3.2.2. Asset Inventory and Lifecycle Management
💡 First Principle: You cannot protect what you don't know you have. Asset inventory is the foundational security control that makes all other controls possible — access controls require knowing which systems exist, vulnerability management requires knowing what software runs on them, and data protection requires knowing where data lives.
Asset inventory scope — two dimensions:
Tangible assets: Hardware (servers, workstations, laptops, network equipment, storage), physical media (hard drives, USB drives, tapes, optical disks), facilities (data centers, offices, disaster recovery sites).
Intangible assets: Software licenses, intellectual property (code, designs, trade secrets), data and information, brand and reputation, contractual rights.
Asset management requirements:
| Element | What It Captures | Why It Matters |
|---|---|---|
| Asset ID | Unique identifier | Enables tracking across systems |
| Asset type | Hardware / software / data / IP | Determines applicable controls |
| Owner | Named accountable individual | Establishes responsibility |
| Classification | Sensitivity level | Determines required protections |
| Location | Physical and/or logical location | Enables physical security and network controls |
| Dependencies | What this asset depends on; what depends on it | Business impact analysis (BIA) and DR planning |
| Status | Active / end-of-life / disposed | Determines whether controls are still required |
| Value | Replacement cost, revenue contribution | Risk quantification |
Asset management lifecycle — assets have security implications at every stage:
- Procurement/acquisition — verify vendor security posture; check for supply chain risks; document asset from day one
- Deployment — apply secure baseline configuration before connecting to network; register in inventory
- Operations — maintain patch currency; audit access; monitor for anomalies
- Maintenance — change management for all modifications; document all changes
- End-of-life — plan before end-of-life (EOL) and end-of-support (EOS) dates, since unsupported assets stop receiving security fixes; migrate or implement compensating controls
- Disposal — data destruction before release; document destruction method and date; remove from inventory
Configuration baselines — a documented, approved minimum security configuration for each asset type. Deviations require formal change management approval. Baselines are typically derived from:
- CIS Benchmarks (community-developed, vendor-neutral)
- DISA STIGs (US DoD hardening guides)
- Vendor security guides
- Internal security standards
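A baseline is only useful if deviations are actually detected. The following is an added example (not from the original study guide, and not an excerpt of any CIS Benchmark or STIG): it parses an `sshd_config`-style file and reports each baseline keyword that is missing or set to a value other than the required one. Both the `BASELINE` dictionary and `SAMPLE_CONFIG` are constructed for illustration; the keyword choices are common hardening recommendations but the exact set and values are assumptions, not a published benchmark.

```python
import re

# Constructed example baseline (keyword -> required value). This is NOT a
# verbatim CIS Benchmark or STIG; a real baseline would cite the benchmark
# item for each setting. Comparison is case-insensitive.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config sample: two deviations, one missing setting, and a
# Match block whose conditional override must NOT count as compliance.
SAMPLE_CONFIG = """\
# Managed by configuration management
Port 22
PermitRootLogin yes
passwordauthentication no
X11Forwarding yes
MaxAuthTries 4
Match User backup
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the unconditional part of the file.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored, and everything after a Match line applies only when the Match
    criteria are met, so parsing stops there. Keywords are case-insensitive;
    'Keyword value' and 'Keyword=value' are both accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins, as in sshd
    return settings


def check_baseline(config_text, baseline=BASELINE):
    """Return a list of (keyword, actual, required) for every deviation.

    'actual' is the literal "missing" when the keyword is absent, which is a
    deviation too: the compiled-in default may differ from the baseline.
    """
    settings = parse_sshd_config(config_text)
    deviations = []
    for key, required in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            deviations.append((key, "missing", required))
        elif actual.lower() != required.lower():
            deviations.append((key, actual, required))
    return deviations


if __name__ == "__main__":
    for key, actual, required in check_baseline(SAMPLE_CONFIG):
        print(f"DEVIATION {key}: actual={actual!r} required={required!r}")
```

Run against the sample, the check flags `PermitRootLogin` and `X11Forwarding` as mismatches and `PermitEmptyPasswords` as missing, even though a later `Match` block sets `PermitRootLogin no` for one user; that override is conditional and does not make the host compliant. Every deviation the script reports should map to an approved change record; anything without one is exactly the drift that change management is supposed to prevent.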
⚠️ Exam Trap: "Shadow IT" — assets deployed without IT/security knowledge — is invisible to asset management systems and therefore receives no security controls. Unauthorized cloud deployments, personal devices used for work (BYOD without enrollment), and departmentally procured software all create a shadow inventory, and every asset in it is unmanaged risk: unpatched, unmonitored, unowned, and often unknown until an incident or an audit surfaces it.
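The practical countermeasure to shadow inventory is to stop trusting the register on its own and reconcile it against what discovery actually finds (a cloud inventory API, a network scan, an endpoint agent census). The following is an added example, not part of the original study guide: `INVENTORY` stands in for a constructed CMDB export and `DISCOVERED` for constructed discovery results; the field names (`asset_id`, `status`, `eol_date`, `tags`) are assumptions, not any particular tool's schema. It reports the four findings a practitioner cares about: assets that exist but were never registered (shadow IT), registered assets that no longer exist (ghost records), assets marked disposed that are still running, and assets past their EOL date that are still live.

```python
from datetime import date

# Constructed CMDB export. A real export would carry more of the table's
# elements (classification, location, dependencies, value).
INVENTORY = [
    {"asset_id": "web-01", "owner": "alice", "status": "active", "eol_date": None},
    {"asset_id": "db-01", "owner": "bob", "status": "active", "eol_date": "2024-06-30"},
    {"asset_id": "legacy-01", "owner": "carol", "status": "end-of-life", "eol_date": "2023-01-01"},
    {"asset_id": "old-fs", "owner": "dave", "status": "disposed", "eol_date": "2022-01-01"},
]

# Constructed discovery results: what the cloud API / scanner actually found.
DISCOVERED = [
    {"asset_id": "web-01", "tags": {"owner": "alice"}},
    {"asset_id": "db-01", "tags": {"owner": "bob"}},
    {"asset_id": "legacy-01", "tags": {}},
    {"asset_id": "old-fs", "tags": {}},                       # "disposed", yet still running
    {"asset_id": "dev-sandbox-7", "tags": {"team": "dev"}},   # never registered: shadow IT
]


def reconcile(inventory, discovered, today):
    """Compare the register against discovery and return the gaps.

    `today` is an ISO date string; EOL is judged against it. Returns a dict of
    sorted asset-id lists plus `coverage`, the fraction of discovered assets
    that have an inventory record (the number an audit would quote).
    """
    today_d = date.fromisoformat(today)
    registered = {a["asset_id"]: a for a in inventory}
    live = {d["asset_id"] for d in discovered}

    # Exists but nobody registered it: no owner, no classification, no controls.
    unregistered = sorted(i for i in live if i not in registered)
    # Register says it is a live asset, but discovery cannot find it.
    ghost = sorted(i for i, a in registered.items()
                   if a["status"] != "disposed" and i not in live)
    # Disposal was recorded (and data destruction presumably signed off), yet it is still up.
    disposed_but_live = sorted(i for i, a in registered.items()
                               if a["status"] == "disposed" and i in live)
    # Still live past its EOL date: needs migration or compensating controls.
    past_eol = sorted(i for i, a in registered.items()
                      if a["status"] != "disposed" and a["eol_date"]
                      and date.fromisoformat(a["eol_date"]) <= today_d and i in live)

    coverage = (len(live) - len(unregistered)) / len(live) if live else 1.0
    return {
        "unregistered": unregistered,
        "ghost": ghost,
        "disposed_but_live": disposed_but_live,
        "past_eol": past_eol,
        "coverage": coverage,
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, DISCOVERED, "2024-07-01")
    for finding, ids in report.items():
        print(f"{finding}: {ids}")
```

On the sample data, coverage is 0.8 (one of five discovered workloads is unregistered), `old-fs` shows up as disposed-but-live, and `db-01` and `legacy-01` are past EOL. In practice this reconciliation is scheduled, not run once: the "immediate action" is to register and classify the unregistered assets and assign owners; the process change is to make registration a side effect of provisioning (for instance, a provisioning pipeline that refuses to create a workload without owner and classification tags) so that the next run finds nothing new.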
Reflection Question: A security audit discovers that 23% of the organization's cloud workloads are not in the asset inventory and were provisioned directly by development teams. What immediate actions does the security team need to take, and what process change prevents this in the future?