
How can you best manage your data and assets at a time when information security threats are everywhere? What is asset management, and where do you start with it? Let’s start with a basic definition. Asset management is properly defining and categorizing an organization’s assets. A well-developed asset management plan can help you make strategic moves to increase your organizational security. With any plan for IT asset management in place, you should have established processes for receiving and transferring assets, migrating virtual systems, detecting and responding to incidents, continuous monitoring, and applying patches and updates to address vulnerabilities.

How Can You Benefit from an IT Asset Management Plan?

NIST Special Publication 1800-5 on IT asset management explains the benefits of a thorough asset management plan in six parts:

  1. Proper asset management increases your organization’s ability to respond to security alerts quickly, because the location, configuration, and owner of each device can be looked up immediately.
  2. Your organization can turn its focus to the most valuable assets and therefore increase cybersecurity resilience.
  3. When you conduct an audit, auditors will have detailed information about your systems because of well-managed assets.
  4. It helps to better define your budget, as you can determine which software licenses are actually utilized and which you pay for but do not use.
  5. Your employees will be able to use your asset management plan to know what is installed and what alerts or errors might come up, so that you can minimize help desk response times.
  6. With a well-developed IT asset management structure, any patching your software needs can be done correctly, reducing the attack surface of your devices.

These benefits arise from a well-developed asset management plan that follows guidelines set up by publications such as NIST. When you face the difficulty of IT asset management, you might find yourself looking for guidance on how to responsibly track the status and configurations of your assets.

Strategic Asset Management Plan Outline

Overview – A description of your vision for and explanation of asset management should be listed as a general overview for your organization to gain initial understanding. What is the purpose of asset management and who does this plan apply to? Is there any introductory or background information that your organization needs to know?

Definitions – In your asset management plan, you’ll most likely use language that is specific to IT processes. These terms need to be properly defined for your organization. In these definitions, you can simply list processes, structures, and terms that must be explained to understand your IT asset management plan.

Asset Tracking – What assets will you be tracking? To what extent should your organization expect these assets to be tracked? Include any categories of assets that will be included in your strategic asset management plan, such as computers, handheld devices, or networking equipment.

Policies – While this is not an extensive list of policies to include, it is a starting point for your organization to develop a thorough, strategic asset management plan. Include any additional IT asset management policies you have developed in this section.

  • Asset Acquisition Processing Policy – What are the processes for requesting new or replacement IT assets? Include any forms for IT acquisition in this section or as an addendum to this plan. How should purchases be made and approved? Answers to these questions and any other information regarding the tagging, processing, or acquisition of assets can be included.
  • Transfer of Assets Policy – In your asset management plan, include who is responsible for the documentation of any transfers of IT assets within your organization. What should be documented during the transfer? Where should it be documented? Can assets be transferred outside of certain facilities? What are the inspection techniques for transfers?
  • Disposal of Assets Policy – When it’s time to dispose of technology assets, who is responsible for proper disposal? In this section, explain what requests need to be made, what defines an asset that should be disposed of, and any specifics regarding technology that holds sensitive data. Is there a company your organization has contracted to dispose of technology? Include these details and any updates that need to be made to the inventory after asset disposal.
  • Theft/Loss of Assets Policy – In your theft or loss policy, include how an employee should report theft or loss of an IT asset. Define how an employee should determine whether an asset has been lost or stolen. This section should lay out your policy on theft plainly and include any consequences of theft or loss.
  • Support and Management of Assets Policy – Proper patching, assessment, and management of technology assets should be conducted regularly. Describe what your processes of review will look like and how often your employees can expect assets to be updated and managed. Policies regarding the verification of asset status should also be included in this section of your asset management plan.
  • Auditing of Assets Policy – Include your policy on third-party auditing of your IT assets as it relates to the security and documentation of your assets. Whether you perform an audit of assets every six months, every year, or every two years – you need to properly define what your employees can expect regarding the auditing of your assets.

Responsibilities – Define the responsibilities of each party in your organization concerning IT asset management. Whether it’s categorized by organizational groups or specific titles/employees, you can outline how each party is expected to play a role in the strategic management of your assets.

Policy Compliance – Explain the importance of compliance with these asset management policies and the verification process that will take place to confirm your employees are complying. In this section, also define any consequences employees will face as a response to non-compliance.

Risk-Based Approach to an Asset Management Plan

While your customized asset management plan will be tailored to your organization’s security needs, this outline can be helpful in giving you a path towards security compliance. Organizing and maintaining an asset inventory works as a foundation for a thorough information security program. You can organize your asset inventory in many different ways: individually, systematically, or through portfolios. Every organization will define its assets according to its needs, but it is recommended that the selection process be based upon risk. At what risk level is each asset? By classifying and analyzing assets according to what critical risk stage they’re in, you can help measure the effectiveness of your security strategies.

If you’re serious about implementing information security practices, you need to be mindful of the importance of proper asset management. Don’t let undetected vulnerabilities and mismanaged risks be the problems that plague your information security plan. Instead, use asset management tools and perform regular penetration testing to protect your valuable assets. Contact KirkpatrickPrice today to learn how we can help you achieve your information security goals!

