Asset registers come up all the time when discussing cybersecurity and are a key component of any security framework or standard. They are also one of the most neglected pieces of an organisational security program. The purpose of this article is two-fold. The first is to outline the significance of an asset register. The second is to provide the basis for you to create your own asset register. But before I get into the nitty-gritty, let us start by clarifying what I mean by asset register.
What is an asset register?
Traditionally when an organisation refers to their asset register, they are referring to fixed assets in the form of a register maintained as part of the organisation’s overall financial tracking. When looking at cybersecurity, the fixed asset register still remains relevant. You want to know what assets you have, how old they are, whether they are enrolled in mobile device management, and so on. But you also require a second asset register, one that provides information on the type of applications that you are using throughout your organisation. This type of asset is anything associated with information and information processing, which extends the definition beyond the traditional fixed asset register. Under this definition, an asset register would include applications, databases, and even hard copy storage.
Wait what…
When referring to an asset register regarding information security, we are talking about a complete list of assets that are used by your organisation, which includes applications such as Microsoft 365, creative applications such as Adobe and Canva, any CRMs, and even your accounting software. Everything! If you are relying on a database, whether it is based on a commercial product or developed in-house, this should also be on your asset register. Even the hard copy compactus everyone has forgotten about should be identified and added to the list. This is your first step in ensuring that anywhere you have information stored or processed, you have it documented. This way you can ensure you are applying adequate security controls throughout your organisation.
How do you create an asset register?
So where do you start to gather this information?
There are several products out there that will scan your internal network to tell you what is currently connected, but these generally only look at devices, such as laptops, desktops and mobile devices. In other words, they see what is connected to the network, so they will not tell you everything. A scan can give you a list of the devices and software currently sitting on your network, but it can’t tell you, for example, that an employee has set up Dropbox to store data, or that someone is saving a backup of critical data to a USB drive. So this is just your starting point.
Armed with your list, or if you are not able to use any type of software to give you a starting point or you don’t have a fixed asset register, your next (or first) step is to talk to relevant stakeholders. Have a good old conversation with representatives from across the business and ask them ten simple questions:
- What applications are you currently using for your job?
- Are you using any databases, or external storage devices such as external hard drives, USBs or cloud services to save data?
- Who is financially responsible for the application or asset?
- Who looks after the management of the application or asset?
- Are you using any other methods to save information, such as hard copy filing cabinets?
- What type of data are you storing in the application or asset?
- How sensitive is this data?
- How important is it that this data maintains its integrity?
- How long could you last without access to the asset?
- Has any type of security assessment been conducted on the asset?
What should be included in an asset register?
These questions are designed as a starting point and may lead you down a rabbit hole of additional questions. But this is a necessary step to ensure you identify where all your sensitive information is being held and who is responsible for that information.
Asset register example
At this stage you should have an asset register that looks something like this:
Asset | Owner | Manager | C | I | A | PII | SAC | Comments
Salesforce | Eugene Belford | Margo Wallace | | | | No | No | Salesforce is the main platform used across the organisation to hold customer information and leads.
Microsoft 365 | Dade Murphy | Kate Libby | | | | Yes | Yes | Microsoft is used across the organisation to save patient PII. It undergoes a yearly configuration review each January.
Canva | Paul Cook | Emmanuel Goldstein | | | | No | No | Canva is used internally for marketing. It only holds public classified data and has been deemed not to require a security assessment.
(The C, I and A cells are colour-coded rather than written out; see the colour scale in the legend.)
Legend
C = Confidentiality
I = Integrity
A = Availability
PII = Personally Identifiable Information
SAC = Security Assessment Complete
Colour scale for the C, I and A ratings:
Black = Critical
Red = Very High
Orange = High
Yellow = Medium
Green = Low
This is by no means a complete asset register. You still have a lot of work to do before your asset register is done, and like everything security related, it should be updated regularly. It is, however, a starting point, the start of your journey so to speak. Often people view security as needing to be 100% from the start, but it does not need to be. It progresses over time, slowly improving maturity and your overall security posture.
Compliance requirements around asset registers
For organisations that are following a particular information security framework such as ISO/IEC 27001 or the NIST Cybersecurity Framework, there are specific guidelines as to what should be included as part of the asset register. Every organisation needs a starting point and hopefully, this article has provided this for you.
It should be noted that for those organisations that come under the SOCI Act, your obligations are a lot stricter with regard to the register of critical infrastructure assets. The intention is that the government will be able to weave together an intricate web of who is relying on what and, in doing so, pinpoint those assets that are central to the nation’s stability and where it is most fragile.
Benefits of maintaining an asset register
The key point to the asset register is that you have captured what assets are used to save, process or manage your organisational data. You then need to be asking the question, ‘what is being done to ensure that the data remains safe?’
A starting point would be to undertake a security assessment of the asset, such as a cybersecurity application risk assessment or a penetration test. If you have an asset that is processing sensitive information, that has never been assessed, then you potentially have a major risk that needs to be addressed. Other questions you should be asking are:
- What controls are currently in place to ensure the organisation has safeguarded the sensitive information?
- Who has access to this data? This could also be ‘what’ has access in the case of other systems connecting via APIs or other methods.
- What are the consequences if the data is breached?
- What backups do we have in place if the data is lost or corrupted?
The consequences of someone accessing your CRM holding B2B data will be different to a CRM holding B2C data for example.
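As an added example (not part of the original article), the register from the table above can be kept as structured data rather than a spreadsheet, which makes the follow-up questions checkable: which assets hold sensitive data but have never been assessed, which have nobody accountable, and which assessments are going stale. The C, I and A ratings below are constructed (the article shows them as colours), the `last_assessed` dates are constructed, and the 365-day review interval is an assumption, not something the article specifies.

```python
"""Asset register as structured data, with a risk-flagging pass.

Added example: the sample rows are modelled on the article's table, but the
C/I/A ratings and assessment dates are constructed values, not the article's.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional, Tuple


class Rating(IntEnum):
    """The article's colour scale, ordered so ratings can be compared."""
    LOW = 1        # Green
    MEDIUM = 2     # Yellow
    HIGH = 3       # Orange
    VERY_HIGH = 4  # Red
    CRITICAL = 5   # Black


RATING_NAMES = {
    "Low": Rating.LOW, "Medium": Rating.MEDIUM, "High": Rating.HIGH,
    "Very High": Rating.VERY_HIGH, "Critical": Rating.CRITICAL,
}


@dataclass
class Asset:
    name: str
    owner: str            # financially responsible
    manager: str          # looks after day-to-day management
    confidentiality: Rating
    integrity: Rating
    availability: Rating
    pii: bool             # holds personally identifiable information
    sac: bool             # security assessment complete
    last_assessed: Optional[date]
    comments: str = ""


# Constructed sample register (CSV is what most teams actually keep).
SAMPLE_CSV = """asset,owner,manager,c,i,a,pii,sac,last_assessed,comments
Salesforce,Eugene Belford,Margo Wallace,High,High,High,No,No,,Main CRM holding customer information and leads
Microsoft 365,Dade Murphy,Kate Libby,Critical,High,Very High,Yes,Yes,2024-01-15,Holds patient PII; yearly configuration review each January
Canva,Paul Cook,Emmanuel Goldstein,Low,Low,Low,No,No,,Internal marketing; public data only
"""


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_register(text: str) -> List[Asset]:
    """Load register rows from CSV text into Asset records."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        assessed = row["last_assessed"].strip()
        assets.append(Asset(
            name=row["asset"].strip(),
            owner=row["owner"].strip(),
            manager=row["manager"].strip(),
            confidentiality=RATING_NAMES[row["c"].strip()],
            integrity=RATING_NAMES[row["i"].strip()],
            availability=RATING_NAMES[row["a"].strip()],
            pii=_yes(row["pii"]),
            sac=_yes(row["sac"]),
            last_assessed=date.fromisoformat(assessed) if assessed else None,
            comments=row["comments"].strip(),
        ))
    return assets


def flag_risks(assets: List[Asset], today: date,
               max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (asset name, reason) pairs for assets that need attention.

    An asset counts as sensitive if it holds PII or is rated High or above
    for confidentiality. The max_age_days review interval is an assumption.
    """
    findings = []
    for a in assets:
        sensitive = a.pii or a.confidentiality >= Rating.HIGH
        if not a.owner or not a.manager:
            findings.append((a.name, "NO_ACCOUNTABILITY"))
        if sensitive and not a.sac:
            findings.append((a.name, "UNASSESSED_SENSITIVE"))
        if a.sac and a.last_assessed is None:
            findings.append((a.name, "MISSING_ASSESSMENT_DATE"))
        elif a.sac and (today - a.last_assessed).days > max_age_days:
            findings.append((a.name, "STALE_ASSESSMENT"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_risks(parse_register(SAMPLE_CSV), date.today()):
        print(f"{name}: {reason}")
```

Run as-is it reads the constructed register and prints one line per finding; pointing `parse_register` at your own CSV with the same column headers is enough to run the same checks over a real register.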
This is a huge topic and one that is hard to cover in 1,000 words. Who would have thought that a simple asset register could be such a powerful tool? Your next step, ask your business where your asset register is, and if you do not have one, get cracking!