Explain the security implications of proper hardware, software, and data asset management
You can’t protect what you don’t know about. Asset management is the foundation of every other security operation — vulnerability management, patching, incident response, and access control all depend on knowing what assets exist and their state.
Asset Inventory
Hardware Assets
- Servers, workstations, laptops, mobile devices, network equipment
- IoT devices, printers, cameras, HVAC controllers
- Removable media, external drives, USB devices
- Challenge: Shadow IT — devices connected to the network without IT knowledge
Software Assets
- Operating systems and versions, installed applications, libraries and dependencies
- Licensed vs. unlicensed software (compliance and legal risk)
- SaaS applications in use (sanctioned and unsanctioned)
Data Assets
- Databases, file shares, cloud storage, email archives
- Classified by sensitivity level (public, internal, confidential, restricted)
- Data owners assigned for each asset
Enumeration and Classification
- Automated discovery tools for network-connected assets
- CMDB (Configuration Management Database) as the central record
- Each asset tagged with: owner, classification, location, criticality, lifecycle stage
Acquisition and Procurement
Secure Procurement
- Purchase from authorized/trusted vendors only
- Verify hardware integrity (tamper-evident packaging, supply chain verification)
- Evaluate software security before deployment (SCA, vendor security assessment)
Standardization
- Approved hardware models and software versions reduce attack surface variety
- Standard builds/images ensure consistent security baselines
- Deviation from standards requires security review and approval
Assignment and Accounting
Ownership
Every asset must have an assigned owner responsible for its security.
- Hardware: assigned to individual users or departments
- Software: licensed and tracked
- Data: classified with a data owner who makes access decisions
Tracking
- Asset tags (physical and logical), serial numbers
- Check-in/check-out procedures for mobile and shared assets
- Geolocation tracking for mobile devices (MDM)
Asset Type Taxonomy
| Type | Who Owns | Who Manages | Security Considerations |
|---|---|---|---|
| Company-owned | Organization | IT/security team | Full control. Baseline, harden, encrypt, monitor, patch. |
| Leased | Lessor (vendor) | IT manages during lease | Must return in agreed condition. Data sanitization before return is critical — don’t send back a laptop with company data. |
| BYOD (Bring Your Own Device) | Employee | Partial (MDM container) | Limited control. Containerize corporate data. Can’t enforce full-disk encryption on personal device. Remote wipe limited to corporate container. |
| COPE (Corporate Owned, Personally Enabled) | Organization | IT (MDM) | Full control with personal use allowed. Best balance of security and employee satisfaction. |
Change of Custody Procedures
When an asset changes hands (reassignment, repair, decommission):
- Document the transfer: Who had it, who receives it, when, why
- Data handling: Wipe/sanitize before reassignment. User profiles from previous assignee must not be accessible.
- Access revocation: Remove previous user’s credentials, accounts, certificates from the device
- Inventory update: CMDB reflects the new custodian immediately
- Condition assessment: Document the state of the asset at transfer (damage, wear, configuration)
- Chain of custody for evidence: If the device is relevant to an investigation, full forensic chain of custody applies (see 4.8)
Data Retention
Retention Policies by Regulation
| Regulation/Standard | Retention Period | What’s Retained |
|---|---|---|
| PCI-DSS | 1 year minimum (audit logs) | Cardholder data environment logs, access records |
| SOX | 7 years | Financial records, audit workpapers, communications related to financial reporting |
| HIPAA | 6 years | PHI documentation, policies, risk assessments, training records |
| GDPR | No longer than necessary (purpose limitation) | Personal data — must delete when purpose is fulfilled |
| FERPA | Varies by record type | Student education records — permanent for some, 5 years for others |
| SEC Rule 17a-4 | 6 years (first 2 accessible) | Broker-dealer communications, trade records |
Key Retention Concepts
- Minimum retention: Hold at least this long (regulatory requirement)
- Maximum retention: Delete after this point (GDPR storage limitation, litigation risk from holding data too long)
- Legal hold overrides: Retention schedules are suspended for data subject to litigation hold (see 4.8)
- Backup retention: Applies to backups too — a backup containing data past its retention period is a compliance violation
- Destruction verification: When retention expires, confirm data was actually destroyed across all copies including backups
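The five concepts above can be applied mechanically to every stored copy of a record. The following is an added example, not part of the original notes: the schedule values are constructed (EMAIL_INTERNAL is a hypothetical internal policy with a maximum), and a backup copy is evaluated with exactly the same rule as the primary.

```python
from datetime import date

# Retention schedule in years keyed by governing regulation or internal policy.
# Constructed for this example; EMAIL_INTERNAL is a hypothetical internal
# maximum. None means no bound of that kind.
RETENTION_SCHEDULE = {
    "SOX":            {"min_years": 7, "max_years": None},
    "HIPAA":          {"min_years": 6, "max_years": None},
    "GDPR":           {"min_years": 0, "max_years": None},  # purpose-limited, see below
    "EMAIL_INTERNAL": {"min_years": 1, "max_years": 3},
}

def retention_decision(copy, today):
    """Classify one stored copy (primary or backup) of a record.
    Returns 'legal_hold', 'retain', 'delete_required' or 'eligible_for_deletion'."""
    # Legal hold overrides the schedule in both directions.
    if copy.get("legal_hold"):
        return "legal_hold"
    rule = RETENTION_SCHEDULE[copy["regulation"]]
    age_years = (today - copy["created"]).days / 365.25
    if age_years < rule["min_years"]:            # minimum retention not yet met
        return "retain"
    if rule["max_years"] is not None and age_years > rule["max_years"]:
        return "delete_required"                 # held too long: a violation
    if copy["regulation"] == "GDPR" and copy.get("purpose_fulfilled"):
        return "delete_required"                 # storage limitation
    return "eligible_for_deletion"

def overdue_copies(copies, today):
    """Ids of every copy, backups included, that must be destroyed now."""
    return [c["id"] for c in copies
            if retention_decision(c, today) == "delete_required"]

# Constructed sample records and reference date.
TODAY = date(2024, 1, 1)
GDPR_CRM = {"regulation": "GDPR", "created": date(2021, 3, 1),
            "legal_hold": False, "purpose_fulfilled": True}
SAMPLES = {
    "sox_young":   {"id": "gl-2020", "regulation": "SOX", "created": date(2020, 1, 1)},
    "sox_old":     {"id": "gl-2015", "regulation": "SOX", "created": date(2015, 1, 1)},
    "mail_old":    {"id": "mbx-2019", "regulation": "EMAIL_INTERNAL", "created": date(2019, 1, 1)},
    "crm_held":    {"id": "crm-h", **GDPR_CRM, "legal_hold": True},
    "crm_primary": {"id": "crm-p", **GDPR_CRM},
    "crm_backup":  {"id": "crm-b", **GDPR_CRM},  # backup is subject to the same rule
}
```

Destruction is only complete when `overdue_copies` returns an empty list for the record, because the backup shows up in it just like the primary.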
Monitoring
Usage Monitoring
- Software license compliance (overuse = legal risk, underuse = waste)
- Hardware utilization (underutilized assets may be candidates for decommission)
- Data access patterns (who’s accessing what, when)
State Monitoring
- Patch level and vulnerability status
- Configuration drift from baseline
- End-of-life/end-of-support status tracking
Media Sanitization
When storage media is reused, donated, or disposed of, data must be irrecoverably removed.
Methods (in order of increasing assurance)
- Clear: Overwriting with zeros/patterns. Protects against basic recovery tools. Sufficient for internal reuse.
- Purge: More thorough — cryptographic erase, block erase (SSD), or degaussing (magnetic media). Protects against laboratory recovery. Suitable for leaving organizational control.
- Destroy: Physical destruction — shredding, incineration, disintegration, melting. Highest assurance. Required for highest-sensitivity data.
Documentation and Standards
- Certificate of sanitization/destruction for compliance audits
- Chain of custody maintained until destruction is confirmed
- NIST SP 800-88 (Guidelines for Media Sanitization): The authoritative standard for media sanitization
  - Defines Clear, Purge, and Destroy categories (see above)
  - Decision flow based on data sensitivity and media reuse intent
  - Requires verification after sanitization (attempt to read the media to confirm data is irrecoverable)
  - Specifies that sanitization methods vary by media type — what works for HDD doesn’t work for SSD
- Exam tip: If a question asks about the standard for secure media disposal, the answer is NIST 800-88
SSD Considerations
Traditional overwriting doesn’t reliably work on SSDs due to wear leveling. Use:
- Manufacturer’s secure erase command
- Cryptographic erase (destroy the encryption key)
- Physical destruction for highest assurance
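The NIST SP 800-88 decision flow and the SSD caveats above can be encoded as a small planner. This is an added example, not code from the notes or from the standard: the technique table is constructed from the summary above (the standard's appendices are the authoritative source), and the sensitivity labels reuse the classification levels listed under Data Assets.

```python
# Techniques per media type and NIST SP 800-88 category. Constructed for this
# example from the summary above; the standard's appendices are authoritative.
# Degaussing and overwriting are deliberately absent for SSDs: wear leveling
# defeats overwriting and a degausser does not affect flash cells.
TECHNIQUES = {
    "hdd": {
        "clear":   ["overwrite"],
        "purge":   ["crypto_erase", "degauss"],     # crypto_erase needs a self-encrypting drive
        "destroy": ["shred", "disintegrate", "incinerate"],
    },
    "ssd": {
        "clear":   ["secure_erase"],                # manufacturer firmware command
        "purge":   ["crypto_erase", "block_erase"],
        "destroy": ["shred", "disintegrate", "incinerate"],
    },
}

def required_category(sensitivity, leaving_org_control):
    """Decision flow from the text: highest sensitivity -> Destroy; media that
    leaves organizational control -> Purge; internal reuse -> Clear."""
    if sensitivity == "restricted":
        return "destroy"
    if leaving_org_control:
        return "purge"
    return "clear"

def plan_sanitization(media_type, sensitivity, leaving_org_control,
                      self_encrypting=False):
    """Return (category, technique) for one piece of media."""
    category = required_category(sensitivity, leaving_org_control)
    options = TECHNIQUES[media_type][category]
    if not self_encrypting:                          # no key to destroy
        options = [t for t in options if t != "crypto_erase"]
    if not options:
        raise ValueError(f"no {category} technique available for {media_type}")
    return category, options[0]

def technique_category(media_type, technique):
    """Category a technique achieves on this media, or None if it is ineffective
    (e.g. overwrite or degauss on an SSD) and must not be signed off."""
    for category, techs in TECHNIQUES[media_type].items():
        if technique in techs:
            return category
    return None

def certificate(asset_id, media_type, technique, verified):
    """Record for the certificate of sanitization; refuses ineffective techniques
    and unverified work (800-88 requires a post-sanitization read attempt)."""
    category = technique_category(media_type, technique)
    if category is None or not verified:
        return None
    return {"asset": asset_id, "media": media_type, "technique": technique,
            "category": category, "verified": True}
```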
Asset Disposal and Decommissioning
- Remove from network and all management systems
- Revoke all access credentials and certificates
- Sanitize or destroy storage media
- Update asset inventory and CMDB
- Return leased equipment according to vendor procedures
- Risk: Forgotten assets that are decommissioned from use but not from the network continue to run unpatched
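The shadow IT gap under Enumeration and Classification and the forgotten-asset risk in the list above are both exposed by the same check: reconciling an automated discovery scan against the CMDB. Added example, not part of the original notes; the CMDB and scan records are constructed, matching on MAC address is an assumption, and the required tags are those listed under Enumeration and Classification.

```python
# Constructed CMDB extract: one record per asset with the tags the inventory
# scheme above requires. Keying on MAC address is an assumption of this example.
CMDB = [
    {"id": "srv-001", "mac": "00:11:22:33:44:01", "owner": "ops", "classification": "confidential",
     "location": "dc1", "criticality": "high", "lifecycle": "production"},
    {"id": "srv-002", "mac": "00:11:22:33:44:02", "owner": "ops", "classification": "internal",
     "location": "dc1", "criticality": "low", "lifecycle": "decommissioned"},
    {"id": "cam-017", "mac": "00:11:22:33:44:17", "owner": "", "classification": "internal",
     "location": "lobby", "criticality": "low", "lifecycle": "production"},
]
# Constructed output of an automated discovery scan of the same network.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11"},   # decommissioned on paper, still online
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.7.99"},   # not in the CMDB at all
]
REQUIRED_TAGS = ("owner", "classification", "location", "criticality", "lifecycle")

def reconcile(cmdb, discovered):
    """Compare discovery results with the CMDB and return the gaps:
    shadow_it    - on the network but unknown to the CMDB
    zombie       - decommissioned in the CMDB but still answering on the network
    missing_tags - CMDB records with empty required tags (no owner = nobody patches it)
    unseen       - production assets the scan did not find (stale record or offline)"""
    by_mac = {a["mac"]: a for a in cmdb}
    seen = set()
    findings = {"shadow_it": [], "zombie": [], "missing_tags": [], "unseen": []}
    for host in discovered:
        seen.add(host["mac"])
        asset = by_mac.get(host["mac"])
        if asset is None:
            findings["shadow_it"].append(host["ip"])
        elif asset["lifecycle"] == "decommissioned":
            findings["zombie"].append(asset["id"])
    for asset in cmdb:
        missing = [t for t in REQUIRED_TAGS if not asset.get(t)]
        if missing:
            findings["missing_tags"].append((asset["id"], missing))
        if asset["lifecycle"] == "production" and asset["mac"] not in seen:
            findings["unseen"].append(asset["id"])
    return findings
```

Each finding maps to a step in the list above: a zombie host was never removed from the network, and an unowned record has nobody responsible for its patching and monitoring.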
Offensive Context
Asset inventory gaps are attacker opportunity. Unmanaged devices don’t get patched, monitored, or hardened. Shadow IT creates unmonitored attack surface. Improper media disposal has led to high-profile data breaches — hard drives from decommissioned servers appearing on eBay with recoverable data. An attacker performing reconnaissance is building their own version of your asset inventory — and they’re often more thorough than the organization’s.