A8 Asset Management


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 11.4
00:03
A.8 Asset Management
00:08
In this lesson, we will cover an understanding of control set A.8
00:13
in relation to the ISMS, as well as understanding examples of the controls and documentation required for each.
00:25
A.8 Asset Management is made up of three control areas.
00:30
The first control area is 8.1, Responsibility for assets.
00:36
The first control in this area
00:39
is A.8.1.1,
00:42
Inventory of assets.
00:45
This control stipulates that an inventory, or a list or a database,
00:51
of all of your information assets,
00:53
as well as your hardware and software assets, must be maintained.
00:59
It is important to keep the detail of these assets
01:04
as well as the owners of the assets.
01:10
You can leverage off tools such as your SCCM
01:15
or configuration management databases
01:18
to build these asset lists.
01:23
The next control is 8.1.2,
01:26
Ownership of assets.
01:29
As mentioned,
01:30
each asset needs to have a specific owner defined and assigned to that asset.
01:37
That owner can make decisions
01:40
regarding that asset
01:42
and needs to be informed when control changes occur
01:46
regarding that asset.
01:49
The inventory and ownership of assets is an extremely important input into your information security risk management program.
02:00
The next control is A.8.1.3,
02:05
the Acceptable use of assets.
02:08
If you work in an organization, you are probably familiar with this control,
02:14
as on a periodic basis you are required to read,
02:17
acknowledge and accept your organization's acceptable use policy.
02:23
This acceptable use policy is specific to the assets that are owned by the organization
02:30
but which the organization gives you rights to use for your job responsibilities.
02:36
This policy will stipulate certain do's and don'ts around these assets,
02:40
such as not using your personal work computer
02:45
to browse social media websites,
02:47
to use it for other personal work or work outside of your current job,
02:53
or to download movies from torrent sites and so forth.
03:00
The last control in the first control area
03:02
is A.8.1.4,
03:06
the Return of assets.
03:09
When assets are issued to users within the organization,
03:14
it is important that these assets are returned on a timely basis,
03:19
either when the user is no longer working for the organization,
03:23
upon handing in their resignation,
03:25
or when the user has changed roles within the organization.
03:30
Assets need to be tracked with whatever user they are assigned to throughout their life cycle
03:37
to help ensure that assets are returned by that user when due.
03:46
The second control area
03:47
is A.8.2,
03:50
Information classification.
03:53
The first control in this area is 8.2.1,
04:00
the Classification of information.
04:02
This control stipulates that your organization should establish a classification scheme and have this formally documented in a classification policy.
04:13
Guidelines around what types of information
04:16
and which classifications should be applied to these different types should be documented and communicated to the relevant staff.
04:25
Your organization
04:27
will most likely already have an existing classification scheme,
04:30
depending on the industry that you fall in, whether you're in government or private sector.
04:36
But generally the levels look something like
04:40
top secret, secret and public information.
04:46
8.2.2,
04:49
Labeling of information assets.
04:54
For each asset or piece of information that is classified,
04:59
an appropriate and corresponding label should be applied.
05:03
This is true for documented information, such as documents that exist in a PDF or Word document,
05:11
as well as, where possible, information within systems and databases.
05:17
8.2.3,
05:19
Handling of assets.
05:23
This is the third control in the second control area,
05:26
and the handling of assets control
05:29
stipulates that all assets that are labeled and classified must be handled and protected in line with their classifications.
05:39
This policy should stipulate,
05:42
for each classification level of information,
05:46
how that information should be handled and protected when it is being worked with,
05:50
transferred or sent,
05:53
as well as when it is stored or disposed of.
06:01
The last control area
06:04
is 8.3, Media handling.
06:09
The first control is 8.3.1,
06:13
the Management of removable media.
06:16
Removable media
06:18
implies any media that could be used to store information
06:23
and that is also easily transportable,
06:26
such as flash drives, DVDs,
06:30
external hard drives,
06:31
even your cell phones,
06:33
and so forth.
06:35
It is important to establish a policy to govern the management of this removable media.
06:44
It is especially important to ensure that any removable media that is used to transport your highest level of classified information
06:53
is properly equipped and guided to do so securely.
06:58
For example,
07:00
removable media should be
07:01
encrypted,
07:03
appropriately labeled to ensure that only the
07:06
correct level or classification of information is stored on that media,
07:13
that media
07:15
is not lost or carelessly left lying around,
07:18
that media is password protected where possible,
07:23
that laptops are,
07:25
the hard drives of laptops, are encrypted
07:28
to prevent information disclosure due to loss or theft.
07:33
The next control is 8.3.2,
07:39
the Disposal of media.
07:42
When an asset reaches end of life,
07:45
any storage media contained within that asset first needs to be appropriately sanitized and have all information stored on that media purged.
07:58
The disposal of media needs to cater for the type of media.
08:03
For example,
08:05
a hard drive would have a different information sanitization procedure
08:11
to a solid state drive.
08:13
Sometimes the most effective method for ensuring that information cannot be accessed from storage media
08:20
is to destroy the media.
08:24
There will need to be evidence of this process and that this has been
08:28
conducted throughout the period under review. If a third party is used to dispose of media
08:35
and perform the information sanitization,
08:39
robust evidence of this, as well as the controls to ensure that the third party is trustworthy and acting as required,
08:46
must be maintained.
08:48
Disposal of media also extends to your physically printed documents.
08:54
A lot of sensitive information ends up being printed
08:56
and can be left lying around.
09:00
It is important to provide employees with a way to securely dispose of this information
09:05
and ensure that it is shredded.
09:11
The last control pertains to A.8.3.3, Physical media transfer.
09:20
Sometimes it is required for physical storage media to be transferred.
09:24
Often this media will contain information on it.
09:28
This control requires that a policy and guidelines for the transfer of media be established.
09:35
Security controls must also be established and implemented for this media,
09:41
for example,
09:41
encryption of the media,
09:43
anti-tampering devices around the media,
09:46
and chain of custody.
09:58
During this video, we covered the three control areas that make up control set A.8,
10:03
which is Asset management.
10:05
We took a look at the different controls
10:09
within this control set,
10:11
looked at some examples of controls
10:13
and also any documentation that would be required to support
10:18
and be used as evidence for these controls.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.