General security

An asset management guide for information security professionals

Graeme Messina
January 4, 2018 by
Graeme Messina

Managing a business from an information security professional’s point of view means there needs to be some form of asset classification within the operational structures of the company.  The process of classifying assets requires a system or multiple systems for assigning different assets into relevant groups.

These groups are devised and based on what the asset is, as well as their defining attributes. Rules are then applied to each asset group to help keep track of those particular items, which brings in an accountability structure to make the management and visibility of these items much easier to track.

Companies are then able to apply asset classification systems against this information, which allows different departments within a company to properly account for each of these valuable asset items. There are many asset types that relate to information security and information technology.

In this article, we will take a look at some of the most common asset types, as well as their defining characteristics.

What is an asset?

In the realm of information security and information technology, an asset is anything of value to a business that is related to information services. These can take the form of a device, data or information, or even as people or software systems within the structure of a business. Anything that has value and supports the operation of a business can be considered an asset.

It is therefore very important for an asset classification system to be implemented, monitored and followed closely. This will allow you, as an information security specialist, to take stock of your company’s requirements and create the appropriate strategies needed to maintain all of the information systems required to allow your business to operate efficiently.

What is an information asset?

An information asset is a definable piece of information, stored in any form, that could be seen as valuable to an organization. This could range from a database full of employee or client information, to a payroll system with monthly salary and wage information. Confidential items such as intellectual property and proprietary designs are also information assets which must be maintained and safeguarded.

An information asset could also be described as a dataset of information arranged and managed as a single, valuable entity. It is for this reason that information is treated just like any other corporate asset with value. It is fair to say that an organization's information assets have financial value as well as informational and strategic value, by virtue of their importance to the company. That same perceived value of company assets tends to increase directly in proportion to the number of employees or clients affected in the event of an informational asset outage.

What is a physical asset?

Physical assets are items such as equipment that add value to an organization. These can be fixed or non-current, depending on how your company has defined its physical asset register. A common practice within a company is to document any and all hardware and equipment within the enterprise, affixing to each item a physical asset tag. This makes the equipment’s life cycle easy to monitor and manage from an operational and financial perspective, and will allow for asset tracking and management to take place seamlessly. This is especially important from the vantage point of an IT professional, where there are massive volumes of assets to monitor.

Physical assets have a measurable lifecycle and need to be monitored so the maximum value of each item can be extracted to the benefit of the organization. Physical asset management can also benefit the company by making the current state of hardware and equipment easy to view as a snapshot, without having to perform a physical audit. Once a physical asset has reached the end of its lifecycle, it can then be decommissioned and replaced with new items.

What is people asset management?

As an information technology professional with a strong focus on cybersecurity, you must understand the biggest dangers to your environment and assets are likely to come from within your organization. Not all threats are intentional, however. Sometimes, a user may accidentally reveal a sensitive password to an external party, or divulge confidential information that compromises security within a company. Much like other assets, people must be categorized and managed to ensure they are granted appropriate access and security levels.

Because the people within your organization handle all of the assets we have looked at thus far, their access must be closely monitored. This must be done so support can be given in the event of a systems, equipment or accessibility issue, or if a critical outage occurs. In order for your company to do well, your people need to have access to the appropriate assets and be able to use them effectively. It is for this reason that people asset management is such an important aspect of asset management. Without effective employees, your organization will grind to a halt.

What are critical assets?

A critical asset can be any of the aforementioned assets: informational assets, physical assets, people assets or software assets. These are all valuable assets needed to maintain financial systems, business operations or other mission-critical systems, where failure is serious enough to affect ongoing operations. These consequences make it worthwhile to have active system monitoring, such as asset control in place, to ensure that any and all precautions are taken to avert a disaster.

It is important to make the distinction between the severe consequences of a critical asset’s failure versus the actual probability of it failing. Although critical assets have the potential to become an extreme and perilous consequence in the event of failure, it doesn't necessarily mean that the asset is especially unreliable or unstable. Critical assets could be specific facilities, systems, or specialized or standard equipment which, if destroyed, removed, or taken offline or out of service, would have a direct impact on the organization in question. The same could be said of people assets who possess confidential and proprietary information, and whose absence would cause destabilization within the business.

Asset management systems as risk aversion tools

The ultimate goal for any information security professional is to mitigate risk and avert potential threats You should strive to maintain seamless business operations, while safeguarding all of your company’s valuable assets. There are a variety of systems available to help you monitor and manage assets within the modern enterprise, so finding the right tool to take control of these systems is of critical importance to any information technology department. Not only does this guarantee the safeguarding of your company’s assets, but it also ensures all assets are monitored and managed if needed.

What is the business value of asset management?

Asset management systems allow for the optimization of existing equipment and infrastructure, and will ensure the organization can continue to get the most value from their existing assets. Having the right management procedures in place will also ensure your company is able to predict upcoming requirements going into the future, while minimizing risks and potential down time.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

It is for these reasons that understanding how to classify an asset is so important; it will allow you to manage your department more efficiently, while safeguarding your company from any potential risks to the operation. It will also highlight your skills as an information security specialist, and show how you add value to the business.

Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.