Independent Audit Verifies CBOSS’ PCI Compliance

Boardman, OH – CBOSS, a payment processor, today announced that it has once again completed its PCI audit and received its Report on Compliance (RoC). This report verifies that CBOSS adheres to the Payment Card Industry Data Security Standard’s twelve requirements and has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of CBOSS’ controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores, or transmits information from a payment card. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted CBOSS in becoming PCI compliant.

“CBOSS is committed to delivering robust, secure solutions for payment processing to all our customers,” stated Mike Lendvay, Security & Compliance Manager for CBOSS, Inc. “To that end, we strive to make security and reliability integral to every aspect of our operations. We appreciate KirkpatrickPrice’s thoroughness and we are proud to have met or exceeded all the requirements they validated.”

“Many of CBOSS’ clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, CBOSS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the accounts receivables management services provided by CBOSS.”

About CBOSS

The expertise of CBOSS’ specialists empowers all of its clients to focus on their core business.

Since 1994, over 700 businesses and government agencies have looked to CBOSS to deliver feature-rich services and solutions that are cost-effective, reliable and secure. CBOSS is the leading provider of PCI DSS-compliant, secure online payment solutions for various industries, including healthcare, government and regulated industries. Visit us at www.cboss.com

On December 17, 2019, Citrix released information about a vulnerability tracked as CVE-2019-19781. This vulnerability lies in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Will this Citrix vulnerability impact your organization?

What We Know About CVE-2019-19781

CVE-2019-19781 allows unauthenticated remote attackers to execute arbitrary code on the exposed system. Because of where the affected Citrix appliances sit on the network, patching is critical. A permanent patch was not released by Citrix until January 20 – meaning Citrix left this vulnerability unpatched for over a month. Citrix did provide configuration steps to reduce the risk of exploitation for CVE-2019-19781 and stressed the importance of those mitigation steps, and the Cybersecurity and Infrastructure Security Agency (CISA) released a tool, available on GitHub, to check for this Citrix vulnerability.

Citrix 2019 Breach

This isn’t Citrix’s first security incident. In March 2019, the FBI informed Citrix that “they had reason to believe that international cyber criminals gained access to the internal Citrix network.” It was speculated the attackers used password spraying to gain access, impacting over 200 government agencies, oil and gas firms, and technology companies.

Forbes reports that Citrix provides VPN access and credentials to 400,000 organizations worldwide and 98% of the Fortune 500. When an organization like Citrix has a vulnerability, it’s not insignificant. Our penetration testers and auditors are watching this vulnerability closely.

Why is Compliance a Top 3 Initiative?

It’s no secret that the cyber threat landscape is evolving at an alarming rate. Now more than ever, businesses must implement compliance initiatives to avoid the growing threats of a cyberattack in the new decade. As a leader of your organization, it’s your responsibility to see this through. In this webinar, KirkpatrickPrice President Joseph Kirkpatrick covers everything you need to know about leading compliance initiatives.

According to a 2019 survey conducted by The Conference Board, “U.S. CEOs rank cybersecurity as their #1 concern.” Now, why is that? Take a look at just a few statistics that IBM’s 2019 Cost of a Data Breach report included:

  • The global average total cost of a data breach is $3.92 million
  • The global average size of a data breach is 25,575 records
  • The global average time to identify and contain a breach is 279 days
  • Inadvertent data breaches from human error and system glitches are still the root cause for nearly half (49%) of the data breaches studied in the report
  • If a third party caused the data breach, the cost increased by more than $370,000

As security incidents and data breaches are on the rise, C-suite executives must carry more of the responsibility to ensure that their organizations are prepared for the advancing threats of malicious individuals and groups.

6 Steps for Leading a Successful Compliance Initiative

While this list isn’t exhaustive and should be formatted to meet your business and industry needs, the following six steps can guide executives toward leading a successful compliance initiative, help prepare organizations against cyber threats, and ensure compliance.

  1. Connect the goal to your business’ purpose
  2. Accept responsibility
  3. Define priorities
  4. Choose the team
  5. Determine S.M.A.R.T. goals
  6. Enforce accountability

Want to dive deeper into these insights? Watch the full webinar on-demand now!

Independent Audit Verifies National Commercial Services’ Internal Controls and Processes

Van Nuys, CA – National Commercial Services (NCS), an experienced and specialized subrogation and commercial collection agency, today announced that it has completed its annual SOC 1 Type II audit. This attestation verifies that NCS has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of NCS’ controls that may affect its clients’ financial statements. SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes NCS’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

“NCS is committed to providing our clients with the most secure, while efficient, collection and subrogation services nationally. Completing the SOC 1 Type II audit is part of the regulatory framework recommended to provide secure services to both our clients and the public. NCS will continue to renew our SOC certification on an annual basis to verify that we stay abreast of industry and standard improvements,” said Natalie Mansour, Vice President and Chief Operating Officer of NCS.

“Many of NCS’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, NCS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by NCS.”

About National Commercial Services

National Commercial Services (NCS) is a California Certified Corporation located in Los Angeles County. With 23 years of experience in the fields of Subrogation and Commercial Collections, NCS is a Premier Sponsor of the National Association of Subrogation Professionals and is licensed and bonded in every mandated state. NCS is dedicated to compliance with Federal and State Specific Fair Debt Collection, TCPA, PCI, and all best-practice protocols.