A8 Asset Management

00:01

Listen, 11.4

00:03

a eight Asset management

00:08

In this lesson, we will cover an understanding of Control, said a eight

00:13

in relation item is as well as understanding examples of the controls and documentation required for each.

00:25

A eight asset management is made up of three control areas.

00:30

The first control area is 8.1 responsibility for assets.

00:36

The first control in this area

00:39

is a 8.1 point one

00:42

inventory of assets.

00:45

This control stipulates that an inventory or a list or a database

00:51

off all of your information assets

00:53

as well as your hardware and software assets, must be maintained.

00:59

It is important to keep the detail off these assets

01:04

as well as the owners of the assets.

01:10

You can leverage off tools such as your S, C, C M

01:15

or configuration management databases

01:18

to build these acid lists.

01:23

The next control is 8.1 point two

01:26

ownership of assets

01:29

as mentioned,

01:30

each asset needs to have a specific owner defined and assigned to that asset.

01:37

That owner can make decisions

01:40

regarding that assets.

01:42

It needs to be informed when control changes occur

01:46

regarding that s it.

01:49

The inventory and ownership of assets is an extremely important input into your information security risk management program.

02:00

The next control is a 8.1 point three

02:05

the acceptable use off assets.

02:08

If you work in an organization, you are probably familiar with this control

02:14

as un a periodic basis. You are required to read,

02:17

acknowledge and accept your organization's acceptable use policy.

02:23

This acceptable use policy is specific to the assets that are owned by the organization

02:30

but which the organization gives you rights to use for your job responsibilities.

02:36

This policy will stipulate certain Do's and dont's around these assets,

02:40

such as not using your personal work computer

02:45

to browse social media websites

02:47

to use it for other personal work or work outside of your current job,

02:53

or to download movies from turn sites and so forth.

03:00

The last control in the first control area

03:02

is a 8.1 point four

03:06

the return of assets.

03:09

When assets are issued to users within the organization,

03:14

it is important that these assets are returned within a timely basis,

03:19

either when the user is no longer working for the organization

03:23

upon handing in their resignation

03:25

or when the user has changed roles within the organization.

03:30

I said it's need to be tracked with whatever user they are assigned to throughout their life cycle

03:37

to help ensure that assets are returned by that user. When do

03:46

the second control area

03:47

is a 8.2

03:50

information classifications?

03:53

The first control in this area is 8.2 point one.

04:00

The classifications of information.

04:02

This control stipulates that your organization should establish a classification scheme and have this formally documented in a classifications. Policy

04:13

guidelines around what types of information

04:16

and which classifications should be applied to these different types should be documented and communicated to the relevant stock.

04:25

Your organization

04:27

will most likely already have an existing classification scheme,

04:30

depending on the industry that you fall in whether you're in government or private sector.

04:36

But generally the levels look something like

04:40

top secret secret and public information.

04:46

8.2 point two.

04:49

Labeling off information assets

04:54

for each asset or piece of information that is classified,

04:59

an appropriate and corresponding label should be applied.

05:03

This is true for documented information, such as documents that exist in a PDF or word document

05:11

as well as were possible information within systems and databases.

05:17

8.2 point three

05:19

Handling off assets.

05:23

This is the third control in the second control area,

05:26

and the handling of assets control

05:29

stipulates that all assets that are labeled and classified must be handled and protected in line with their classifications.

05:39

This policy should stipulate

05:42

for each classification of level off information

05:46

how that information should be handled and protected when it is being worked with,

05:50

transferred or sent,

05:53

as well as when it is stored or disposed off.

06:01

He lost control area

06:04

is 8.3. Media handling

06:09

the first control is 8.3 point one.

06:13

The management of removable media

06:16

removable media

06:18

implies any media that could be used to store information,

06:23

and that is also easily transportable,

06:26

such as flash drives, DVDs,

06:30

external hard drives,

06:31

even your cell phones

06:33

and so forth.

06:35

It is important to establish a policy to govern the management off this removable media.

06:44

It is especially important to ensure that any removable media that is used to transport your highest level of classified information

06:53

is properly equipped and guided to do so securely.

06:58

For example,

07:00

removable media should be

07:01

encrypted,

07:03

appropriately labeled to ensure that only the

07:06

correct level or classification of information is stored on that media

07:13

that media

07:15

is not lost or carelessly left lying around

07:18

that media is possible protected where possible,

07:23

that laptops are hard.

07:25

The hard drives of laptops are encrypted

07:28

to prevent information disclosure due to loss or theft.

07:33

The next next control is 8.3 point two.

07:39

The disposal of media

07:42

When an acid reaches end of life,

07:45

any storage media contained within that acid first needs to be appropriately sanitized and have all information stored on that media purged

07:58

the disposal of media needs to cater for the type of media.

08:03

For example,

08:05

a hard drive would have a different information sanitization procedure

08:11

to a solid state drive.

08:13

Sometimes the most effective method for ensuring that information cannot be accessed from storage media

08:20

is to destroy the media.

08:24

They will need to be evidence of this process and that this has been

08:28

conducted throughout the period under review. If a third party is used to dispose off media

08:35

and perform the information sanitization,

08:39

robust evidence off this as well as the controls to ensure that the third party is trustworthy and acting as required,

08:46

must be maintained.

08:48

Disposal of media also extends to your physically printed documents

08:54

a lot of sensitive information ends up being printed

08:56

and can be left lying around.

09:00

It is important to provide employees with a way to securely dispose of this information

09:05

and ensure that it is traded.

09:11

The last control pertains to a 8.3 point to physical media transfer.

09:20

Sometimes it is required for physical storage media to be transferred.

09:24

Often this media will contain information on it.

09:28

This control requires that a policy and guidelines for the transfer of media be established.

09:35

Security controls must also be established and implemented for this media,

09:41

for example,

09:41

encryption of the media,

09:43

anti tempering devices around the media

09:46

and chain of custody ease.

09:58

During this video, we covered the three control areas that make up control, said a eight,

10:03

which is acid management.

10:05

We took a look at a different controls.

10:09

Within this control. States

10:11

looked at some examples of controls

10:13

and also any documentation that would be required to support