM. The following procedures should be completed when decommissioning an IT asset:


  • Central collection: IT assets should be collected and stored in centralized, physically locked areas prior to decommissioning. Your workforce must be trained to turn in any asset that they no longer use.
  • Central destruction/wipe: Assets that are collected for decommissioning must undergo a secure process to destroy or electronically wipe the storage media. This ensures that devices are properly sanitized before leaving the organization’s possession for destruction. Permanent removal of storage media may be completed by your IT organization or an external service provider. It is a good practice to obtain and archive a certificate of destruction for audit purposes.
  • Record keeping: Once the IT asset has been cleared for removal from the organization, the ITAM record of the asset should be marked for destruction or decommissioning. Certificates of destruction can be stored in the ITAM record for easy access. It is highly advisable not to delete the asset record. Instead, update the asset’s status in the ITAM system to reflect that it has been decommissioned and is no longer owned by the organization. You may need to refer to the asset record in the future, for example during an investigation or audit.


Sub-Practices for Large Organizations

 

5.L.A Automated Discovery and Maintenance

NIST FRAMEWORK REF: PR.MA-1, PR.MA-2, PR.DS-3


Once your ITAM system is in place and your procurement processes are registering assets into it, the challenge is to keep those records accurate. The following fictitious example describes a large organization with the following characteristics:


  • Number of endpoints: 10,000
  • Number of servers: 1,000
  • Number of data elements managed per asset: 11
  • Total number of data elements required to maintain accurate details: 121,000


It is very difficult to manually maintain 121,000 data elements. After an asset is acquired, it is often deployed throughout its lifecycle in unforeseen ways. For example, a new laptop may be issued to a user. That user may leave the organization, turning in the laptop to a supervisor. The supervisor may assign the laptop to the new employee who fills the open position. Unless IT is informed and the ITAM is updated, the asset record for the laptop, now assigned to a different user, will be wrong.


Another classic example relates to an upgrade or hardware change to an existing asset. This asset might change operating system or patch levels. Maintaining that information manually in the ITAM is nearly impossible.


Automated discovery systems can maintain these records and account for both scenarios described above. In the case where an asset changes hands to a new user, discovery tools can record logon occurrences for both the “assigned user” and the “actual logged-in user.” If a threshold is triggered indicating that the assigned user no longer logs in and a different user continually does, a change-in-ownership process can be started. This process may be automated, requiring no intervention, or completed manually by generating a ticket to validate the change of ownership. In the case of OS and patch levels, automated discovery systems can provide snapshot views of the current patch level of each asset. When vulnerability management systems compare these snapshots against the required versions, assets running obsolete software are identified across the fleet.
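Both checks described above, as an added example that is not part of HICP or of any vendor’s discovery product: a change-of-ownership detector that compares the assigned user with the users actually logging on, routing the result either to an automatic record update or to a validation ticket, and a snapshot comparison that reports every asset whose discovered software is missing or below a required baseline. The consecutive-logon threshold, the logon events, the package names and the version numbers are all assumptions built into the sample data.

```python
# Added example (not HICP code): automated-discovery checks from 5.L.A over
# constructed sample data. Threshold, events, packages and versions are assumed.
from typing import Dict, List, Optional, Tuple

OWNERSHIP_THRESHOLD = 5   # assumed policy: this many consecutive logons by one other user


def detect_ownership_change(assigned_user: str,
                            logon_events: List[Tuple[str, str]],
                            threshold: int = OWNERSHIP_THRESHOLD) -> Optional[str]:
    """logon_events: (timestamp, username) pairs reported by the discovery agent,
    oldest first. Returns the candidate new owner when the assigned user is absent
    from the last `threshold` logons and exactly one other user fills them."""
    if len(logon_events) < threshold:
        return None
    recent_users = {user for _, user in logon_events[-threshold:]}
    if assigned_user in recent_users or len(recent_users) != 1:
        return None   # assigned user still active, or a shared/loaner device: no change
    return recent_users.pop()


def reconcile_owner(asset: Dict[str, str], logon_events: List[Tuple[str, str]],
                    auto_approve: bool = False) -> Dict[str, str]:
    """Either updates the ITAM record directly or emits a ticket for manual validation."""
    candidate = detect_ownership_change(asset["deployed_to"], logon_events)
    if candidate is None:
        return {"action": "none"}
    if auto_approve:
        previous, asset["deployed_to"] = asset["deployed_to"], candidate
        return {"action": "updated", "from": previous, "to": candidate}
    return {"action": "ticket",
            "summary": f"Validate change of ownership for {asset['asset_id']}: "
                       f"{asset['deployed_to']} -> {candidate}"}


def version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def stale_software(snapshot: Dict[str, Dict[str, str]],
                   baseline: Dict[str, str]) -> Dict[str, List[Tuple[str, Optional[str], str]]]:
    """snapshot: {asset_id: {package: installed_version}} from discovery;
    baseline: {package: minimum_required_version}. Returns, per asset, each
    package that is missing or below the baseline (a missing package is reported
    as installed=None) for the vulnerability management system to act on."""
    findings: Dict[str, List[Tuple[str, Optional[str], str]]] = {}
    for asset_id, installed in snapshot.items():
        for package, required in baseline.items():
            current = installed.get(package)
            if current is None or version_key(current) < version_key(required):
                findings.setdefault(asset_id, []).append((package, current, required))
    return findings


# Constructed sample data (assumed) -----------------------------------------
ASSET = {"asset_id": "HOSP-LT-000123", "deployed_to": "alice"}
LOGONS = [("2023-05-01T08:02", "alice"), ("2023-05-02T08:10", "alice"),
          ("2023-05-15T07:55", "bob"), ("2023-05-16T08:01", "bob"),
          ("2023-05-17T08:03", "bob"), ("2023-05-18T07:58", "bob"),
          ("2023-05-19T08:05", "bob")]
SNAPSHOT = {"HOSP-LT-000123": {"edr_agent": "7.2.1", "browser": "114.0.5"},
            "HOSP-SV-000007": {"edr_agent": "6.9.0", "browser": "114.0.5"},
            "HOSP-LT-000400": {"browser": "113.0.2"}}          # no EDR agent at all
BASELINE = {"edr_agent": "7.0.0", "browser": "114.0.0"}


def run_checks(auto_approve: bool = False):
    # dict(ASSET) keeps the sample record untouched between runs
    return reconcile_owner(dict(ASSET), LOGONS, auto_approve), stale_software(SNAPSHOT, BASELINE)


if __name__ == "__main__":
    ownership, stale = run_checks()
    print(ownership)
    for asset_id, items in stale.items():
        print(asset_id, items)
```

With the sample data the last five logons are all by bob, so the check emits a ticket proposing a change from alice to bob (or updates the record when auto-approval is enabled); the snapshot comparison flags the server’s outdated agent and the laptop that has no agent installed, while the fully current laptop produces no finding.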

 

5.L.B Integration with Network Access Control

NIST FRAMEWORK REF: PR.AC-4, PR.AC-5, PR.AC-6

The practices outlined so far assume normal acquisitions processes. There are times, however, when IT assets are integrated in the organization by means other than standard supply chain channels. Examples include personal devices (BYOD) and assets that are donated or provided free-of-charge as part of a third-party contract.


Without oversight, it is difficult to detect and track these assets. Such outliers can be controlled by integrating your NAC and ITAM systems, so that any device NAC sees on the network that has no ITAM record is registered and investigated rather than ignored. Further details can be found in Cybersecurity Practice #6: Network Management.


Threats Mitigated

  1. Ransomware attacks
  2. Loss or theft of equipment or data
  3. Insider, accidental or intentional data loss
  4. Attacks against connected medical devices that may affect patient safety


Suggested Metrics

  • Percentage of devices added to ITAM system through procurement channels, trended over time. The goal is to establish a baseline and achieve a higher percentage over time.
  • Number of devices added to the ITAM because of NAC, trended over time. The goal is to analyze spikes that occur after initial deployment, which may indicate a problem capturing or maintaining asset records.
  • Number of devices properly removed from asset management system using proper decommissioning channels, trended over time. The goal is to ensure devices are properly decommissioned. Lack of execution of these processes over a period may indicate a compliance issue.
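An added example, not part of HICP or of Practice #6, that serves both 5.L.B and the suggested metrics above: it reconciles a NAC session list against the ITAM repository, registering every unknown MAC as a placeholder record whose source is NAC and flagging known assets whose ITAM status says they should not be online (a decommissioned asset reappearing on the network), and then derives the three metrics per calendar month from the record fields. The ITAM records, NAC sessions, MAC addresses, VLAN names and dates are constructed sample data, and the field names (`source`, `added`, `decommissioned_on`, `status`) are this example’s own assumptions.

```python
# Added example (not HICP code): NAC/ITAM reconciliation (5.L.B) and the three
# suggested metrics. Records, sessions, MACs and dates are constructed sample data.
from collections import defaultdict
from datetime import date
from typing import Dict, List

# ITAM records keyed by asset tag; the MAC is a searchable attribute, never the key.
ITAM: Dict[str, dict] = {
    "HOSP-LT-000123": {"mac": "02:00:5e:aa:bb:01", "source": "procurement",
                       "added": date(2023, 5, 2), "status": "deployed"},
    "HOSP-SV-000007": {"mac": "02:00:5e:aa:bb:02", "source": "procurement",
                       "added": date(2023, 4, 11), "status": "deployed"},
    "HOSP-LT-000099": {"mac": "02:00:5e:aa:bb:03", "source": "procurement",
                       "added": date(2023, 3, 20), "status": "decommissioned",
                       "decommissioned_on": date(2023, 5, 30)},
}

# Constructed NAC session log: one entry per endpoint seen on the network.
NAC_SESSIONS: List[dict] = [
    {"mac": "02:00:5e:aa:bb:01", "ip": "10.20.1.15", "vlan": "clinical", "seen": date(2023, 6, 1)},
    {"mac": "02:00:5e:cc:dd:09", "ip": "10.20.1.77", "vlan": "clinical", "seen": date(2023, 6, 1)},  # vendor-supplied gateway, never procured
    {"mac": "02:00:5e:ee:ff:10", "ip": "10.20.9.5", "vlan": "guest", "seen": date(2023, 6, 2)},      # BYOD phone
    {"mac": "02:00:5e:aa:bb:03", "ip": "10.20.1.40", "vlan": "clinical", "seen": date(2023, 6, 3)},  # decommissioned asset back online
]


def reconcile_nac(itam: Dict[str, dict], sessions: List[dict]) -> Dict[str, List[str]]:
    """Registers unknown MACs as NAC-sourced placeholder records (status 'unverified',
    for IT to tag and validate) and flags known assets whose status says they should
    not be on the network."""
    by_mac = {rec["mac"]: tag for tag, rec in itam.items()}
    report: Dict[str, List[str]] = {"registered": [], "status_conflict": []}
    for s in sessions:
        tag = by_mac.get(s["mac"])
        if tag is None:
            # placeholder tag derived from the MAC until a real asset tag is assigned
            tag = f"NAC-{s['mac'].replace(':', '')[-6:].upper()}"
            itam[tag] = {"mac": s["mac"], "source": "nac", "added": s["seen"],
                         "status": "unverified", "ip": s["ip"], "vlan": s["vlan"]}
            by_mac[s["mac"]] = tag
            report["registered"].append(tag)
        elif itam[tag]["status"] in ("decommissioned", "stored"):
            report["status_conflict"].append(tag)
    return report


def metrics_by_month(itam: Dict[str, dict]) -> Dict[str, dict]:
    """Per calendar month: devices added via procurement, devices added via NAC,
    the procurement percentage of additions, and devices decommissioned."""
    months = defaultdict(lambda: {"procurement": 0, "nac": 0, "decommissioned": 0})
    for rec in itam.values():
        months[rec["added"].strftime("%Y-%m")][rec["source"]] += 1
        if rec.get("decommissioned_on"):
            months[rec["decommissioned_on"].strftime("%Y-%m")]["decommissioned"] += 1
    out = {}
    for month, c in sorted(months.items()):
        total = c["procurement"] + c["nac"]
        pct = round(100.0 * c["procurement"] / total, 1) if total else 0.0
        out[month] = {**c, "pct_via_procurement": pct}
    return out


def run():
    itam = {tag: dict(rec) for tag, rec in ITAM.items()}   # work on a copy of the sample data
    report = reconcile_nac(itam, NAC_SESSIONS)
    return report, metrics_by_month(itam)


if __name__ == "__main__":
    report, metrics = run()
    print(report)
    for month, m in metrics.items():
        print(month, m)
```

On the sample data two placeholder records are created from NAC and the decommissioned laptop is reported as a status conflict, which is the case a practitioner most wants surfaced: a device the ITAM says left the organization is authenticating to the clinical VLAN. The June metrics then show 0% of additions arriving through procurement, the kind of spike the second metric is meant to catch.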


 

 

22. Michael Stone et al., IT Asset Management (NIST Special Publication 1800-5b, October 2015, Rockville, MD), https://nccoe.nist.gov/sites/default/files/library/sp1800/fs-itam-nist-sp1800-5b-draft.pdf.

23. “CIS Control 1: Inventory and Control of Hardware Assets,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/controls/inventory-and-control-of-hardware-assets/.
