Assets and Change Management

Question 1

Asset Management

Answer 1

Systematic process of developing, operating, maintaining, and selling assets cost-effectively

Question 2

Change management

Answer 2

Structured approach to transitioning from a current state to a desired future state

Question 3

Acquisition and Procurement

Answer 3

Structured process of sourcing, vetting, and obtaining security technologies and services

Question 4

Three Main Mobile Device Deployment Models

Answer 4

1: BYOD (Bring Your Own Device)
 Employees use personal devices for work
 Cost-effective for employers
 Drawbacks include reduced control over security and
device management

2: COPE (Corporate-Owned, Personally Enabled)
 The company provides devices for employees
 Greater control over security and standards
 Higher initial investment
 Employees may have privacy concerns or need to carry
two devices

3: CYOD (Choose Your Own Device)
 Employees select devices from a company-approved list
 Balance between employee choice and organizational
control
 Similar drawbacks to COPE in terms of initial cost and
potential privacy concerns

Question 5

Assignment/Accounting and Monitoring/Asset Tracking

Answer 5

 Clear ownership and classification of assets
 Rigorous monitoring through inventory checks and
MDM solutions

Question 6

Asset Disposal and Decommissioning processes

Answer 6

 Sanitization, destruction, certification, data retention
 Minimizes the risk of unauthorized access or data
breaches

Question 7

Change Management Importance

Answer 7

 Strict approval for every change
 Consideration of CAB insights, ownership, stakeholder
involvement, and impact analysis

Question 8

Change Management Processes best practices

Answer 8

 Schedule maintenance windows
 Thorough backout plans
 Consistent testing post-implementation

Question 9

Technical Implications of Changes management aspects

Answer 9

 Allow lists, deny lists
 Handling downtime, restarts
 Managing legacy applications and dependencies

Question 10

Conducting the acquisition and procurement process - understanding different types of purchase options

Answer 10

Company Credit Card
 Quick purchase of low-cost items
 Transaction limits and item restrictions

Individual Purchase
 Employee purchases, seeks reimbursement
 Used in emergencies or when no company credit card
is available

Purchase Order
 Formal document issued by the purchasing department
 For larger, more expensive purchases
 Dictates payment terms (NET 15, NET 30, NET 60)

Question 11

Internal Approval Process

Answer 11

 Ensures purchase alignment with company goals
 Validates budget allocation
 Assesses security and compatibility with existing
infrastructure

Question 12

Post-Approval Procurement

Answer 12

 Security checks and configurations
 User training
 Integration into the existing workflow

Question 13

Considerations when selecting Mobile Device Deployment model

Answer 13

Consider the specific needs, budget constraints, and risk appetite of your organization

Question 14

Tangible vs intangible assets

Answer 14

Tangible Assets
 Office buildings
 Computers
 Machinery

Intangible Assets
 Intellectual property
 Organization’s reputation
 Goodwill

Question 15

Assignment and Accounting of Assets

Answer 15

 Each asset assigned to a person or group, known as
owners
 Process referred to as the allocation or assignment of
ownership
 Avoids ambiguity, aids troubleshooting, upgrades, and
replacements

Question 16

Classification and Categorization

Answer 16

 Assets should be classified and categorized
 Classification based on criteria such as function and
value
 Informs maintenance, replacement, or retirement
decisions
 High-value assets may require stringent maintenance
schedules
 Low-value assets may be considered for recycling or
disposal

Question 17

Monitoring and Tracking of Assets

Answer 17

Ensures proper accounting and optimal use of assets

Asset Monitoring
 Maintaining an inventory with specifications, location,
and assigned users

Asset Tracking
 Goes beyond monitoring, involving the location, status,
and condition of assets using specialized software and
tracking technologies

Question 18

Enumeration

Answer 18

 Identifies and counts assets, especially in large
organizations or during times of asset procurement or
retirement
 Aids in maintaining an accurate inventory
 Proactive approach for risk management and resource
optimization

Question 19

Mobile Device Management (MDM)

Answer 19

 Manages and tracks mobile devices
- Smartphones
- Tablets
- Laptops
- Wearables
 Centralizes management, enforces corporate policies,
ensures software uniformity, safeguards sensitive data
 Enables remote lock and wipe of lost devices, remote
software updates, and consistent user experiences
 Reduces risks associated with unsecured or outdated
devices

Question 20

Asset Disposal and Decommissioning

Answer 20

Necessity to manage the disposal of outdated assets

Question 21

NIST Special Publication 800-88 (Guidelines for Media Sanitization

Answer 21

Provides guidance on asset disposal and decommissioning

Question 22

Sanitization and its methods used

Answer 22

 Thorough process to make data inaccessible and
irretrievable from storage medium using traditional
forensic methods
 Applies to various storage media

Methods include
1: Overwriting
2: Replacing the existing data on a storage device with
random bits of information to ensure that the original
data is obscured
3: Repeated several times to reduce any chance of the
original data being recovered
4: Overwriting can use a single pass, 7 passes, or 35
passes

