A.8 Asset management
In this lesson, we will cover an understanding of control set A.8
in relation item is as well as understanding examples of the controls and documentation required for each.
A.8 asset management is made up of three control areas.
The first control area is 8.1, responsibility for assets.
The first control in this area is
inventory of assets.
This control stipulates that an inventory or a list or a database
of all of your information assets,
as well as your hardware and software assets, must be maintained.
It is important to keep the detail of these assets
as well as the owners of the assets.
You can leverage off tools such as your SCCM
or configuration management databases
to build these asset lists.
The next control is 8.1.2.
Each asset needs to have a specific owner defined and assigned to that asset.
That owner can make decisions
regarding that asset.
It needs to be informed when control changes occur
regarding that asset.
The inventory and ownership of assets is an extremely important input into your information security risk management program.
The next control is A.8.1.3,
the acceptable use of assets.
If you work in an organization, you are probably familiar with this control
as, on a periodic basis, you are required to read,
acknowledge and accept your organization's acceptable use policy.
This acceptable use policy is specific to the assets that are owned by the organization
but which the organization gives you rights to use for your job responsibilities.
This policy will stipulate certain dos and don'ts around these assets,
such as not using your personal work computer
to browse social media websites,
to use it for other personal work or work outside of your current job,
or to download movies from torrent sites and so forth.
The last control in the first control area is
the return of assets.
When assets are issued to users within the organization,
it is important that these assets are returned on a timely basis,
either when the user is no longer working for the organization
upon handing in their resignation
or when the user has changed roles within the organization.
Assets need to be tracked with whatever user they are assigned to throughout their life cycle
to help ensure that assets are returned by that user when due.
The second control area.
The first control in this area is 8.2.1,
the classification of information.
This control stipulates that your organization should establish a classification scheme and have this formally documented in a classification policy.
Guidelines around what types of information
and which classifications should be applied to these different types should be documented and communicated to the relevant staff.
You will most likely already have an existing classification scheme,
depending on the industry that you fall in, whether you're in government or private sector.
But generally the levels look something like
top secret, secret and public information.
Labeling of information assets.
For each asset or piece of information that is classified,
an appropriate and corresponding label should be applied.
This is true for documented information, such as documents that exist in a PDF or Word document,
as well as, where possible, information within systems and databases.
Handling of assets.
This is the third control in the second control area,
and the handling of assets control
stipulates that all assets that are labeled and classified must be handled and protected in line with their classifications.
This policy should stipulate
for each classification level of information
how that information should be handled and protected when it is being worked with,
transferred or sent,
as well as when it is stored or disposed of.
The last control area
is 8.3, media handling.
The first control is 8.3.1.
The management of removable media
implies any media that could be used to store information,
and that is also easily transportable,
such as flash drives, DVDs,
external hard drives,
even your cell phones.
It is important to establish a policy to govern the management of this removable media.
It is especially important to ensure that any removable media that is used to transport your highest level of classified information
is properly equipped and guided to do so securely.
Removable media should be
appropriately labeled to ensure that only the
correct level or classification of information is stored on that media,
that media is not lost or carelessly left lying around,
that media is protected where possible,
and that the hard drives of laptops are encrypted
to prevent information disclosure due to loss or theft.
The next control is 8.3.2,
the disposal of media.
When an asset reaches end of life,
any storage media contained within that asset first needs to be appropriately sanitized and have all information stored on that media purged.
The disposal of media needs to cater for the type of media.
A hard drive would have a different information sanitization procedure
to a solid state drive.
Sometimes the most effective method for ensuring that information cannot be accessed from storage media
is to destroy the media.
There will need to be evidence of this process and that this has been
conducted throughout the period under review. If a third party is used to dispose of media
and perform the information sanitization,
robust evidence of this as well as the controls to ensure that the third party is trustworthy and acting as required,
Disposal of media also extends to your physically printed documents.
A lot of sensitive information ends up being printed
and can be left lying around.
It is important to provide employees with a way to securely dispose of this information
and ensure that it is shredded.
The last control pertains to A.8.3.2, physical media transfer.
Sometimes it is required for physical storage media to be transferred.
Often this media will contain information on it.
This control requires that a policy and guidelines for the transfer of media be established.
Security controls must also be established and implemented for this media:
encryption of the media,
anti-tampering devices around the media
and chain of custody.
During this video, we covered the three control areas that make up control set A.8,
which is asset management.
We took a look at the different controls
within this control set,
looked at some examples of controls
and also any documentation that would be required to support
and be used as evidence for these controls.