
5 - Asset Management Section PDF

The document discusses asset management and identification. It states that all valuable resources must be identified and classified to effectively protect an organization. The identification and classification process involves inventorying assets, assigning ownership, classifying assets based on value, and periodically reassessing. Assets then need to be protected based on their classification. The document also discusses data retention requirements based on legal and organizational needs and the risks of retaining sensitive information. It defines the different states data can be in - at rest, in motion, and in use - and outlines protections for each state.

Asset Management Section

Identifying and Classifying Assets

InstructorAlton.com
Assets
Anything deemed valuable to a company is considered an asset:
• People
• Information
• Data
• Hardware
• Software
• Processes
• Ideas
• Etc.

You can’t effectively protect your organization if you don’t know what you have.
Therefore, assets should be identified and classified so they can be effectively
protected.
Asset Identification & Classification Process
1. Inventory Your Assets
2. Assign Ownership
3. Classify Based on Value
4. Protect Based on Value Classification
5. Periodically Assess & Review

Understanding the Asset Lifecycle

The Asset Lifecycle

1. Identify & Classify • New assets should be identified and classified.

2. Secure • Secure assets based on the classified value.

3. Monitor • Regularly monitor for changes in value and the effectiveness of our security controls.

4. Recovery • If an asset is adversely impacted, recovery measures should be in place.

5. Disposition • Once an asset has reached the end of its usefulness and is to be disposed of, there are two primary methods: archiving the asset for long-term storage or defensible destruction, ensuring there is no data remanence.

Data Retention

Data Retention
• Data retention is the long-term storage of valuable assets, typically driven by:
o Legal and Regulatory Compliance Requirements
o Organizational Requirements

• Retaining sensitive information poses a risk to the organization because of data breaches and threats of disclosure.
o 2017 Equifax Data Breach of 145.5 million U.S. consumers cost the company $1.4 billion
o 2013 Target Customer Credit/Debit Card Data Breach of 70 million customers cost the company $162 million

• Therefore, sensitive information should only be retained as long as it is useful or required by law.
• Organizations can do so by developing a records retention policy based on legal,
regulatory, and organizational requirements.

Understanding Data States

Data States
| Data State | Details |
|---|---|
| Data at Rest | Data that’s stored on media of any form (hard drive, USB stick, tape, CD). It’s considered at rest because it’s not being transmitted over the network or in use. Data at rest is commonly protected by disk and file encryption. |
| Data in Motion | Data that’s currently moving across a network from one device to another. Data in motion is commonly protected by network encryption, such as SSL, TLS, and VPN connections with IPSec encryption. |
| Data in Use | Data that’s being used by a system process, application or user. It’s data that’s being created, updated, appended, or erased. Data in use is the hardest to protect because it’s not encrypted while in use. Proper access control, integrity checks, and auditing measures can help protect data in use. |
