What is Asset Management (ID.AM)?

Assets (e.g., data, devices, software, systems, facilities, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to objectives and risk strategy.

ID.AM-1:

Inventories of physical devices managed by the organization are maintained? Yes!

All computer devices with IP addresses are tracked within our server mapping and inventory document titled "Asset Device and Resource Catalog."

Computer Device Catalog includes:

  1. Servers
  2. Backup hardware
  3. Personal Computers (PC)
  4. Laptops
  5. Mobile Phones and Tablets
  6. Portable Storage Devices (Thumb and Portable Drives)

On-Prem Computer Device List Lifecycle

  1. An IP-addressed device (desktop computer, laptop, server) is received and placed into inventory via our accounting software Asset List, including all pertinent asset information.
  2. The new device is added to the network list of devices and enabled with licensed cybersecurity software, if not already enabled
  3. Applicable devices are added to the external cyber-monitoring list, if not already enabled
  4. Devices are removed from the list based on user or diagnostic determination of end-of-life (EOL)
  5. EOL devices are inactivated, hard drives destroyed if applicable, and removed from all associated lists
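The lifecycle above only works if the catalog and the network agree. The following reconciliation check is an added example, not eXpress badging's own tooling: it compares a constructed export of the Asset Device and Resource Catalog against a constructed network discovery sweep and reports the gaps each lifecycle step is meant to close (devices on the wire that were never inventoried, active devices without the licensed endpoint agent, servers missing from the external monitoring list, EOL devices still answering, and hostname/IP mismatches that suggest address reuse). The field names, the rule that servers are the "applicable" devices for external monitoring, and all sample values are assumptions made for the example.

```python
"""Reconcile an asset catalog export against a network discovery sweep.

Added example. The catalog fields, the discovery format and every value
below are constructed for illustration; adapt them to the real export.
"""
from dataclasses import dataclass


@dataclass
class CatalogEntry:
    asset_id: str
    hostname: str
    ip: str
    device_type: str           # "server", "desktop" or "laptop"
    status: str                # "active" or "eol"
    endpoint_agent: bool       # licensed cybersecurity software enabled (step 2)
    external_monitoring: bool  # present on the external cyber-monitoring list (step 3)


# Constructed catalog export (assumed field layout).
CATALOG = [
    CatalogEntry("A-0001", "srv-file01", "10.10.1.10", "server", "active", True, True),
    CatalogEntry("A-0005", "srv-bkp01", "10.10.1.11", "server", "active", True, False),
    CatalogEntry("A-0002", "pc-ops-03", "10.10.2.33", "desktop", "active", False, True),
    CatalogEntry("A-0003", "lt-sales-07", "10.10.2.58", "laptop", "active", True, True),
    CatalogEntry("A-0004", "pc-legacy-01", "10.10.2.90", "desktop", "eol", True, False),
]

# Constructed discovery sweep: IP address -> hostname observed on the network.
DISCOVERED = {
    "10.10.1.10": "srv-file01",
    "10.10.1.11": "pc-temp-99",      # same IP as srv-bkp01, different host name
    "10.10.2.33": "pc-ops-03",
    "10.10.2.90": "pc-legacy-01",    # catalog says EOL, but it is still online
    "10.10.2.120": "unknown-device", # never entered into the catalog
}

# Assumption for this example: servers are the devices "applicable" to
# external monitoring; other device types are not required to be listed.
MONITORING_APPLICABLE = {"server"}


def reconcile(catalog, discovered):
    """Return a dict of finding category -> list of asset ids or IPs."""
    by_ip = {entry.ip: entry for entry in catalog}
    findings = {
        "unregistered": [],        # on the network, not in the catalog (step 1)
        "hostname_mismatch": [],   # catalog and sweep disagree on who owns the IP
        "eol_still_online": [],    # inactivated device still answering (step 5)
        "missing_agent": [],       # active device without endpoint software (step 2)
        "missing_monitoring": [],  # applicable device not on monitoring list (step 3)
        "registered_not_seen": [], # active catalog entry absent from the sweep
    }

    for ip, seen_host in discovered.items():
        entry = by_ip.get(ip)
        if entry is None:
            findings["unregistered"].append(ip)
            continue
        if entry.status == "eol":
            findings["eol_still_online"].append(entry.asset_id)
        if entry.hostname != seen_host:
            findings["hostname_mismatch"].append(entry.asset_id)

    for entry in catalog:
        if entry.status != "active":
            continue
        if not entry.endpoint_agent:
            findings["missing_agent"].append(entry.asset_id)
        if entry.device_type in MONITORING_APPLICABLE and not entry.external_monitoring:
            findings["missing_monitoring"].append(entry.asset_id)
        if entry.ip not in discovered:
            # Informational for laptops that may simply be off-site; still worth
            # confirming the device has not been lost or quietly re-addressed.
            findings["registered_not_seen"].append(entry.asset_id)

    return findings


if __name__ == "__main__":
    for category, items in reconcile(CATALOG, DISCOVERED).items():
        print(f"{category:20s} {items or '-'}")
```

Run it against a fresh catalog export and sweep on the same schedule as the quarterly catalog review; an empty "unregistered" list is the evidence that step 1 is actually being followed, and a non-empty "eol_still_online" list is the one to chase first, since a decommissioned device that still answers on the network has no current owner and no current patching.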

Portable Hard and Thumb Drives Lifecycle

  1. Only authorized Operations Information Technology (OTS) staff or vetted contracted IT staff may use company-procured and vetted portable storage devices (PSDs), meaning any peripheral that connects to a computer port by cable or direct connection and allows data to flow to and from the computer, and only for OTS-relevant work. No other employees or contractors are permitted to use PSDs.
    1. All devices are scanned using licensed cybersecurity software before being placed in service
    2. As a rule, IT contractors who come on-premise may not use their own portable devices
      1. In rare, OTS-vetted and approved cases, an IT contractor's PSD may be approved for temporary use, or a PSD may be procured by OTS for the contractor's use
    3. Any non-vetted device must be stored off-premise while working, with no exceptions
    4. OTS immediately enters any procured PSD into a Portable Device Registry upon its entering the company premises
    5. If PII data that is not relevant to the project exists on the device, then with assignee approval the data is either permanently deleted/wiped from the drive, or the device is retained and returned with a no-use statement and must be removed from company premises immediately
    6. Customer-relevant PII data (data and photos) cannot be submitted using a PSD. If one is provided, it is returned without vetting; only files provided via MFTP are permitted
  2. All vetted devices are signed-out and assigned to an employee for use
    1. No other person may use the device at any time, for any reason, and there are consequences for a sharing breach
    2. The device must be in the possession or control of the signee at all times, with no exception
  3. All devices are returned to OTS for re-scanning
    1. If it is an asset of eXpress badging, it is placed within our safe/secured location
    2. If it is an employee shared device, it is wiped of any PII data and is returned/signed out when the employee leaves the company premises with the device
    3. OTS scans all customer or contractor devices, the PII data is confirmed to be the customer's asset, and any other discovered PII data is addressed and removed if applicable before being returned to the customer or contractor

Mobile Device Lifecycle (Phones and Tablets)

  1. Devices are connected to email via enabled MS Office 365 accounts for key employees
  2. Devices cannot be plugged into any on-prem computer device's USB/data port without approval from leadership staff
  3. Customers and Contractors are instructed not to provide any PII-compliant data ever, and in cases where customers or contractors fail to follow this instruction, the email is permanently deleted
  4. All employee MS Office 365 email accounts are inactivated immediately upon termination

Physical Security

FYI: Physical Access Control and CCTV hardware are managed by building management

ID.AM-2:

Inventories of software and services managed by the organization are maintained? Yes!

All computer software and services are tracked within our server mapping and inventory document titled "Asset Device and Resource Catalog."

Desktop/Server Applications:

Each assigned computer device operates using various licensed software. All require user log-ins, and none are enabled with single sign-on. Several other processes track user and software assignment, licenses, installation, upgrades, and removal.

User PII Applicable Software Applications

  • Computer and Server OS
  • Communication and Software Systems
    • Networking
    • E-mail
    • Collaboration
    • Databases
    • Presentation
  • Desktop Photo ID Management Software
  • PCI Compliant Accounting Software
  • Employee Time and Attendance
  • Antivirus and Cybersecurity Protection Software
  • FYI: Physical Access Control and CCTV software are managed by building management

ID.AM-3:

Representations of the organization’s authorized network communication and network data flows are maintained? Yes!

[Image: ebs_behind_the_firewall_network-1 (network diagram of the environment behind the firewall)]

Network Whiteboard

  • Dedicated Fiber - Port to Port
  • Failover ISP Modem/Router Appliances
  • Appliance Firewall /Router
  • Appliance WiFi Access Point
  • Appliance Network Switch
  • Physical Server
    • Virtual Server Configured
  • Virtual Server
    • Encrypted at Rest
    • Mass data export monitored
    • Realtime Cloud Backup Service (Offsite/DATTO/Every 14 Hours)
    • Full Metal (local) Backup Appliance (DATTO/nightly)
  • Network Segmented PC - (SentinelOne EndPoint Encrypted at Rest)
  • Desktops and Servers are NOT secured with Bluetooth and Com Port Monitoring (Disabled Currently)
    • Company policy bans any portable storage device from being on-premise
    • Company policy bans any mobile device (phone/tablet) from being connected to any computer com-port
  • MS Office is not enabled by default with two-factor or encryption. Users can enable it but are told to use our ShareFile tool as it is more secure
  • Operates on a Dedicated Segmented Network
  • All files sent over the network are sent using HTTPS in-transit encryption

ID.AM-4:

Inventories of external assets and suppliers are maintained? Yes!

Hosted Systems Catalog Includes:

  • Accounting Software Portal and Backup
  • Browsers, Approved
    • Firefox
    • Google Chrome*
    • MS Edge
  • Business Operation System management
  • Communication and Software Systems
    • Networking
    • E-mail
    • Collaboration
    • Databases
    • Presentation
  • CRM, Support Ticketing, and Knowledgebase Software Tools
  • Cybersecurity Software Tools
  • Employee Background Vetting Software Tools
  • Employee Profiling Software Tools
  • Grammar and spell-checking Software Tools
  • Online shopping accounts
  • Password Vault Software Tools
  • Phone/Reception Software Tools
  • Remote Support Assistance Software Tools
  • Recruiting Software Tools
  • Sales Tax Collection, Payment, and Reporting
  • Secure Document Signature
  • Banking
    • Credit Card Account Access
    • Checking Account Access
    • Savings/Investment Account Access
    • Credit Card Processing Accounts
  • Secure File Share Tools
  • Self-Hosted Photo ID Management Software Tools
    • portal.veonics.com
  • Virtual Meeting Software Tools
  • Web Hosting Services
    • Product Hosting
    • Website Hosting

ID.AM-5:

Assets are prioritized based on classification, criticality, resources, and organizational value? Yes!

eXpress badging tracks resources in a secured Asset Device and Resource Catalog that assigns a criticality assessment value regarding the impact of each on business operations and continuity. Our catalogs are updated when needed and reviewed quarterly.

We will not publish the Catalog entirely, and upon clearance, we may provide a redacted version for security purposes.

ID.AM-6: Dropped (moved to GV.RR-02, GV.RR-03, and GV.RR-04)

Are cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) established? Yes!

Security Plan Accountability

What is the scope of work and accountability for each person?

  1. Executive Team Governance
    1. to ensure all training and assessment is ongoing, relevant, and up to date for all employees and associated non-employees
    2. to engage all identified cybersecurity stakeholders in the event of a breach
    3. to participate in all relevant breach meetings, resolution approvals, execution of initiatives, and to manage all accountabilities through the completion of the issue
  2. Director Team Compliance
    1. to provide training and assessment for all employees and associated non-employees
    2. to protect the entire network from fraudulent breaches by internal and external bad actors
    3. to keep the company's number one core value, "Security First, Family Always," as their number one core value
    4. to participate in all relevant breach meetings, resolution approvals, execution of initiatives, and to manage all accountabilities through the completion of the issue
  3. Contracted IT Team Compliance
    1. to protect our servers, desktops, laptops, and AWS instances from virus intrusion using provided Endpoint Antivirus Protect tools
    2. to test our on-premise server and AWS instances for network vulnerabilities, and to provide a threat assessment
    3. to provide both on-premise server and AWS instances penetration testing and assessment services
    4. to participate in all relevant breach meetings, resolution approvals, execution of initiatives, and to manage all accountabilities through the completion of the issue
    5. will limit or exclude access when necessary to any company or company-customer-related PII data
    6. will ensure that any contractor employee, or subcontractor, will comply with all current NIST Cybersecurity Framework guidelines that apply to services performed
  4. Contracted Cyber Protection Team
    1. in addition to the above, Contracted IT Team Compliance terms
    2. for a PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected Data Breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the Insured Organization's PCI compliance, as required by a Merchant Services Agreement;
  5. Contracted Legal Counsel
    1. in addition to the above, Contracted IT Team Compliance terms
    2. for an attorney to provide necessary legal advice to the Insured Organization (eXpress badging) to evaluate its obligations pursuant to Breach Notice Laws or a Merchant Services Agreement;
  6. Contracted Insurance Team
    1. in addition to the above, Contracted IT Team Compliance terms
    2. to notify those individuals whose Personally Identifiable Information was potentially impacted by a Data Breach;
    3. to provide a call center to respond to inquiries about a Data Breach;
    4. to provide a credit monitoring, identity monitoring, or other personal fraud or loss prevention solution, to be approved by the Underwriters, to individuals whose Personally Identifiable Information was potentially impacted by a Data Breach; and
    5. public relations and crisis management costs directly related to mitigating harm to the Insured Organization are approved in advance by the Underwriters at their discretion.

ID.AM-07:

Sensitive data and corresponding metadata are inventoried and tracked? Yes!

Sensitive Data

  1. Employee Data
    1. Accounting software tracks most employee data, with access only through assigned user rights (Groups)
    2. Related files are stored in a rights-protected HR section of our server
    3. Hosted software is accessed
  2. Customer PCI Compliant Data
    1. Accounting software that is PCI compliant is used to enter data and process payments
    2. Hosted payment processing software is used for transactions that are not conducted through the accounting software
    3. eXpress badging PCI policy bans anyone from writing down any PCI-compliant data or speaking it out loud.
  3. Customer PII Compliant Data
  4. Contractor and Partner Compliant Data

ID.AM-08:

Systems, devices, and software are managed throughout their life cycle, including pre-deployment checks, preventive maintenance, transfers, end-of-life, and disposition (formerly PR.DS-3, PR.IP-2, PR.MA-1, and PR.MA-2)