What is Asset Management (ID.AM)?

Assets (e.g., data, devices, software, systems, facilities, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to objectives and risk strategy.

Overview

Asset Management is a foundational component of cybersecurity risk management. It involves the identification, classification, and management of assets—such as data, hardware, software, systems, facilities, services, and personnel—that are vital to an organization's operations. Effective asset management ensures that these assets are protected and utilized in alignment with the organization's risk strategy and business objectives.


eXpress badging’s Asset Management Practices

At eXpress badging, we recognize the critical importance of asset management in maintaining the security and integrity of our services. Our practices include:

  • Comprehensive Asset Inventory: Maintaining up-to-date records of all hardware, software, and data assets, including configurations and interdependencies.

  • Asset Classification: Categorizing assets based on their sensitivity, criticality, and impact on business operations.

  • Access Controls: Implementing strict access controls so that only authorized personnel can access specific assets.

  • Regular Audits: Conducting periodic audits to verify the accuracy of asset inventories and the effectiveness of control measures.


Alignment with NIST CSF 2.0

Our asset management approach aligns with the NIST Cybersecurity Framework (CSF) 2.0, particularly the Identify Function's Asset Management (ID.AM) category. Key alignments include:

  • ID.AM-01: Inventories of hardware managed by the organization are maintained.

  • ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained.

  • ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained.

  • ID.AM-04: Inventories of services provided by suppliers are maintained.

  • ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.

  • ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained.

  • ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles.


Asset Lifecycle Management

We manage assets throughout their entire lifecycle, from acquisition to decommissioning:

  1. Acquisition: Assets are procured following a standardized process that includes security and compliance evaluations.

  2. Deployment: Assets are configured and integrated into our environment with appropriate security controls.

  3. Maintenance: Regular updates, patches, and performance monitoring are conducted to ensure asset integrity.

  4. Decommissioning: Assets are securely retired, with data sanitization and proper disposal procedures to prevent unauthorized access.


Roles and Responsibilities

Effective asset management requires clear delineation of roles:

  • IT Department: Responsible for maintaining the asset inventory, implementing security controls, and conducting audits.

  • Department Managers: Ensure that assets within their departments are used appropriately and report any discrepancies.

  • All Employees: Adhere to asset usage policies and report any unauthorized access or anomalies.


Continuous Improvement

We are committed to the continuous improvement of our asset management practices:

  • Regular Training: Employees receive ongoing training on asset management policies and procedures.

  • Policy Reviews: Asset management policies are reviewed and updated annually or as needed to adapt to new threats and technologies.

  • Feedback Mechanisms: We encourage feedback from employees to identify areas for improvement in our asset management processes.


By adhering to these practices, eXpress badging ensures that our asset management is robust, compliant with industry standards, and capable of supporting our mission to provide secure and reliable services.