Assets and Change Management Flashcards
Asset Management
Systematic process of developing, operating, maintaining, and selling assets cost-effectively
Change management
Structured approach to transitioning from a current state to a desired future state
Acquisition and Procurement
Structured process of sourcing, vetting, and obtaining security technologies and services
Three Main Mobile Device Deployment Models
1: BYOD (Bring Your Own Device)
Employees use personal devices for work
Cost-effective for employers
Drawbacks include reduced control over security and device management
2: COPE (Corporate-Owned, Personally Enabled)
The company provides devices for employees
Greater control over security and standards
Higher initial investment
Employees may have privacy concerns or need to carry two devices
3: CYOD (Choose Your Own Device)
Employees select devices from a company-approved list
Balance between employee choice and organizational control
Similar drawbacks to COPE in terms of initial cost and potential privacy concerns
Assignment/Accounting and Monitoring/Asset Tracking
Clear ownership and classification of assets
Rigorous monitoring through inventory checks and MDM solutions
Asset Disposal and Decommissioning processes
Sanitization, destruction, certification, data retention
Minimizes the risk of unauthorized access or data breaches
Change Management Importance
Strict approval for every change
Consideration of CAB insights, ownership, stakeholder involvement, and impact analysis
Change Management Processes best practices
Schedule maintenance windows
Thorough backout plans
Consistent testing post-implementation
Technical Implications of Changes (change management aspects)
Allow lists, deny lists
Handling downtime, restarts
Managing legacy applications and dependencies
Conducting the acquisition and procurement process - understanding different types of purchase options
Company Credit Card
Quick purchase of low-cost items
Transaction limits and item restrictions
Individual Purchase
Employee purchases, seeks reimbursement
Used in emergencies or when no company credit card is available
Purchase Order
Formal document issued by the purchasing department
For larger, more expensive purchases
Dictates payment terms (NET 15, NET 30, NET 60)
Internal Approval Process
Ensures purchase alignment with company goals
Validates budget allocation
Assesses security and compatibility with existing infrastructure
Post-Approval Procurement
Security checks and configurations
User training
Integration into the existing workflow
Considerations when selecting Mobile Device Deployment model
Consider the specific needs, budget constraints, and risk appetite of your organization
Tangible vs intangible assets
Tangible Assets
Office buildings
Computers
Machinery
Intangible Assets
Intellectual property
Organization’s reputation
Goodwill
Assignment and Accounting of Assets
Each asset assigned to a person or group, known as owners
Process referred to as the allocation or assignment of ownership
Avoids ambiguity, aids troubleshooting, upgrades, and replacements
Classification and Categorization
Assets should be classified and categorized
Classification based on criteria such as function and value
Informs maintenance, replacement, or retirement decisions
High-value assets may require stringent maintenance schedules
Low-value assets may be considered for recycling or disposal
Monitoring and Tracking of Assets
Ensures proper accounting and optimal use of assets
Asset Monitoring
Maintaining an inventory with specifications, location, and assigned users
Asset Tracking
Goes beyond monitoring, involving the location, status, and condition of assets using specialized software and tracking technologies
Enumeration
Identifies and counts assets, especially in large organizations or during times of asset procurement or retirement
Aids in maintaining an accurate inventory
Proactive approach for risk management and resource optimization
Mobile Device Management (MDM)
Manages and tracks mobile devices
- Smartphones
- Tablets
- Laptops
- Wearables
Centralizes management, enforces corporate policies, ensures software uniformity, safeguards sensitive data
Enables remote lock and wipe of lost devices, remote software updates, and consistent user experiences
Reduces risks associated with unsecured or outdated devices
Asset Disposal and Decommissioning
Necessity to manage the disposal of outdated assets
NIST Special Publication 800-88 (Guidelines for Media Sanitization)
Provides guidance on asset disposal and decommissioning
Sanitization and its methods used
Thorough process to make data inaccessible and irretrievable from storage medium using traditional forensic methods
Applies to various storage media
Methods include
Overwriting
Replacing the existing data on a storage device with random bits of information to ensure that the original data is obscured
Repeated several times to reduce any chance of the original data being recovered
Overwriting can use a single pass, 7 passes, or 35 passes
Degaussing
Utilizes a machine called a degausser to produce a strong magnetic field that can disrupt magnetic domains on storage devices like hard drives or tapes
Renders data on the storage medium unreadable and irretrievable
Permanent erasure of data but makes the device unusable
After degaussing, a device can no longer be used to store data
