Cyber Security Consultancy: Asset Management Guide

RB Consultancy

Why Asset Management Matters for Data Protection

Introduction

Imagine the business is thriving. Clients are happy, services are delivered, and systems are working well. There’s trust in the underlying software. But some things aren’t documented or very well known. Then it happens…

One day, you learn that a flaw in a forgotten piece of software has exposed data – millions of records, stolen silently. A critical patch has been missed, because no one really knew the software was there. The headlines spiral. Investigations begin. Regulatory fines are severe. Trust, reputation, and finances all take a massive hit.

This introduction is based on a well-publicised data breach, caused by an unpatched vulnerability in a web application – which exposed the personal data of millions of people and resulted in millions of dollars of penalties. In this article we focus on the theme of asset management – we reference a specific case study, provide general guidance and make recommendations.

 

What is Asset Management?

Asset Management is about knowing what you have, understanding its value, and protecting it accordingly – without knowing what you have, you can’t protect it. Effective security identifies information assets, applies a value, and safeguards them – from purchase to disposal. Visibility of physical and informational assets is vital for cyber (and operational) resilience. Major incidents can also be avoided.

 

Relatable Case Study 

  • Organisation: Equifax (US-based credit reporting agency)
  • Incident: In 2017, Equifax suffered a huge data breach affecting 147 million individuals. Attackers exploited a known vulnerability in Apache Struts – a web application framework – which had not been patched. The breach exposed sensitive personal data.
  • Financial Implications: Equifax agreed to a $575 million settlement. Additional costs included legal fees, remediation, and reputational damage.
  • Links with Asset Management:
    • Unmanaged assets – vulnerability management will be impacted if assets are unmanaged, typically leading to missing security updates and cyber-attack exploitation
    • Lack of asset ownership – no clear accountability for a system can lead to delays in identifying and mitigating the risk
    • Poor visibility of critical assets – having a limited view of assets can lead to slow response and inability to contain incidents 
  • Source Information: Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach

 

General Guidance

  • Maintain an up-to-date asset register – covering physical, digital and cloud-based assets
  • Assign ownership for each asset to ensure accountability and oversight
  • Track software and devices – including BYOD and company-owned
  • Ensure any sensitive assets are clearly identifiable 
  • Check and enforce encryption 
  • Have remote wipe capabilities for portable devices 

 

Recommended Actions

  1. Keep it simple and secure
  2. Use a risk assessment to determine appropriate action
  3. Maintain records relating to company and personal assets in use 
  4. Have an information asset list, record retention periods and review against stored data
  5. Determine policy relating to removable media and encryption standards
  6. Apply remote wipe and consider location tracking for portable devices (where possible)
  7. Seek guidance and support from a Certified Information Systems Security Professional (CISSP) and an IASME Certification Body for Cyber Assurance – such as RB Consultancy Ltd

 

How We Help

At RB Consultancy Ltd, we support organisations by:

  • Providing templates, guidance and experience to support
  • Explaining what security measures are available and how they can help 
  • Collaborating to implement security controls 
  • Assessing and issuing certifications – such as Cyber Essentials and Cyber Assurance 
  • Contact us for consultancy and certification support

 

Conclusion

Effective asset management can help avoid major security incidents. Equifax’s data breach helps to highlight how overlooked assets and undocumented systems can expose organisations to financial and reputational consequences. 

Cyber resilience includes knowing what you have and understanding its value. It’s beneficial to take a structured approach to asset management, encouraging proactive tracking, ownership and encryption. A risk-based approach can help identify the specific security controls, measures and steps to take for any organisation of any size.

RB Consultancy Ltd helps organisations understand the importance of asset management – we support the implementation of appropriate measures to help build cyber resilience. We are an IASME Certification Body and NCSC Assured Service Provider, providing services to empower and protect organisations. We hold CISSP and ISO 27001 lead implementer certification; contact us for assistance with cyber security resilience.

 

 

This blog is written by Remo Belisari, Managing Director of RB Consultancy Ltd. He is an experienced cyber security professional and cyber advisor. Remo holds certifications in CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance. He has many years of experience in IT and cybersecurity. He has supported organisations worldwide. His work includes helping a Fortune 500 company in the USA and over 100 organisations across the UK. The views in this blog are his own. They do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliates. The content is for general information only.