Question 23

Degaussing

Answer 23

 Utilizes a machine called a degausser to produce a
strong magnetic field that can disrupt magnetic
domains on storage devices like hard drives or tapes
 Renders data on the storage medium unreadable and
irretrievable
 Permanent erasure of data but makes the device
unusable
 After degaussing, a device can no longer be used to
store data

Question 24

Secure erase

Answer 24

 Deletes data and ensures it can’t be recovered
 Implemented in firmware level of storage devices

Question 25

Cryptographic Erase (CE)

Answer 25

 Utilizes encryption technologies for data sanitization
 Destroys or deletes encryption keys, rendering data
unreadable
 Quick and efficient method of sanitization
 Supports device repurposing without data leakage

Question 26

Destruction and methods

Answer 26

Goes beyond sanitization, ensures physical device is unusable

Used for high-security environments, especially with Secret or Top-Secret data

Recommended methods
 Shredding
 Pulverizing
 Melting
 Incinerating

Question 27

Certification

Answer 27

 Acts as proof that data or hardware has been securely
disposed of
 Important for organizations with regulatory
requirements
 Creates an audit log of sanitization, disposal, or
destruction

Question 28

Data retention

Answer 28

 Strategically deciding what to keep and for how long
 Data has a lifecycle from creation to disposal

Reasons to retain data
 Regulatory requirements
 Historical analysis
 Trend prediction

Question 29

Dispute resolution

Answer 29

 Retaining everything is not feasible due to costs and
security risks
 The more you store, the more you must secure
 Clutter and excessive data require additional security
measures

Question 30

Data Protection

Answer 30

 All data needs protection from potential data breaches
 More data requires more extensive security measures
 Leads to higher costs and resource allocation
 Excessive data complicates retrieval and analysis

Question 31

Change is essential but requires

Answer 31

 Precision
 Planning
 Structured approach

Question 32

Challenges of Change

Answer 32

 Unplanned or poorly coordinated changes can lead to
resistance and confusion
 Even seemingly simple changes, like software upgrades,
can cause issues
 Existing processes become disrupted by changes,
impacting efficiency

Question 33

Change Advisory Board (CAB)

Answer 33

 Body of representatives from various parts of an
organization that is responsible for evaluation of any
proposed changes
 Evaluates proposed changes before approval, assesses
viability, impacts, and alignment with objectives

Question 34

Change Owner

Answer 34

 Individual or team responsible for initiating change
request
 Advocates for the change, details reasons, benefits, and
challenges
 Key in presenting the case for the change

Question 35

Impact Analysis

Answer 35

 Integral part of the Change Management process
 Essential before implementing proposed changes
 Assesses potential fallout, immediate effects, long-term
impacts
 Identifies challenges and prepares for maximizing
benefits

Question 36

Five Main Steps in Change Management

Answer 36

1: Preparing for the Change

2: Creating a Vision for the Change

3: Implementing the Change

4: Verifying the Change

5: Documenting the Change

Question 37

Key Aspects of the Change Management Process

Answer 37

1: Scheduled Maintenance Window
 Designated timeframes for implementing changes
 Reduces potential disruptions to daily operations
 Allows flexibility for emergency changes

2: Backout Plan
 Pre-determined strategy to revert systems to their
original state in case of issues during change
implementation
 Acts as a safety net for ensuring quick return to normal
operations

3: Testing the Results
 Validates the success of the change by conducting tests
on systems and operational processes after
implementation
 Ensures desired outcomes and identifies areas needing
further adjustments

Question 38

Technical Implications of Changes

Answer 38

1: Technical Implications of Changes
Allow Lists and Deny Lists

Allow List
 Specifies entities permitted to access a resource

Deny List
 Lists entities prevented from accessing a resource
 Review both lists when proposing changes to prevent
unintended access restrictions or grants
 Essential for maintaining system functionality and
security

2: Restricted Activities
 Certain tasks labeled as ‘restricted’ due to their impact
on system health or security
 Verify proposed changes for any restricted activities
 Prevent data breaches and operational disruptions by
understanding restrictions

3: Downtime
 Any change, even minor, carries the risk of causing
downtime
 Estimate potential downtime and assess its negative
effects against benefits
 Schedule changes during maintenance windows to
minimize impacts on end users

4: Service and Application Restarts
 Some changes, like installing security patches, require
service or application restarts
 Restarting critical services can be disruptive, potentially
causing data loss
or backlog
 Consider the implications of restarts, especially for key
servers

5: Legacy Applications
 Older software or systems still in use due to
functionality and user needs
 Legacy applications are less flexible and more sensitive
to changes
 Minor updates can lead to malfunctions or crashes, so
assess their compatibility.

6: Dependencies
 Interconnected systems create dependencies, where
changes in one area affect others
 Mapping dependencies is crucial before implementing
changes
 Prevents cascading effects, outages, or disruptions in
various parts of your network

Question 39

Version Control

Answer 39

 Tracks and manages changes in documents, software,
and other files
 Allows multiple users to collaborate and revert to
previous versions when needed
 Ensures changes do not create chaos and helps track
project evolution
 Preserves past iterations and ensures continuity and
stability