How to Build an IT Asset Management Plan

by Sarah Harvey / January 22nd, 2020

How you can best manage your data and assets in a time where information security threats are everywhere? What is asset management and where do you start with it? Let’s start with a basic definition. Asset management is properly defining and categorizing an organization’s assets. A well-developed asset management plan can help you make strategic moves to increase your organizational security. With any plan for IT asset management in place, you should have established processes for receiving and transferring assets, migrating virtual systems, detecting and responding to incidents, continuous monitoring, and applying patches and updates to address vulnerabilities.

How Can You Benefit from an IT Asset Management Plan?

NIST Special Publication 1800-5 on IT asset management explains the benefits of a thorough asset management plan in six parts:

  1. Proper asset management increases the ability for your organization to respond to security alerts quickly as the location, configuration, and owner of various devices can be accessed quickly.
  2. Your organization can turn its focus to the most valuable assets and therefore increase cybersecurity resilience.
  3. When you conduct an audit, auditors will have detailed information about your systems because of well-managed assets.
  4. It helps to better define your budget as you can determine which software license are actually utilized and which you pay for, but do not use.
  5. Your employees will be able to use your asset management plan to know what is installed and any alerts or errors that might come up, so that you can minimize help desk response times.
  6. Any patching that needs to be done on your software can be done correctly and reduce attack surfaces of devices with a well-developed IT asset management structure.

These benefits arise from a well-developed asset management plan that follows guidelines set up by publications such as NIST. When you face the difficulty of IT asset management, you might find yourself looking for guidance on how to responsibly track the status and configurations of your assets.

Strategic Asset Management Plan Outline

Overview – A description of your vision for and explanation of asset management should be listed as a
general overview for your organization to gain initial understanding. What is the purpose of asset
management and who does this plan apply to? Is there any introductory or background information that
your organization needs to know?

Definitions – In your asset management plan, you’ll most likely use language that is specific to IT
processes. These terms need to be properly defined for your organization. In these definitions, you can
simply list processes, structures, and terms that must be explained to understand your IT asset
management plan.

Asset Tracking – What assets will you be tracking? To what extent should your organization expect
these assets to be tracked? Include any categories of assets that will be included in your strategic asset
management plan such as computers, handheld devices, or networking equipment.

Policies – While this is not an extensive list of policies to include, it is a starting point for your organization to develop a thorough, strategic asset management plan. Include any additional IT asset management policies you have developed in this section.

  • Asset Acquisition Processing Policy – What are the processes for requesting new or
    replacement IT assets? Include any forms for IT acquisition in this section or as an addendum to this plan. How should purchases be made and approved? Answers to these questions and any other information regarding the tagging, processing, or acquisition of assets can be included.
  • Transfer of Assets Policy – In your asset management plan, include who is responsible for the documentation of any transfers of IT assets within your organization. What should be documented during the transfer? Where should it be documented? Can assets be transferred outside of certain facilities? What are the inspection techniques for transfers?
  • Disposal of Assets Policy – When it’s time to dispose of technology assets, who is responsible for proper disposal? In this section, explain what requests need to be made, what defines an asset that should be disposed, and any specifics regarding technology with sensitive data. Is there a company your organization is contracted to dispose technology with? Include these details and any updates that need to be made to the system after asset disposal.
  • Theft/Loss of Assets Policy – In your theft or loss policy, include how an employee should
    report theft or loss of an IT asset. Define how an employee should determine whether an asset has been lost or stolen. This section should lay out your policy on theft plainly and include any consequences of theft or loss.
  • Support and Management of Assets Policy – Proper patching, assessment, and
    management of technology assets should be conducted regularly. Describe what your processes of review will look like and how often your employees can expect assets to be updated and managed. Policies regarding the verification of status should also be included in this section of your asset management plan.
  • Auditing of Assets Policy – Include your policy on third-party auditing of your IT assets as it relates to the security and documentation of your assets. Whether you perform an audit of assets every six months, every year, or every two years – you need to properly define what your employees can expect regarding the auditing of your assets.

Responsibilities – Define the responsibilities of each party in your organization concerning IT asset
management. Whether it’s categorized by organizational groups or specific titles/employees, you can
outline how each party is expected to play a role in the strategic management of your assets.

Policy Compliance – Explain the importance of compliance with these asset management policies and
the verification process that will take place to confirm your employees are complying. In this section, also
define any consequences employees will face as a response to non-compliance.

Risk-Based Approach to an Asset Management Plan

While your customized asset management plan will be tailored to your organization’s security needs, this tool can be helpful in giving you a path towards security compliance. Organizing and maintaining an asset inventory works as a foundation for a through information security program. You can organize your asset inventory in many different ways: individually, systematically, or through portfolios. Every organization will define their assets according to their needs, but it is recommended that the selection process be based upon risk. At what risk level is each asset? By classifying and analyzing assets according to what critical risk stage they’re in, you can help measure the effectiveness of your security strategies.

If you’re serious about implementing information security practices, you need to be mindful of the importance of proper asset management. Don’t let undetected vulnerabilities and mismanaged risks be the problems that plague your information security plan. Instead, use asset management tools and perform regular penetration testing to protect your valuable assets. Contact KirkpatrickPrice today to learn how we can help you achieve your information security goals!

More Resources

How Can Penetration Testing Protect Your Assets?

Why Bother With An Information Security Program?

What Should You Really Be Penetration Testing?