Establish, implement, and maintain an Asset Management program.
CONTROL ID
06630
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an asset management policy., CC ID: 15219
  • Assign an information owner to organizational assets, as necessary., CC ID: 12729
  • Include program objectives in the asset management program., CC ID: 14413
  • Include a commitment to continual improvement in the asset management program., CC ID: 14412
  • Include compliance with applicable requirements in the asset management program., CC ID: 14411
  • Establish, implement, and maintain classification schemes for all systems and assets., CC ID: 01902
  • Establish, implement, and maintain an asset inventory., CC ID: 06631
  • Establish, implement, and maintain a software accountability policy., CC ID: 00868
  • Establish, implement, and maintain a system redeployment program., CC ID: 06276
  • Establish, implement, and maintain a system disposal program., CC ID: 14431
  • Establish, implement, and maintain a system preventive maintenance program., CC ID: 00885
  • Refrain from protecting physical assets when no longer required., CC ID: 13484
  • Disassemble and shut down unnecessary systems or unused systems., CC ID: 06280
  • Dispose of hardware and software at their life cycle end., CC ID: 06278
  • Review each system's operational readiness., CC ID: 06275
  • Establish, implement, and maintain a data stewardship policy., CC ID: 06657
  • Establish and maintain an unauthorized software list., CC ID: 10601

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should establish a clear policy on information system asset protection. Criticality of information system assets should be identified and ascertained in order to develop appropriate plans to protect them. (§ 4.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To have an accurate and complete view of its IT operating environment, the FI should establish information asset management practices that include the following: (§ 3.3.1, Technology Risk Management Guidelines, January 2021)
  • establishment of policies, standards and procedures to manage information assets according to their security classification or criticality. (§ 3.3.1(d), Technology Risk Management Guidelines, January 2021)
  • life-cycle management that addresses the various stages of an information asset's life to ensure that information security requirements are considered at each stage, from planning and acquisition through to decommissioning and destruction; (21(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Maintaining information assets therefore necessitates a disciplined approach to information asset life-cycle management, including a comprehensive understanding of assets that support the business, as well as the potential impacts of an information security compromise of these assets. Maintenance of… (41., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity would typically deploy appropriate information security technology solutions which maintain the security of information assets. Examples include firewalls, network access control, intrusion detection/prevention devices, anti-malware, encryption and monitoring/log analysis to… (56., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developer… (3.5 55, Final Report EBA Guidelines on ICT and security risk management)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 which describe the maintenance (especially remote maintenance), deletion, updating and re-use of assets in information processing in outsourced premises or by external … (Section 5.5 PS-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for the proper handling of assets are documented, communicated and provided according to SA-01 in the respectively current version. (Section 5.4 AM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The entity identifies, inventories, validates, classifies and manages information assets. (S7.1 Identifies and manages the inventory of information assets, Privacy Management Framework, Updated March 1, 2020)
  • The purpose of the IT asset management practice is to plan and manage the full lifecycle of all IT assets, to help the organization: (5.2.6 ¶ 1, ITIL Foundation, 4 Edition)
  • maximize value (5.2.6 ¶ 1 Bullet 1, ITIL Foundation, 4 Edition)
  • manage risks (5.2.6 ¶ 1 Bullet 3, ITIL Foundation, 4 Edition)
  • Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achie… (ME4.3 Value Delivery, CobiT, Version 4.1)
  • Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achi… (PO1.5 IT Tactical Plans, CobiT, Version 4.1)
  • There should be documented standards / procedures for asset management, which cover recording of hardware / software in an asset register (or equivalent). (CF.03.04.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for asset management, which cover protecting the asset register. (CF.03.04.01b-1, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for asset management, which cover keeping the asset register up-to-date. (CF.03.04.01b-2, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for asset management, which cover maintaining the accuracy of details in the register. (CF.03.04.01c, The Standard of Good Practice for Information Security)
  • Office equipment shall be supported by documented standards / procedures, which cover deployment and physical protection of office equipment. (CF.12.03.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for asset management, which cover recording of hardware / software in an asset register (or equivalent). (CF.03.04.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for asset management, which cover protecting the asset register. (CF.03.04.01b-1, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for asset management, which cover keeping the asset register up-to-date. (CF.03.04.01b-2, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for asset management, which cover maintaining the accuracy of details in the register. (CF.03.04.01c, The Standard of Good Practice for Information Security, 2013)
  • Office equipment shall be supported by documented standards / procedures, which cover deployment and physical protection of office equipment. (CF.12.03.01a, The Standard of Good Practice for Information Security, 2013)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually. (UEM-01, Cloud Controls Matrix, v4.0)
  • All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated. (DG-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). D… (CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software, CIS Controls, V8)
  • Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, … (CIS Control 1: Inventory and Control of Enterprise Assets, CIS Controls, V8)
