Asset Management
SB.1.016 Supplier Security Management
Before engaging in an agreement with a supplier of an IT service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT services. Suppliers report on their compliance with these agreements and deliver evidence of compliance when prompted. This compliance is actively monitored by the organisation and documented. Non-compliances are treated as potential security incidents. Which suppliers the organisation has, what services they provide and the status of contracts with each supplier are documented.
SB.1.015 Software Bill-of-Materials
The organisation must know what software is used on managed devices, including a Software “Bill-of-Materials” (BOM) of libraries and components.
SB.1.014 Domain reservations
Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs to be kept. Domain names not on this list need to remain reserved, with a placeholder message stating that the domain is no longer in use by the organisation, for 3 years before they can be released and used by other parties.
SB.1.011 Security in projects and changes
Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources, including time, manpower and budget, are allocated to perform a security assessment and ensure compliance with the information security policy.
SB.1.009 Emergency updates
Emergency changes requiring immediate implementation are properly handled to ensure minimal impact on systems and IT applications. The emergency change is registered, evaluated and tested after implementation and approved by responsible management.
SB.1.008 Patch management
Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.
SB.1.006 Detection of assets
Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside it. Discrepancies between the CMDB and detected assets are resolved.
SB.1.005 Asset registration
The assets making up a system that are under control of the organisation are registered and tracked in the CMDB. System owners periodically check that the information in the CMDB regarding their systems is accurate and up-to-date. System owners accurately maintain any documentation needed to deliver, describe, support and maintain the systems.
SB.1.004 Asset inventory
Organisations maintain an accurate and up-to-date registry of organisational hardware and software assets in a Configuration Management Database (CMDB).
SB.1.002 Governance of Processes and Systems
The Information Systems and Processes are identified and registered. Each System and Process has an owner within the organisation. The owner is responsible for compliance with the organisational information security policy. Ownership falls to a single person and not to an organisational unit. Systems and Processes are classified according to the organisational classification policy to determine the appropriate level of protection. The classification is reviewed and updated periodically. The owner is responsible for the classification.