Integrating Security with Asset Management Part 2

Summary:

  • Business alignment with security projects will help persuade the decision makers to approve and endorse security projects
  • Being creative helps to obtain business alignment

As mentioned, several frameworks (e.g. ISO27001, SANS top 20, etc.) list Asset Management as an action, and it is a task quite high on the list.

Several things will need to be done:

  • A procurement structure is in place so that staff know who to go to for acquiring equipment (the details are out of scope for this blog).
  • Procurement and security policies, standards and guidelines are in place, covering everything from acquisitions to securing devices
  • Policies are communicated to staff

All is good now but how does it provide benefits for the business?

Well, this is where metrics come in.

The decision makers will want to know how successful your project will be, and they will be interested in how the project has saved the business money, increased productivity, etc. Metrics are a way to provide this information.

The ability to measure opens opportunities to be ‘creative’ with business goals.

Let’s look at business strategies:

  • Saving costs
  • Reducing downtime
  • etc.

Taking the two examples:

  • Saving costs: asset discovery, license management, lease management, whole of life, power consumption, etc.
  • Reducing downtime: hardware failure, software failure, system performance, etc.

There should be enough information in the Asset Management database to establish metrics to determine the basics:

  • Number of systems
  • Where are they located
  • When systems go out of warranty

Now with some cross matching against other systems you can do things like:

  • Find out which systems have not been on the network for a while and where they are (are they in a cupboard? If they are, can they be redeployed, saving the cost of purchasing a new system, configuring, etc.?).
  • Find out which systems are nearing the end of their warranty (if they are going to be out of support, a new system can be pro-actively ordered, reducing downtime, and for asset management purposes you won’t need to upgrade them, saving time and resources).
  • etc.

All of these are strategies that can be translated to security wins:

  • If you know the system is in storage, you know it requires updates to be compliant or if it is to be deployed to new staff, the status of the device must be updated.
  • If a system is old, there is a good chance that it may have legacy software which may be a security risk
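The cross matching and the security follow-ups described above, sketched as an added example (not code from the original post). The CSV column names, hostnames and 90-day thresholds are assumptions, the sample data is constructed, and the check for devices missing from the database goes slightly beyond the list above to cover the "asset discovery" item.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export from an asset management database (hypothetical columns).
ASSETS_CSV = """asset_tag,hostname,location,warranty_end
A-1001,fin-lt-01,Sydney,2025-03-31
A-1002,fin-lt-02,Sydney,2026-11-30
A-1003,hr-dt-07,Melbourne,2024-12-15
A-1004,ops-lt-11,Brisbane,2027-01-31
"""
# Constructed "last seen on the network" data, e.g. derived from DHCP or NAC logs.
LAST_SEEN_CSV = """hostname,last_seen
fin-lt-01,2025-01-10
fin-lt-02,2024-08-02
ops-lt-11,2025-01-14
lab-pc-99,2025-01-12
"""

def load(text, date_field):
    """Parse CSV text into {hostname: row}, converting date_field to a date."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row[date_field] = date.fromisoformat(row[date_field])
        rows[row["hostname"]] = row
    return rows

def cross_match(assets, last_seen, today, stale_days=90, warranty_days=90):
    """Cross match the asset list against network sightings; thresholds are assumed."""
    stale_cutoff = today - timedelta(days=stale_days)
    warranty_cutoff = today + timedelta(days=warranty_days)
    report = {"stale": [], "warranty_ending": []}
    for host, asset in assets.items():
        seen = last_seen.get(host)
        # Not seen recently (or ever): redeployment candidate, needs updates first.
        if seen is None or seen["last_seen"] < stale_cutoff:
            report["stale"].append(host)
        # Warranty expired or expiring: order a replacement, review for legacy software.
        if asset["warranty_end"] <= warranty_cutoff:
            report["warranty_ending"].append(host)
    # On the network but absent from the asset database (asset discovery).
    report["unrecorded"] = [h for h in last_seen if h not in assets]
    return {metric: sorted(hosts) for metric, hosts in report.items()}

if __name__ == "__main__":
    result = cross_match(load(ASSETS_CSV, "warranty_end"),
                         load(LAST_SEEN_CSV, "last_seen"), today=date(2025, 1, 15))
    for metric, hosts in result.items():
        print(f"{metric}: {len(hosts)} {hosts}")
```

The counts per list are the metrics to report to decision makers; the hostnames are the work queue for redeployment, replacement and patching.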

With this intelligence, asset management would provide a return on investment and help achieve security goals.