Cybersecurity Practice #5: IT Asset Management The process by which organizations manage IT assets is generally referred to as IT asset management (ITAM). ITAM is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM increases the visibility of cybersecurity professionals in the organization and reduces unknowns.
Cybersecurity Practice 5: IT Asset Management Data that may be affected Medium SubPractices Large SubPractices
Passwords, PHI 5.M.A 5.M.B 5.M.C 5.M.D 5.L.A 5.L.B
Inventory of Endpoints and Servers Procurement Secure Storage for Inactive Devices Decommissioning Assets Automated Discovery and Maintenance Integration with Network Access Control
ITAM processes should be Ransomware Attacks Loss of Theft of Equipment or Data implemented for endpoints, servers, Key Mitigated Insider, Accidental or Intentional Data Loss and networking equipment. The Risks Attacks Against Connected Medical Devices that cybersecurity practices in this section May Affect Patient Safety assist and support every other cybersecurity practice identified in this publication. ITAM cybersecurity practices can be difficult to implement and sustain, but they should be incorporated into every lifecycle stage of IT operations to maintain data accuracy and integrity. For each asset, the lifecycle includes procurement, deployment, maintenance, and decommissioning. Though each type of asset is used differently during its lifecycle, the lifecycle itself is consistent. The financial sector, as part of its public–private partnership with NIST National Cybersecurity Center of Excellence (NCCOE), has written a detailed ITAM practice guide: IT Asset Management. 22 Though specific to the financial sector, the methods discussed in the guide are easily applied to the HPH sector.
Sub-Practices for Medium-Sized Organizations 5.M.A
Inventory of Endpoints and Servers
NIST FRAMEWKORK REF: ID.AM-1
The first ITAM component that should be implemented is a buildout of the inventory repository. This critical technology component provides a normalized, consistent approach that organizations can use to store inventory data. Important data elements should be captured for each asset in the ITAM, including the following:
AssetID (primary key)
22. Michael Stone et al., IT Asset Management, (NIST Special Publication 1800-5b, October 2015, Rockville, MD), https://nccoe.nist.gov/sites/default/files/library/sp1800/fs-itam-nist-sp1800-5bdraft.pdf. 52