  • The organization shall develop a list of assets that interface with medical devices, such as the software, hardware, and data that is essential to the intended use of the medical device. (§ 4.3.2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. (§ 8.1 ¶ 4 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The service provider shall implement and operate technical, administrative, and physical Information Security controls to preserve confidentiality, accessibility, and integrity of the information assets. (§ 6.6.2 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. (A.8.2.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The requirements of this document should be applied in their entirety to the IT assets determined by the organization. (Section 4.3 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the IT asset management processes, procedures and activities; (Section 7.5 ¶ 1(a) bullet 5, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall establish, implement, maintain and continually improve an IT asset management system, including the processes needed and their interactions, in accordance with the requirements of this document. (Section 4.4 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall establish, document and maintain IT asset management plan(s) to achieve the IT asset management objectives. These IT asset management plan(s) shall be aligned with the IT asset management policy and the strategic IT asset management plan. (Section 6.2.4 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Top management shall review the organization's IT asset management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. (Section 9.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the processes and methods to be employed in managing its IT assets over their life cycles; (Section 6.2.4 ¶ 4(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be implemented and be periodically reviewed and, if required, updated. (Section 5.2 ¶ 2 bullet 12, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be available as documented information; (Section 5.2 ¶ 2 bullet 8, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • ensuring that the IT asset management policy, the strategic IT asset management plan and IT asset management objectives are established and are compatible with the strategic direction of the organization and organizational objectives; (Section 5.1 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Top management shall establish an IT asset management policy that: (Section 5.2 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). (§ 8.2.5 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization. (§ 8.2.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. (§ 5.10 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes. (PR.DS-3.1, CRI Profile, v1.2)
  • The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. (Asset Management (ID.AM), CRI Profile, v1.2)
  • Assets are formally managed throughout removal, transfers, and disposition. (PR.DS-3, CRI Profile, v1.2)
  • The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes. (PR.DS-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 4.D ¶ 1(2)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Transient Cyber Asset Management: Responsible Entities shall manage Transient Cyber Asset(s), individually or by group: (1) in an ongoing manner to ensure compliance with applicable requirements at all times, (2) in an on-demand manner applying the applicable requirements before connection to a BES … (Section 1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Transient Cyber Asset Management: Responsible Entities shall manage Transient Cyber Asset(s), individually or by group: (1) in an ongoing manner to ensure compliance with applicable requirements at all times, (2) in an on-demand manner applying the applicable requirements before connection to a BES … (Attachment 1 Section 1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Is there an asset management policy or program that has been approved by management? (§ D.1, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Has the asset management policy or program been communicated to appropriate constituents? (§ D.1, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Does the asset management policy or program have an owner to maintain and review the policy? (§ D.1, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Is there a standard for managing information processing assets? (§ D.2.2, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Is the procedure for managing information assets reviewed at least annually? (§ D.2.2.12, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Oversight of IT architecture product development, use, and refinement. (App A Objective 2:9a Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management implemented policies, standards, and procedures to govern all aspects of ITAM, including information and technology assets. Assess whether those processes include the following: (App A Objective 4:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Policies, standards, and procedures. (III.B Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames… (App A Objective 4:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management of network infrastructure (e.g., network and connectivity, remote access, and telecommunications management) and server and device management (e.g., servers, storage, and devices). (App A Objective 2:9c Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Systems and software operating in the cloud for which the entity is responsible as well as those managed by the entity on its premises. (App A Objective 15:3a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. (III.B Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") (App A Objective 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintenance of management plans that cover hardware, software, and security devices. (App A Objective 16:4d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy; (§ 314.4 ¶ 1(c)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. (ID.AM Asset Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The plan should also indicate requirements for the timely replacement of components in the case of an emergency. If possible, replacements for hard-to-obtain critical components should be kept in inventory. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy of the licensee. (Section 27-62-4(d)(2) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Identification and management of the data, personnel, devices, systems and facilities that enable such licensee to achieve such licensee's business purposes in accordance with their relative importance to such licensee's business objectives and risk strategy; (Part VI(c)(4)(B)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 8604.(d)(2) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and the licensee's risk strategy; (§431:3B-203(2)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. (Sec. 18.(2)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy. (507F.4 4.b.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§2504.D.(2)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the licensee to achieve its business purposes in accordance with their relative importance to business objectives and the licensee's risk management strategy; (§2264 4.B.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (Sec. 555.(4)(b)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (§ 60A.9851 Subdivision 4(2)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy; (§ 83-5-807 (4)(b)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 420-P:4 IV.(b)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • asset inventory and device management; (§ 500.03 Cybersecurity Policy (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with the business' relative importance to business objectives and the organization's risk strategy; (26.1-02.2-03. 4.b.(2), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 3965.02 (D)(2)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (SECTION 38-99-20. (D)(2)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve the licensee's business objectives in accordance with the relative importance of the data, personnel, devices, systems, and facilities to the licensee's business objectives and risk strategy… (§ 56-2-1004 (4)(B)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes, taking into consideration the relative importance of the data, personnel, devices, systems, and facilities to the business objectives and risk strategy of the licensee… (§ 601.952(3)(b)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)