NHS DSPT: Managing Risk - A3 Asset Management

Written by Craig Pepper | Jan 24, 2025 9:16:56 AM
 
A3.a Asset Management

Key Point:

Your organisation must have a complete understanding of all assets required to deliver, maintain, or support your essential functions. This includes data, systems, people, and supporting infrastructure like power and cooling.

Overview:

Effective asset management means having a current and thorough inventory of all your organisation’s assets, such as data, hardware, software, and connected medical devices. This allows you to protect, use, and manage these assets effectively to support your essential functions.

How to Meet the Requirement:

You need to identify and document all critical assets, ensuring your inventory is up to date and accurately reflects the resources needed to maintain your essential services. These assets may include:

  • Information assets (data, records)
  • Hardware and software assets
  • Connected medical devices
  • Systems storing personal, business, or commercial data

An information asset register should be maintained to log all the data your organisation holds, where it is located, and who is responsible for it. This helps ensure legal compliance with data protection regulations and provides a solid foundation for managing risk, especially during incidents where data is compromised or unavailable.

For hardware and software, tools can be used to help survey and catalogue assets, but keep in mind any limitations these tools may have. Your inventory should include details like asset type, location, software, ownership, maintenance arrangements, and criticality to service delivery.

Evidence to Provide:

Submit documentation such as:

  • Asset registers (for information, hardware, and connected devices)
  • Inventory audit reports
  • Risk assessments linked to asset management
  • Policies or strategies for asset management, IT disposal, and IP address management
  • Data destruction certificates
  • Network architecture diagrams

Ensure your evidence is comprehensive and up to date, showing how assets are tracked, managed, and protected.

Indicators of Good Practice:

  • All assets critical to the operation of essential functions are documented, with an up-to-date inventory.
  • An information asset register is maintained and reviewed regularly.
  • Asset management processes include the identification and management of obsolete devices, and secure handling of reused or disposed assets.

Asset Management Process and Best Practices

Information Asset Register (IAR):

The IAR is a key component of effective asset management. It provides a single, unified view of all information assets your organisation holds, including personal data. Keeping this register up to date helps mitigate risks and ensures compliance with data protection regulations.

Hardware and Software Assets:

Using survey tools can assist in building a comprehensive inventory of your hardware and software. These tools may not track all installed software, so manual review or supplementary methods may be necessary to maintain an accurate catalogue.

Connected Medical Devices:

Medical devices connected to your network should be logged in a dedicated register. This register should include device details, vendor information, network segmentation, and static IP addresses (if applicable). This ensures you can track and manage these devices efficiently, especially when assessing risks.

Assigning Responsibility:

Every asset should have a designated owner who is responsible for understanding where the asset is stored, how it is used, and how access is controlled. This person should also manage risks associated with the asset, such as data loss, and ensure proper procedures are followed during asset transfer or disposal.

A3 Asset Management: Key Considerations

Asset Management and Obsolete Devices:

Ensure your asset management process includes identifying and dealing with obsolete devices, as well as applying appropriate security controls when assets are reused or disposed of.

Asset Discovery Tools:

Leverage asset discovery tools to enhance your asset registers, ensuring they are accurate and up to date. These tools can synchronise data from various sources, providing a more complete picture of your organisation’s assets.
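
One way to reconcile a discovery tool export against the hardware and connected device register, shown as an added example that is not part of the original article. The CSV column names, asset IDs, hostnames and addresses are constructed for illustration, and the required-field list follows the inventory details the article names.

```python
import csv
import io

# Details the article says an inventory entry should carry (column names assumed).
REQUIRED = ["asset_type", "location", "software", "owner", "maintenance", "criticality"]

# Constructed sample: hardware / connected device register export.
REGISTER_CSV = """asset_id,ip,asset_type,location,software,owner,maintenance,criticality
HW-001,10.20.0.11,workstation,Ward 4,Windows 11,Ward Manager,Vendor contract,medium
HW-002,10.20.0.12,server,Data centre,Windows Server 2019,,In-house,high
MD-001,10.30.0.5,infusion pump,Ward 2,Vendor firmware,Clinical Engineering,,high
HW-003,10.20.0.40,laptop,Stores,Windows 10,IT Service Desk,In-house,low
"""

# Constructed sample: export from a network discovery tool.
DISCOVERY_CSV = """ip,hostname
10.20.0.11,ws-ward4
10.20.0.12,srv-app1
10.30.0.5,pump-02
10.20.0.77,unknown-host
"""

def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(register, discovered):
    """Compare the register with what the discovery tool observed."""
    registered_ips = {r["ip"] for r in register if r.get("ip")}
    seen_ips = {d["ip"] for d in discovered}
    incomplete = {}
    for r in register:
        missing = [f for f in REQUIRED if not (r.get(f) or "").strip()]
        if missing:
            incomplete[r["asset_id"]] = missing
    return {
        # On the network but absent from the register: investigate and record.
        "unregistered": sorted(seen_ips - registered_ips),
        # Registered but not observed: tool blind spot, powered off, or disposed.
        "not_seen": sorted(r["asset_id"] for r in register if r.get("ip") not in seen_ips),
        # Entries lacking an owner or another required detail.
        "incomplete": incomplete,
    }

if __name__ == "__main__":
    for finding, items in reconcile(load(REGISTER_CSV), load(DISCOVERY_CSV)).items():
        print(finding, items)
```

Items in `not_seen` are candidates for the manual review the article mentions, since a discovery tool may simply not reach a device that still exists.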

Vulnerability Management:

Regularly cross-reference sector-wide vulnerabilities with the devices and software listed in your asset inventory. This proactive approach ensures that potential security risks are identified and addressed quickly.

Ensure your organisation’s asset management processes meet the DSPT standards. If you need assistance with setting up or refining your asset registers, managing connected devices, or assessing risks related to your assets, Periculo is here to help. Contact us today to safeguard your organisation’s critical infrastructure and data!