Domain 4

4.2 Asset Management

Explain the security implications of proper hardware, software, and data asset management.

0% Complete

1

4.2.1 Acquisition & Procurement

Acquisition and procurement is the strategic process of selecting, evaluating, and purchasing hardware, software, and services while ensuring they align with an organization's security posture and compliance requirements.

Third-Party Risk Management Security begins before a product enters the environment by evaluating the vendor's own security practices. - Vendor Assessment: Reviewing a provider’s security history, financial stability, and technical capabilities using questionnaires or audits. - Supply Chain Security: Ensuring that hardware (like servers) or software (like code libraries) has not been tampered with during manufacturing or transit. - Supply Chain Analysis: Identifying dependencies on "fourth-party" vendors to prevent a single point of failure in the broader ecosystem.

Procurement Documentation Formal legal and technical documents define the relationship between an organization and its providers. - Request for Proposal (RFP): A formal invitation for vendors to submit a bid, detailing how they will meet specific security and technical requirements. - Statement of Work (SOW): A detailed document outlining the specific tasks, deliverables, and timelines a vendor must satisfy. - Service Level Agreement (SLA): Specifically defines performance metrics such as uptime (e.g., "99.9%"), response times, and penalties for failure. - Memorandum of Understanding (MOU): A non-binding agreement expressing a mutual intent to work together toward a common goal. - Interconnection Security Agreement (ISA): Outlines the technical security requirements for establishing a direct connection between two organizations' networks.

Hardware and Software Lifecycle Managed procurement ensures that assets are supportable and secure throughout their entire lifespan. - End-of-Life (EOL): The point when a manufacturer stops producing or selling a product; it may still receive security updates for a limited time. - End-of-Service-Life (EOSL): The critical date when a vendor stops providing all support, including security patches, making the asset a significant risk. - Patch Management: Integration of procurement with security operations to ensure newly acquired software can be updated and audited.

Hardware Roots of Trust Procurement must verify the physical integrity of components to prevent "counterfeit" hardware. - Trusted Platform Module (TPM): A dedicated microcontroller that provides hardware-based security functions like disk encryption and secure boot. - Hardware Security Module (HSM): A physical device used for secure key management and high-speed cryptographic processing.

Quick recall - SLA: Focuses on performance and uptime metrics. - ISA: Focuses on technical security controls for network interconnections. - SOW: Focuses on deliverables and "work to be done." - EOSL: The highest risk phase; no more security patches are issued. - Supply Chain: Evaluates the entire path from manufacture to delivery.

2

4.2.2 Assignment & Accounting

Ownership, classification.

3

4.2.3 Monitoring & Asset Tracking

4

4.2.4 Disposal & Decommissioning

Sanitization, destruction, retention.