5.2.1. Acquisition and Assignment
💡 First Principle: Security starts at procurement. The security capabilities of a device or software are largely determined at purchase: you can't add hardware encryption to a device that doesn't support it. Making security a procurement requirement prevents costly retrofitting later.
Acquisition/procurement: security requirements should be part of purchasing decisions. Does the hardware support encryption? Does the vendor provide timely security patches? Can the software integrate with your identity management system? Is the vendor financially stable enough to provide long-term support? Procurement checklists that include security criteria prevent acquiring assets that create unmanageable risk. For cloud services, evaluate the vendor's shared responsibility model and compliance certifications.
Assignment/accounting: every asset has an owner responsible for its security. Asset registers track hardware (serial number, model, location, owner, warranty status), software (version, license count, installation locations, end-of-life dates), and data (classification, owner, storage location, retention period). Unassigned assets are nobody's responsibility, and nobody's responsibility means nobody patches, monitors, or decommissions them.
Enumeration: discovering and cataloging all assets on the network. Automated scanning tools, network discovery protocols (ARP, SNMP), and agent-based inventory systems maintain an up-to-date asset register. Without enumeration, shadow IT proliferates: employees deploy cloud services, personal devices join the network, and unauthorized software runs undetected. Regular enumeration catches these gaps.
CMDB (Configuration Management Database): a centralized database tracking assets and their configurations, relationships, and history. The CMDB is the single source of truth for "what do we have and how is it configured?" It maps dependencies between assets: when you need to patch a server, the CMDB tells you which applications depend on it and who to notify.
⚠️ Exam Trap: The CMDB is not just an inventory; it tracks configurations and relationships. It tells you not only that server X exists, but what software it runs, which network segment it's on, and which services depend on it.
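As an added illustration (not part of the study guide), here is a small Python model of the asset register and CMDB ideas above: it flags unowned assets, answers the "what depends on this server and who do I notify before patching it" question, and reconciles an enumeration sweep against the register to surface shadow IT. All asset names, owners and the sweep result are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    asset_id: str
    kind: str                    # "hardware", "software" or "data"
    owner: Optional[str]         # None = unassigned, i.e. nobody's responsibility
    depends_on: list = field(default_factory=list)

class CMDB:
    """Minimal CMDB: assets plus the dependency relationships between them."""
    def __init__(self, assets):
        self.assets = {a.asset_id: a for a in assets}
    def unowned(self):
        """Assets with no owner: nobody patches, monitors or decommissions them."""
        return sorted(a.asset_id for a in self.assets.values() if not a.owner)
    def dependents(self, asset_id):
        """Everything that directly or transitively depends on asset_id."""
        seen, frontier = set(), [asset_id]
        while frontier:
            current = frontier.pop()
            for a in self.assets.values():
                if current in a.depends_on and a.asset_id not in seen:
                    seen.add(a.asset_id)
                    frontier.append(a.asset_id)
        return sorted(seen)
    def patch_notify(self, asset_id):
        """Owners to notify before patching asset_id: the owners of its dependents."""
        return sorted({self.assets[d].owner for d in self.dependents(asset_id)
                       if self.assets[d].owner})
    def reconcile(self, discovered):
        """Compare an enumeration sweep against registered hardware: 'unregistered'
        is shadow IT seen on the wire, 'missing' is registered but not seen."""
        found = set(discovered)
        registered = {a.asset_id for a in self.assets.values() if a.kind == "hardware"}
        return {"unregistered": sorted(found - registered),
                "missing": sorted(registered - found)}

# Constructed sample register: hypothetical assets, not from any real environment.
SAMPLE_CMDB = CMDB([
    Asset("db-server-01", "hardware", "dba-team"),
    Asset("app-payroll", "software", "hr-it", ["db-server-01"]),
    Asset("web-portal", "software", "web-team", ["app-payroll"]),
    Asset("payroll-data", "data", None, ["app-payroll"]),
    Asset("printer-07", "hardware", None),
])
# Constructed enumeration result, as an ARP/SNMP sweep might return it.
DISCOVERED = ["db-server-01", "printer-07", "nas-unknown-3"]
```

Calling `SAMPLE_CMDB.patch_notify("db-server-01")` walks the dependency chain (app-payroll, then web-portal and payroll-data) and returns the owners to notify, while `reconcile(DISCOVERED)` reports the unregistered `nas-unknown-3` as a candidate shadow-IT device.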
