Know About ISO/IEC 27002 Asset Management Control Themes

The asset management controls are spread across all four control themes namely, Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8) and are by nature preventive. In this blog, I shall be focusing on the asset management controls belonging to the organizational and technological themes while describing the remaining controls in subsequent blogs related to other operational capabilities that merge with asset management.

Let us first define the term, “information asset” – any piece of valuable information to the organization, for example, trade secrets, intellectual property, strategic plans, employee information, client information, etc. Before planning to establish an information security management system (ISMS), it is of utmost importance to create an asset inventory.

The information asset profiling method outlined by The CERT Survivable Enterprise Management group at the Software Engineering Institute, Carnegie Mellon University, comes with useful guidelines and templates to create a detailed description of your organization’s information assets as well as its supporting assets which are termed as “asset containers”.

This useful method helps to define the asset, describe the asset, identify its owners and custodians, state its security requirements in terms of confidentiality, integrity, and availability and finally discuss its valuation.

**note that for the remainder of this blog, the term “asset” refers to information assets and associated or supporting assets.

From the security controls point-of-view, the controls which help in protecting information and its associated (or supporting) assets revolve around:

• Creating an inventory of assets and managing them
• The acceptable use of assets
• Return of assets (in case of an employee leaving the organization)
• Managing user end-point devices

Let us take a look at some of the guidelines for implementing these asset management controls.

5.9 Index of Information and Other Related Assets

It is important for any organization to create an inventory of information assets and their associated assets (or asset containers with the specific location) including the asset owners. This inventory should be maintained at planned intervals. All the relevant information must be documented and reviewed for its accuracy, timeliness, and consistency.

An asset owner is a person responsible for managing the asset. The owner assumes the responsibilities and accountability for safeguarding that asset. Some of these responsibilities can be delegated to the asset custodian(s) while ensuring that the owner remains accountable for the management of the asset and its protection.

Custodians help owners in implementing specific controls, processes, and policies for managing and safeguarding assets. It, therefore, becomes essential to identify asset owner(s) and custodian(s) for each information, hardware, software, network, and people asset listed in the asset inventory.

The asset owner is responsible for the following tasks and a topic-specific policy on asset management should contain points with regard to:

1. Creating and maintaining the inventory of information and associated assets
2. Ensuring that the information asset is classified appropriately according to the data classification policy followed in the organization. The supporting (or associated) assets of the information asset will receive the same classification level.
3. Reviewing the identified information and supporting assets regularly (including the classification level associated with the asset)
4. Enforcing an inventory update (which can be automated) when installing, changing, or removing an asset
5. Establishing the requirements for acceptable use of assets and access restrictions corresponding to the classification of the asset
6. Secure deletion or disposal of assets
7. Identifying and managing security and privacy risks associated with the assets
8. Extending support to the asset custodians and relevant personnel in managing the assets

5.10 Acceptable Use of Information and Other Associated Assets

In Asset Management Controls, the organization must have a topic-specific policy on the acceptable use of assets to provide clear direction on the:

1. Information security practices to be followed when using and handling assets
2. Expected and unacceptable behavior in protecting, using, and handling assets
3. Permitted and prohibited use of information and supporting assets
4. User activities being monitored by the organizations when using and handling assets

Further, based on the classification level associated with the asset and its security requirements (in reference to the risks assessed), when preparing the acceptable use policy (and/or procedures) organizations should consider:

1. Various access restrictions (access control policies) according to the level of classification for the assets
2. The record of authorized users of those assets (authorization could be based on the roles or attributes of the user as per the access control policy)
3. Guidelines for protecting copies (either temporary or permanent copies) of the original information asset in accordance with the protection guidelines for the original asset
4. Manufacturer’s specification for storing the asset containers
5. Method for marking copies of the storage media (electronic or physical) to notify the authorized person
6. Practices for secure disposal or deletion of assets
7. Identification of third-party assets used and/or associated with any of the organization’s assets and adding specific clauses in the contractual agreements of the vendors (for example, cloud service providers) concerning the acceptable use and handling of these assets
8. Specific requirements when working in a collaborative environment

5.11 Return of Assets

This Asset Management control applies to all the personnel and interested parties (or stakeholders) of the organization in the event of change or termination of their employment, contract, or agreement. All the provisioned assets must be returned and de-provisioned. The asset management policy should include a clear direction on:

1. The assets to be returned namely, user endpoint devices, portable storage media, specialist equipment, authentication hardware – tokens, mechanical keys, physical copies of information, etc.
2. Guidelines for tracing, transferring, and securely deleting relevant information where personal devices (or equipment) are used
3. Restricting the use of information held on assets not owned by the organization by means of access rights and cryptography
4. Documenting information from the personnel or interested parties is important for the ongoing operations of the organization
5. Preventing personnel serving the notice period (and thereafter), from unauthorized copying or transferring of relevant information

8.1 User Endpoint Devices

To ensure that the information asset which is stored, processed, or transmitted by the user endpoint device must remain protected, a topic-specific policy should guide users on the secure configuration and handling of user endpoint devices (i.e. asset containers). This should include:

1. The type and classification level of the information asset permitted to be stored, processed, and handled by the user endpoint devices
2. Process for registering the user endpoint devices, requirements for its physical protection, access control restrictions, enabling storage device encryption, taking regular backups
3. Recommended practices for configuring device software (specific versions), updating (or patching) the software, and restrictions on installing other software on the devices. (All these checks can be automated by the system administrator)
4. Rules for connecting to information services, public networks, or other networks off-premises
5. Restrictions on the usage of web services and web applications, ensuring protection against malware, use of removable devices (or disabling of physical ports)
6. Notice on monitoring end-user behavior, remote disabling, deletion, or lockout of the device
7. Guidelines for partitioning the system (if supported) on the user endpoint device to separate organization data and personal data.
8. Recommended practices (when using personal (or BYOD) devices) for
   a. logging off active sessions and terminating services no longer needed
   b. protecting devices from unauthorized access (physical and logical control) and not leaving devices with sensitive information unattended
   c. using devices in public places, open offices, and meeting places
   d. protecting devices against theft, especially when traveling
   e. using software to separate and protect business data from personal data
   f. accessing business information
   g. remote wiping of data in case of theft or when the user is no longer authorized to access the data
   h. preventing disputes regarding intellectual property and software licensing agreements
   i. configuring wireless connections
   j. appropriate network bandwidth usage (for example, when taking backups or updating software packages) in case of wired or wireless connections

The relevant legal, statutory, regulatory, contractual, and other security requirements should be considered while drafting the policy.

References:

• Stevens, J. F., Caralli, R. A., & Willke, B. J. (2005). Information asset profiling. CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST.
• ISO/IEC 27002:2022 Standard-Information security, cybersecurity, and privacy protection — Information security controls