Secure erase
Deletes data and ensures it can’t be recovered
Implemented in firmware level of storage devices
Cryptographic Erase (CE)
Utilizes encryption technologies for data sanitization
Destroys or deletes encryption keys, rendering data unreadable
Quick and efficient method of sanitization
Supports device repurposing without data leakage
Destruction and methods
Goes beyond sanitization, ensures physical device is unusable
Used for high-security environments, especially with Secret or Top-Secret data
Recommended methods
Shredding
Pulverizing
Melting
Incinerating
Certification
Acts as proof that data or hardware has been securely disposed of
Important for organizations with regulatory requirements
Creates an audit log of sanitization, disposal, or destruction
Data retention
Strategically deciding what to keep and for how long
Data has a lifecycle from creation to disposal
Reasons to retain data
Regulatory requirements
Historical analysis
Trend prediction
Dispute resolution
Retaining everything is not feasible due to costs and security risks
The more you store, the more you must secure
Clutter and excessive data require additional security measures
Data Protection
All data needs protection from potential data breaches
More data requires more extensive security measures
Leads to higher costs and resource allocation
Excessive data complicates retrieval and analysis
Change is essential but requires
Precision
Planning
Structured approach
Challenges of Change
Unplanned or poorly coordinated changes can lead to resistance and confusion
Even seemingly simple changes, like software upgrades, can cause issues
Existing processes become disrupted by changes, impacting efficiency
Change Advisory Board (CAB)
Body of representatives from various parts of an organization that is responsible for evaluation of any proposed changes
Evaluates proposed changes before approval, assesses viability, impacts, and alignment with objectives
Change Owner
Individual or team responsible for initiating change request
Advocates for the change, details reasons, benefits, and challenges
Key in presenting the case for the change
Impact Analysis
Integral part of the Change Management process
Essential before implementing proposed changes
Assesses potential fallout, immediate effects, long-term impacts
Identifies challenges and prepares for maximizing benefits
Five Main Steps in Change Management
1: Preparing for the Change
2: Creating a Vision for the Change
3: Implementing the Change
4: Verifying the Change
5: Documenting the Change
Key Aspects of the Change Management Process
1: Scheduled Maintenance Window
Designated timeframes for implementing changes
Reduces potential disruptions to daily operations
Allows flexibility for emergency changes
2: Backout Plan
Pre-determined strategy to revert systems to their original state in case of issues during change implementation
Acts as a safety net for ensuring quick return to normal operations
3: Testing the Results
Validates the success of the change by conducting tests on systems and operational processes after implementation
Ensures desired outcomes and identifies areas needing further adjustments
Technical Implications of Changes
1: Allow Lists and Deny Lists
Allow List
Specifies entities permitted to access a resource
Deny List
Lists entities prevented from accessing a resource
Review both lists when proposing changes to prevent unintended access restrictions or grants
Essential for maintaining system functionality and security
2: Restricted Activities
Certain tasks labeled as ‘restricted’ due to their impact on system health or security
Verify proposed changes for any restricted activities
Prevent data breaches and operational disruptions by understanding restrictions
3: Downtime
Any change, even minor, carries the risk of causing downtime
Estimate potential downtime and assess its negative effects against benefits
Schedule changes during maintenance windows to minimize impacts on end users
4: Service and Application Restarts
Some changes, like installing security patches, require service or application restarts
Restarting critical services can be disruptive, potentially causing data loss or backlog
Consider the implications of restarts, especially for key servers
5: Legacy Applications
Older software or systems still in use due to functionality and user needs
Legacy applications are less flexible and more sensitive to changes
Minor updates can lead to malfunctions or crashes, so assess their compatibility
6: Dependencies
Interconnected systems create dependencies, where changes in one area affect others
Mapping dependencies is crucial before implementing changes
Prevents cascading effects, outages, or disruptions in various parts of your network
Version Control
Tracks and manages changes in documents, software, and other files
Allows multiple users to collaborate and revert to previous versions when needed
Ensures changes do not create chaos and helps track project evolution
Preserves past iterations and ensures continuity and stability
Key elements of proper documentation
Updating diagrams to provide a visual representation of system architecture
Revising policies and procedures to address issues or improvements
Updating change requests and trouble tickets to reflect successful completion
Proper documentation is critical for clarity and accountability