Assets and Change Management Flashcards
Asset Management
Systematic process of developing, operating, maintaining, upgrading, and disposing of assets cost-effectively
Change management
Structured approach to transitioning from a current state to a desired future state
Acquisition and Procurement
Structured process of sourcing, vetting, and obtaining security technologies and services
Three Main Mobile Device Deployment Models
1: BYOD (Bring Your Own Device)
Employees use personal devices for work
Cost-effective for employers
Drawbacks include reduced control over security and device management
2: COPE (Corporate-Owned, Personally Enabled)
The company provides devices for employees
Greater control over security and standards
Higher initial investment
Employees may have privacy concerns or need to carry two devices
3: CYOD (Choose Your Own Device)
Employees select devices from a company-approved list
Balance between employee choice and organizational control
Similar drawbacks to COPE in terms of initial cost and potential privacy concerns
Assignment/Accounting and Monitoring/Asset Tracking
Clear ownership and classification of assets
Rigorous monitoring through inventory checks and MDM solutions
Asset Disposal and Decommissioning processes
Sanitization, destruction, certification, data retention
Minimizes the risk of unauthorized access or data breaches
Change Management Importance
Strict approval for every change
Consideration of CAB insights, ownership, stakeholder involvement, and impact analysis
Change Management Processes best practices
Schedule maintenance windows
Thorough backout plans
Consistent testing post-implementation
Technical implications of change management
Allow lists, deny lists
Handling downtime, restarts
Managing legacy applications and dependencies
Conducting the acquisition and procurement process - understanding different types of purchase options
Company Credit Card
Quick purchase of low-cost items
Transaction limits and item restrictions
Individual Purchase
Employee purchases, seeks reimbursement
Used in emergencies or when no company credit card is available
Purchase Order
Formal document issued by the purchasing department
For larger, more expensive purchases
Dictates payment terms (NET 15, NET 30, NET 60)
Internal Approval Process
Ensures purchase alignment with company goals
Validates budget allocation
Assesses security and compatibility with existing infrastructure
Post-Approval Procurement
Security checks and configurations
User training
Integration into the existing workflow
Considerations when selecting Mobile Device Deployment model
Consider the specific needs, budget constraints, and risk appetite of your organization
Tangible vs intangible assets
Tangible Assets
Office buildings
Computers
Machinery
Intangible Assets
Intellectual property
Organization’s reputation
Goodwill
Assignment and Accounting of Assets
Each asset is assigned to a person or group, known as its owner
Process referred to as the allocation or assignment of ownership
Avoids ambiguity, aids troubleshooting, upgrades, and replacements
Classification and Categorization
Assets should be classified and categorized
Classification based on criteria such as function and value
Informs maintenance, replacement, or retirement decisions
High-value assets may require stringent maintenance schedules
Low-value assets may be considered for recycling or disposal
Monitoring and Tracking of Assets
Ensures proper accounting and optimal use of assets
Asset Monitoring
Maintaining an inventory with specifications, location, and assigned users
Asset Tracking
Goes beyond monitoring, involving the location, status, and condition of assets using specialized software and tracking technologies
Enumeration
Identifies and counts assets, especially in large organizations or during times of asset procurement or retirement
Aids in maintaining an accurate inventory
Proactive approach for risk management and resource optimization
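Enumeration only pays off when the count is reconciled against the register: devices on the network that are not in the inventory (unregistered or rogue), inventoried assets that have not been seen for weeks (lost, stolen, or retired without decommissioning), and assets with no owner assigned. The following is an added example for this flashcard set, not code from the cards or from any CMDB or MDM product; the records are constructed sample data and the field names are assumptions, not a real product schema.

```python
"""Inventory reconciliation: compare the authoritative asset register against what
discovery actually saw (a network scan, DHCP leases, or an MDM export).

Added example for the flashcards; constructed sample data, assumed field names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class InventoryRecord:
    asset_id: str
    hostname: str
    mac: str
    owner: str            # "" when nobody has been assigned ownership
    classification: str   # "high" / "medium" / "low" from the classification step


@dataclass(frozen=True)
class DiscoveredDevice:
    mac: str
    hostname: str
    ip: str
    last_seen: datetime


def normalise_mac(mac: str) -> str:
    """Tools write MACs as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, or aabb.ccdd.eeff.
    Matching on the raw string would miss devices, so canonicalise first."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory: List[InventoryRecord],
              discovered: List[DiscoveredDevice],
              now: datetime,
              stale_days: int = 30) -> Dict[str, list]:
    """Return the four findings an asset owner has to act on:
    unknown - seen on the network but absent from the register
    missing - registered but not seen within stale_days
    unowned - registered with no owner assigned
    renamed - hostname on the wire differs from the register (reimaged or drifted)
    """
    inv_by_mac = {normalise_mac(r.mac): r for r in inventory}
    seen_by_mac = {normalise_mac(d.mac): d for d in discovered}
    cutoff = now - timedelta(days=stale_days)

    unknown = [d for mac, d in seen_by_mac.items() if mac not in inv_by_mac]
    missing = [r for mac, r in inv_by_mac.items()
               if mac not in seen_by_mac or seen_by_mac[mac].last_seen < cutoff]
    unowned = [r for r in inventory if not r.owner.strip()]
    renamed = [(r, seen_by_mac[mac]) for mac, r in inv_by_mac.items()
               if mac in seen_by_mac
               and seen_by_mac[mac].hostname.lower() != r.hostname.lower()]
    return {"unknown": unknown, "missing": missing, "unowned": unowned, "renamed": renamed}


def report(findings: Dict[str, list]) -> List[str]:
    """One line per finding, ready for a ticket or a daily e-mail."""
    lines = [f"UNKNOWN  {d.mac} {d.hostname} {d.ip}" for d in findings["unknown"]]
    lines += [f"MISSING  {r.asset_id} {r.hostname} (owner: {r.owner or 'none'}, "
              f"class: {r.classification})" for r in findings["missing"]]
    lines += [f"UNOWNED  {r.asset_id} {r.hostname}" for r in findings["unowned"]]
    lines += [f"RENAMED  {r.asset_id} {r.hostname} -> {d.hostname}"
              for r, d in findings["renamed"]]
    return lines


# Constructed sample data: four registered assets, four discovered devices.
NOW = datetime(2024, 6, 1, 9, 0)
INVENTORY = [
    InventoryRecord("A-1001", "fin-laptop-01", "00:1a:2b:3c:4d:01", "finance", "high"),
    InventoryRecord("A-1002", "eng-laptop-07", "00-1A-2B-3C-4D-02", "", "medium"),
    InventoryRecord("A-1003", "hr-desktop-03", "001a.2b3c.4d03", "hr", "medium"),
    InventoryRecord("A-1004", "lobby-printer-02", "00:1a:2b:3c:4d:04", "facilities", "low"),
]
DISCOVERED = [
    DiscoveredDevice("00:1A:2B:3C:4D:01", "fin-laptop-01", "10.0.1.10", NOW - timedelta(days=1)),
    DiscoveredDevice("00:1a:2b:3c:4d:02", "DESKTOP-8F2K1", "10.0.2.11", NOW - timedelta(hours=3)),
    DiscoveredDevice("00:1a:2b:3c:4d:03", "HR-DESKTOP-03", "10.0.3.12", NOW - timedelta(days=45)),
    DiscoveredDevice("00:1a:2b:3c:4d:99", "raspberrypi", "10.0.2.250", NOW),
]

if __name__ == "__main__":
    for line in report(reconcile(INVENTORY, DISCOVERED, NOW)):
        print(line)
```

Run as-is it reports the unregistered Raspberry Pi, the printer that was never seen, the HR desktop not seen for 45 days, the laptop with no owner, and the laptop whose hostname no longer matches the register. The stale window is the knob to tune: 30 days catches a stolen laptop without flooding the queue with staff on leave, but a high-classification asset would usually get a much shorter one.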
Mobile Device Management (MDM)
Manages and tracks mobile devices
- Smartphones
- Tablets
- Laptops
- Wearables
Centralizes management, enforces corporate policies, ensures software uniformity, safeguards sensitive data
Enables remote lock and wipe of lost devices, remote software updates, and consistent user experiences
Reduces risks associated with unsecured or outdated devices
Asset Disposal and Decommissioning
Necessity to manage the disposal of outdated assets
NIST Special Publication 800-88 (Guidelines for Media Sanitization)
Provides guidance on asset disposal and decommissioning, distinguishing Clear, Purge, and Destroy levels of sanitization by the strength of recovery attack each resists
Sanitization and its methods
Thorough process to make data inaccessible and irretrievable from a storage medium, including by forensic recovery tools
Applies to various storage media
Methods include
Overwriting
Replaces the existing data on a storage device with random bits or a fixed pattern so that the original data is obscured
Can be repeated several times to reduce any chance of the original data being recovered
Overwriting can use a single pass, 7 passes, or 35 passes (the 7-pass DoD 5220.22-M and 35-pass Gutmann schemes); NIST SP 800-88 treats a single verified pass as sufficient for modern magnetic drives
Not a reliable method for SSDs and other flash media, whose wear-levelling and over-provisioned blocks are not reachable by host writes; use a firmware-level secure erase or cryptographic erase there instead
Every overwrite should be followed by a verification read of the medium
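What a verified overwrite actually looks like, as an added example for these flashcards rather than code from the cards or from NIST SP 800-88: it runs over an ordinary file so it can be tried without touching hardware (the same code works on a block device path when run with permission). The pass count and the patterns are assumptions, and the final pass is a fixed byte precisely so that it can be verified afterwards; the host-level overwrite shown here cannot reach remapped sectors or an SSD's over-provisioned blocks.

```python
"""Overwrite-and-verify sanitization of a storage medium exposed as a file.

Added example for the flashcards. Works on a file or block device path; pass
count and patterns are assumptions. Does not reach remapped sectors or SSD
over-provisioning, which is what firmware secure erase is for.
"""
import hashlib
import os
import secrets
import tempfile
from typing import Dict, Optional

CHUNK = 1 << 20  # 1 MiB per write/read so a large device is never read into memory


def overwrite_pass(path: str, pattern: Optional[int]) -> None:
    """One full pass over the medium. pattern=None writes cryptographically random
    bytes; an int 0..255 writes that fixed byte (the final pass is fixed so it can be verified)."""
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            mv = memoryview(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
            while mv:                      # raw I/O may write fewer bytes than asked
                mv = mv[f.write(mv):]
            remaining -= n
        f.flush()
        os.fsync(f.fileno())               # push the writes past the page cache to the device


def verify_pass(path: str, pattern: int) -> bool:
    """Read the whole medium back and confirm every byte equals the final pass pattern.
    A sanitization that has not been verified has not been shown to work."""
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf.count(pattern) != len(buf):
                return False


def sanitize(path: str, random_passes: int = 1) -> bool:
    """Random pass(es) followed by a verifiable all-zero pass. Returns the verification result."""
    for _ in range(random_passes):
        overwrite_pass(path, None)
    overwrite_pass(path, 0x00)
    return verify_pass(path, 0x00)


def fingerprint(path: str) -> str:
    """SHA-256 of the medium, read in chunks; used to show the contents changed."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def demo(size_bytes: int = 3 * CHUNK + 17) -> Dict[str, bool]:
    """Constructed sample: a temp image filled with a recognisable marker, sanitized, then checked."""
    marker = b"TOP-SECRET-PAYROLL "
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((marker * (size_bytes // len(marker) + 1))[:size_bytes])
        before = fingerprint(path)
        verified = sanitize(path, random_passes=1)
        with open(path, "rb") as f:
            leftover = f.read()
        return {
            "verified": verified,
            "size_unchanged": len(leftover) == size_bytes,
            "marker_gone": marker not in leftover,
            "all_zero": leftover.count(0) == len(leftover),
            "fingerprint_changed": fingerprint(path) != before,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'PASS' if ok else 'FAIL'}")
```

The verification read is the part people skip and the part a sanitization certificate has to be able to point to. Note that verify_pass only proves the final pass landed on the logical blocks the host can see; a drive that has silently remapped a failing sector, or an SSD rotating writes across spare flash, still holds old data the host never addressed, which is why the later cards move to firmware-level erasure.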
Degaussing
Utilizes a machine called a degausser to produce a strong magnetic field that disrupts the magnetic domains on storage devices like hard drives or tapes
Renders data on the storage medium unreadable and irretrievable
Permanent erasure of data, but it also destroys the servo tracks and firmware areas the drive needs, so the device is unusable afterwards
After degaussing, a device can no longer be used to store data
Has no effect on SSDs, USB flash drives, or other non-magnetic media
Secure erase
Deletes data and ensures it can't be recovered
Implemented at the firmware level of storage devices (for example the ATA SECURITY ERASE UNIT command or NVMe Sanitize), so it can reach areas a host overwrite cannot, such as remapped sectors and SSD over-provisioned blocks