IT Audit and Governance

🛡️ The ABCs of Cybersecurity Audit: Focusing on Asset Management - The Definitive Edition 🛠️

Hello Cyber Warriors! 👋 Today, we're taking a comprehensive look at Asset Management within cybersecurity audits, enriched with references to industry standards and frameworks. Buckle up, because we're about to get technical! 🎯
---
📋 ID.AM-1: Physical Device Inventory 🖥️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Physical devices and systems within the organisation are inventoried.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-1 Checklist:
1. 🧾 Create a device registry
- Example: Use a centralised asset management system to record all servers, laptops, and mobile devices.
2. 🕵️‍♀️ Use network scanning tools
- Example: Employ tools like Nmap to scan for devices connected to your network.
3. 🔄 Regularly update the inventory
- Example: Automate alerts to review the inventory every quarter.
4. 🎫 Label all devices
- Example: Use QR codes to label devices for quick scanning and identification.

📝 ID.AM-2: Software Inventory 📦
- Function: IDENTIFY
- Category: Asset Management
- Audit: Software platforms and applications within the organisation are inventoried.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-2 Checklist:
1. 📜 Create a software registry
2. 🛡️ List all security certificates
3. ⏲️ Track expiration dates
4. 🛠️ Update or remove outdated software
- Example: Use vulnerability scanners to identify software that needs updating or removal.

🌐 ID.AM-3: Data Flow Mapping 🗺️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Organisational communication and data flows are mapped.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-3 Checklist:
1. 📈 Identify data entry and exit points
- Example: Pinpoint where customer data enters via the CRM and exits via email reports.
2. 🚦 List all data transformation processes
- Example: Document how raw sales data is transformed into actionable insights.
3. 🔄 Regularly review and update the map
- Example: Audit the data flow map after any significant infrastructure changes.

🌍 ID.AM-4: External Systems Catalogue 📚
- Function: IDENTIFY
- Category: Asset Management
- Audit: External information systems are catalogued.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-4 Checklist:
1. 📝 List all third-party systems
- Example: Catalogue all SaaS tools like Salesforce, AWS, and Slack.
2. 🛡️ Verify their security posture
- Example: Check if the vendors are GDPR-compliant or hold relevant security certifications.
3. 🤝 Establish security SLAs (Service Level Agreements)
- Example: Negotiate SLAs that require vendors to notify you within 24 hours of a security incident.

🎯 ID.AM-5: Resource Prioritisation ⚖️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Resources are prioritised based on their classification, criticality, and business value.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-5 Checklist:
1. 🏷️ Classify all resources
2. 📊 Perform a risk assessment
- Example: Use the FAIR framework to assess the financial impact of losing specific assets.
3. 👑 Prioritise critical assets

🎭 ID.AM-6: Cybersecurity Roles and Responsibilities 🤝
- Function: IDENTIFY
- Category: Asset Management
- Audit: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established.

www.tg-me.com/us/IT Audit and Governance/com.IT_Audit/343

2.4K viewsMr Moon, Oct 12, 2023 at 09:41

🛡️ The ABCs of Cybersecurity Audit: Focusing on Asset Management - The Definitive Edition 🛠️

Hello Cyber Warriors! 👋 Today, we're taking a comprehensive look at Asset Management within cybersecurity audits, enriched with references to industry standards and frameworks. Buckle up, because we're about to get technical! 🎯
---
📋 ID.AM-1: Physical Device Inventory 🖥️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Physical devices and systems within the organisation are inventoried.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-1 Checklist:
1. 🧾 Create a device registry
- Example: Use a centralised asset management system to record all servers, laptops, and mobile devices.
2. 🕵️‍♀️ Use network scanning tools
- Example: Employ tools like Nmap to scan for devices connected to your network.
3. 🔄 Regularly update the inventory
- Example: Automate alerts to review the inventory every quarter.
4. 🎫 Label all devices
- Example: Use QR codes to label devices for quick scanning and identification.

📝 ID.AM-2: Software Inventory 📦
- Function: IDENTIFY
- Category: Asset Management
- Audit: Software platforms and applications within the organisation are inventoried.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-2 Checklist:
1. 📜 Create a software registry
2. 🛡️ List all security certificates
3. ⏲️ Track expiration dates
4. 🛠️ Update or remove outdated software
- Example: Use vulnerability scanners to identify software that needs updating or removal.

🌐 ID.AM-3: Data Flow Mapping 🗺️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Organisational communication and data flows are mapped.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-3 Checklist:
1. 📈 Identify data entry and exit points
- Example: Pinpoint where customer data enters via the CRM and exits via email reports.
2. 🚦 List all data transformation processes
- Example: Document how raw sales data is transformed into actionable insights.
3. 🔄 Regularly review and update the map
- Example: Audit the data flow map after any significant infrastructure changes.

🌍 ID.AM-4: External Systems Catalogue 📚
- Function: IDENTIFY
- Category: Asset Management
- Audit: External information systems are catalogued.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-4 Checklist:
1. 📝 List all third-party systems
- Example: Catalogue all SaaS tools like Salesforce, AWS, and Slack.
2. 🛡️ Verify their security posture
- Example: Check if the vendors are GDPR-compliant or hold relevant security certifications.
3. 🤝 Establish security SLAs (Service Level Agreements)
- Example: Negotiate SLAs that require vendors to notify you within 24 hours of a security incident.

🎯 ID.AM-5: Resource Prioritisation ⚖️
- Function: IDENTIFY
- Category: Asset Management
- Audit: Resources are prioritised based on their classification, criticality, and business value.
- Guidance: The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistently.

ID.AM-5 Checklist:
1. 🏷️ Classify all resources
2. 📊 Perform a risk assessment
- Example: Use the FAIR framework to assess the financial impact of losing specific assets.
3. 👑 Prioritise critical assets

🎭 ID.AM-6: Cybersecurity Roles and Responsibilities 🤝
- Function: IDENTIFY
- Category: Asset Management
- Audit: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established.

BY IT Audit and Governance