The thing with security is that there is always more than one top priority, so the trick is not to choose which comes first, it’s to get them ALL assigned and moving forward at the same time. There are simply too many interdependencies, and you will only avoid the inevitable roadblocks or analysis paralysis if you plan accordingly.
Asset Management is one of those top priorities, and is at the core of everything else you will ever do in the development, maintenance, and continuous improvement of your security program.
IF you do it properly, that is.
Prior to v3.0 of the DSS, the requirement for asset management only went so far as knowing every system type, its function, and how many of each you had. Basically a spreadsheet to support the sample sizes and PCI validation efforts. But this undermines the entire assessment process itself, as the whole point of an assessment is that you are able to make EDUCATED judgment calls. Knowing that you have 20 Windows web servers tells you nothing about the potential impact of their loss, for example.
I think everyone’s heard the famous misquote attributed to Peter Drucker: “If you can’t measure it, you can’t manage it.” But how do you measure the value of an asset? The answer, like everything else in security, is simple. Not easy, and pretty much never done well, but it IS simple:
“The value of each of your assets is directly related to the value of the data that flows through it.” and:
“The value of your data is directly related to its importance to your business.”
If you don’t know the above values, you have a lot more problems than security.
It does not matter whether the ‘value’ is expressed in financial or criticality terms; what matters is that every OTHER security process must directly reflect each asset’s relative importance to your organisation. Does a web server have more importance to an e-commerce-only merchant than it does to a plague/nest/whoop of lawyers (or whatever their collective noun is)? Maybe, maybe not. Would you expend far more effort protecting your intellectual property than you would your public web content? Of course you would, unless you’re irretrievably stupid.
But what IS an asset? It’s not just your servers, network devices and software; it’s your locations, your vendors, your business processes, and just as importantly, it’s your PEOPLE (or more to the point, your people’s knowledge and skill sets). There are many single points of failure in most organisations, and the one most often overlooked is the human factor.
Unless you include ALL of these things, none of the following business processes will be anywhere near as effective, and perhaps not even possible:
- Risk Assessment – No point trying to examine your risks if you don’t know what those risks are related to.
- Gap Analysis & Control Acquisition – A logical follow-on from a risk assessment: what are the gaps you have to fill? Can you use existing assets to fill them?
- Change Control – How can you give appropriate attention to change requests if you have no indication of regulatory relevance, maximum data classification, or the business criticality?
- Automated / Continuous Compliance Validation – If you don’t have a list of all the running services and listening ports on your systems, how can you hope to automate the detection of policy / compliance violations?
- Business Transformation – Try adjusting your business in the face of competition if you don’t know what you have and how it fits together.
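As an added illustration (not code from the original post) of the two ideas above, that an asset’s value follows the data flowing through it and that continuous compliance validation needs a per-asset list of approved listening ports, here is a small inventory model in which criticality is derived from data classification and an observed scan is compared against the approved baseline, with findings ordered by asset value. Host names, ports and the classification scale are constructed for the example.

```python
# Added example, not from the original post. Constructed inventory and scan data.
from dataclasses import dataclass

# Data classification scale, most sensitive last (constructed for the example).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "cardholder": 3}


@dataclass
class Asset:
    name: str
    data_flows: list[str]      # classifications of data that pass through this asset
    approved_ports: set[int]   # listening ports the change-control record allows

    def criticality(self) -> int:
        """Asset value tracks the most sensitive data that flows through it."""
        return max(CLASSIFICATION_RANK[c] for c in self.data_flows)


def check_compliance(inventory, observed):
    """Compare observed listening ports (host -> ports) against the inventory.

    Returns (criticality, host, finding) tuples, most critical first, so that
    remediation effort follows asset value rather than discovery order.
    """
    findings = []
    known = {a.name: a for a in inventory}
    for host, ports in observed.items():
        asset = known.get(host)
        if asset is None:
            # A listening host with no inventory record is treated as worst case.
            findings.append((max(CLASSIFICATION_RANK.values()), host, "host not in inventory"))
            continue
        for port in sorted(ports - asset.approved_ports):
            findings.append((asset.criticality(), host, f"unapproved listener on port {port}"))
        for port in sorted(asset.approved_ports - ports):
            findings.append((asset.criticality(), host, f"approved service on port {port} not listening"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed sample inventory and scan result.
INVENTORY = [
    Asset("web01", ["public", "cardholder"], {443}),
    Asset("wiki01", ["internal"], {80, 443}),
]
OBSERVED = {"web01": {443, 22}, "wiki01": {443}, "legacy07": {21}}

if __name__ == "__main__":
    for crit, host, msg in check_compliance(INVENTORY, OBSERVED):
        print(crit, host, msg)
```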
Asset Management is simply too important and too central to security to do it real justice in a blog post, but suffice to say it is one of the easiest ways to centralise the information required to support every other process used to manage your security program. It is because Asset Management is so overlooked by PCI that everything else is seen as being so difficult.
This is one of the few areas where I actually recommend you look into implementing an Asset Management system, especially if it forms the core of a Governance, Risk and Compliance tool. Surprisingly few do.