5.2. Hardware, Software, and Data Asset Management
First Principle: You can't protect what you don't know you have. Like a warehouse manager without an inventory, you won't notice when something goes missing. Asset management creates and maintains a comprehensive inventory of every piece of hardware, software, and data the organization owns or manages. Without it, you can't patch what you don't know is running, retire what you don't know exists, or respond to incidents involving unknown assets.
What happens without asset management? Shadow IT proliferates: employees deploy unapproved cloud services, personal devices connect to the network, and unauthorized software runs on servers. When a vulnerability is announced, you don't know how many systems are affected. When a device is compromised, you don't know what data it could access. Asset management is the foundation that every other security operation depends on.
The lifecycle matters because security requirements change at each stage: procurement decisions affect security capabilities, deployment must follow hardening standards, operation requires patching and monitoring, and disposal must prevent data leakage. Miss any stage and you create risk.
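The questions raised above (which devices are unknown, which systems a newly announced vulnerability affects, what data they can reach, and whether disposed hardware is really gone) can all be answered from one inventory. The following Python sketch is an added example, not part of the original text; the asset names, MAC addresses, the package name "examplelib" and its versions are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    mac: str
    stage: str  # lifecycle stage: procurement | deployment | operation | disposal
    software: dict = field(default_factory=dict)  # package name -> installed version
    data_classes: tuple = ()  # kinds of data this asset can access

def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def reconcile(inventory, observed_macs):
    """Compare the inventory with the MACs a network discovery scan observed."""
    by_mac = {a.mac.lower(): a for a in inventory}
    seen = {m.lower() for m in observed_macs}
    return {
        # On the network but not in the inventory: candidate shadow IT.
        "unknown": sorted(seen - set(by_mac)),
        # Marked disposed yet still talking: disposal was not completed.
        "retired_but_active": sorted(
            a.asset_id for m, a in by_mac.items() if m in seen and a.stage == "disposal"),
        # Supposed to be operating but not observed: lost, stolen or stale record.
        "missing": sorted(
            a.asset_id for m, a in by_mac.items() if m not in seen and a.stage == "operation"),
    }

def affected_by(inventory, package, fixed_version):
    """Assets running `package` below the fixed version, mapped to the data they can access."""
    fixed = parse_version(fixed_version)
    return {a.asset_id: a.data_classes for a in inventory
            if package in a.software and parse_version(a.software[package]) < fixed}

# Constructed sample inventory and scan result (hypothetical values).
INVENTORY = [
    Asset("srv-web-01", "00:00:5E:00:53:01", "operation", {"examplelib": "2.3.9"}, ("customer-pii",)),
    Asset("srv-db-01", "00:00:5E:00:53:02", "operation", {"examplelib": "2.4.1"}, ("customer-pii", "payment")),
    Asset("lt-0042", "00:00:5E:00:53:03", "disposal", {"examplelib": "2.1.0"}, ("financial",)),
    Asset("lt-0077", "00:00:5E:00:53:04", "operation", {}, ("hr-records",)),
]
OBSERVED = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03", "00:00:5e:00:53:99"]

if __name__ == "__main__":
    print(reconcile(INVENTORY, OBSERVED))
    print(affected_by(INVENTORY, "examplelib", "2.4.1"))
```

Version parsing here assumes purely numeric dotted versions; real inventories need a parser that matches the vendor's versioning scheme.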
