Creating an asset lifecycle

Keeping track of your physical and digital assets is an important step in maintaining the security of your environment.

An asset lifecycle has three key stages that need to be covered: purchase or development, maintenance, and decommission. Below are details of how each step should be designed.

Purchase and development

Record new assets

The beginning of the lifecycle starts with creating a process to record new hardware and software assets. This allows you to start from the beginning, and then move onto recording existing assets once you are done. This also prevents any new assets from falling through the gaps.

Identifying existing assets can be a challenge. See our embedding existing assets guide for some details on how you can include these in your lifecycle.

Identifying existing assets

Creating a new asset recording process will take effort from multiple groups within the organisation. It's important that the process and tools used work for each group and meet everyone's needs.

The following details should be recorded for each asset:

  • type of asset
  • asset owner, or someone responsible for keeping the asset maintained
  • vendor, developer, or person responsible for supplying patches
  • location of the asset, both physical and network (or digital) location
  • unique reference number or serial number to identify the right physical asset
  • system that the asset supports
  • end-of-life or end-of-support date (if set), and
  • software versions and enabled services.

To make sure you are including all the right IT assets, make sure you are covering the following:

  • user devices such as desktops, mobile phones, tablets, and laptops
  • peripheral equipment such as keyboards, docking stations, printers, fax machines, and scanners
  • network equipment such as routers, switches, and access cameras
  • system infrastructure including locally hosted and cloud hosted servers and supporting components, backups, and supporting network components
  • software including the types of software used and any licenses.

Harden new assets

After the asset has been recorded, it needs to be hardened before it's used. This is a great way to embed other security controls into the life of the asset. Hardening means:

  • removing default accounts or changing their default passwords
  • disabling any unused services and closing unnecessary ports, and
  • updating the software to the latest release.

See our other critical control guides for details on hardening assets. 

Critical Controls 

Maintenance

Tie in your patching and vulnerability management processes

Keeping a record of all assets can help you make sure all your assets are patched, and there are no unknown assets on your network.

Your asset records can help you understand where you should be getting your patches from and who in the organisation is responsible for applying those patches. As new assets are bought or developed, ensure that these are incorporated into existing patching processes. By cross referencing against the asset list, you can ensure that patching processes cover all existing assets.

Creating a patching process

A vulnerability management process should help your organisation identify any unpatched or insecure assets on your network. Your asset record can be a valuable tool for this process so you can confirm if any assets found are yours, or if they need to be investigated.

Plan for legacy systems

Unsupported assets need to be replaced as soon as possible to reduce the risk to your environment. Vendors often announce these dates well in advance to give their customers time to migrate off. This date needs to be recorded and communicated once it is announced so the organisations can assess the systems they support and what the options are for mitigating or migrating.

Mitigating legacy systems

Decommissioning

Remove assets

Once an asset has reached the end of its life, you need to follow a decommissioning process to remove it from your environment. Every asset will be different. Here are some key points to consider:

  • Ensure the asset is no longer in use. Before you plan to turn it off, take steps to re-route any traffic or use to other assets.
  • Review your asset retention standards and requirements. Before you start disposing of assets, be sure to consider any data retention standards that apply to you and your oragnisation. You want to make sure you can restore data from a backup, even if the original assets that supported the system are gone.
  • Turn off the asset and remove any related dependencies. An asset can depend on multiple components for function. This includes DNS records, firewall rules, physical wiring, and even other assets. Physical assets will need to be powered off, and any digital breadcrumbs will need to be removed.
  • Save and secure any brand-related or public dependencies. Some dependencies that an asset uses may also be used by other people, such as domain names and static IP addresses. These are often associated directly with your organisation and are used as a symbol of trust so others know they are communicating with you. If these are no longer going to be used, don't delete them. Instead, re-direct them to your new assets. By staying in control of these assets, you reduce the risks of an attacker using these branded assets to attack or scam others.

Dispose of assets

After you have gone through the steps of removing the asset from your environment, you can consider how to dispose of any related physical hardware. When disposing of physical devices, it is important to ensure that you do not leave your organizations’ information on them:

  1. Sanitise the asset, or securely remove all data from the asset. This is especially the case for any assets that hold sensitive information. If you’re unsure what data was on the device, it's better to go through a sanitisation process to be safe.
  2. Destroying or selling the device. If your organisation is considering selling the asset, you need to be confident that the asset has been completely sanitised of data. If the asset contained sensitive data, you may want to avoid this risk and just opt to destroy the asset. You can contact a professional asset destruction company to assist and make sure they are properly destroyed.

If your organisation is going to re-use or re-purpose the asset inside the organisation, it is important to still make sure it is sanitised. That way you know you are starting from a clean asset.