What is this theme about?
An asset is a resource or an item of property that is owned or controlled by your organisation and has a value. In order for you to apply the Cyber Baseline controls, it is important you understand what assets you have.
Business assets can include:
-
information or data
-
-
customer details
-
mailing lists
-
billing and payroll
-
reports
-
emails
-
intellectual property etc
-
-
-
hardware
-
-
laptops and computers
-
thin clients
-
servers
-
mobile phone
-
tablets
-
firewalls
-
routers
-
-
Please note, personal devices used by staff for business purposes -often known as “Bring Your Own Device” or BYOD, must be included in the asset register.
-
Software
-
-
Operating Systems such as Windows, macOS, IOS, Android, Linux
-
Commercial applications and other software programs such as, internet browsers, anti-malware, office applications, accounts packages etc
-
Commercial extensions and plugins for software e.g., to add features to email clients or internet browsers
-
Server software including operating systems, virtualisation software (hypervisors), virtual desktop software, email software, databases etc
-
-
Cloud services are third party services (these are covered in theme 1, Organisation) but they are also important assets because they contain or interact with organisational data and services.
-
Cloud services are located on servers elsewhere and accessed via an internet connection. They can include:
-
-
storage and software solutions
-
development platforms
-
IT infrastructure
-
-
An asset register is a document or series of documents that lists what you have, where it is and who is in charge of it.
IASME can provide an asset register template that can be adapted for most organisations.
It is recommended that you take these steps:
-
Keep an up-to-date asset register of your devices used to create, read, store and process data.
-
Maintain a software inventory and implement this as an *approved list of software that can be installed on your devices.
-
By understanding what software you use, it will help you understand when it becomes *unsupported and no longer receiving security updates.
Explainers
What is an ‘approved list’?
An ‘approved list’ is a list of software that is identified as necessary and appropriate for use within the organisation and is approved to be installed on your devices. You can achieve this with a technical solution or maintain a documented software asset register.
*What does supported or unsupported software mean?
All software contains errors -often called, ‘vulnerabilities’ which cyber criminals can potentially use as openings to access data. Within a piece of software’s functioning life span, as soon as an error or ‘vulnerability’ is discovered, the manufacturer creates some additional code to correct the error. This is known as ‘patching’. All modern software will need to ‘update’ on a regular basis as part of its maintenance. This ‘support’ ensures that all critical and high updates are installed within 14 days of the update being made available by the software vendor. When software gets to a certain age, the manufacturer will cease to create and send out patches. At this point, the software is classed as no longer supported or ‘end of life’ (EOL). It is no longer secure to use and not compliant for Cyber Baseline.