Asset Management (AST)

Purpose

Maintains an inventory of systems and technology assets from purchase through disposition, to ensure secured use, regardless of the asset's location.

Scope

This control applies to all endpoint workstations as well as virtual assets within our hosting providers.

Ownership

IT Operations owns the workstation assets portion of this control
Infrastructure owns the system and service portions of this control

Controls

Network Diagrams & Data Flow Diagrams (DFDs)

Control Statement: Has implemented mechanisms to maintain network architecture diagrams that:

Contain sufficient detail to assess the security of the network's architecture;
Reflect the current state of the network environment; and
Document all sensitive data flows.

Goal: Does the organization maintain network architecture diagrams that:

Contain sufficient detail to assess the security of the network's architecture;
Reflect the current state of the network environment; and
Document all sensitive data flows?

Test of Design

Inspect formal policies, procedures or other relevant documentation to support the assessment of security against the network architecture and reflect the current state of the network environment and sensitive data flows.
Interview key organizational personnel within FormAssembly to discuss high level workflows that support the assessment of security against the network architecture and the documentation of the current state of the network environment and sensitive data flows.

Test of Operating Effectiveness

Examine relevant documentation and network diagrams to assess that sufficient detail is provide to outline the security of the network architecture.
Examine relevant policies and documentation against the network diagram to determine if it sufficiently defines the current state of the network environment and all sensitive data flows.

Secure Disposal or Re-Use of Equipment

Statement: Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Goal: Does the organization securely destroy media when it is no longer needed for business or legal reasons?

Test of Design

Inspect formal policies, procedures or other relevant documentation that outline mechanisms used to securely destroy media when no longer needed for business or legal purposes.

Test of Operating Effectiveness

Examine data destruction policies, procedures and configurations for evidence that the procedures, policies and configurations facilitate implementation and adherence of media destruction when no longer needed for business or legal purposes.

Definitions

Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

PreviousSecurity Controls NextBusiness Continuity and Disaster Recovery (BCD)

Last updated 1 year ago

Asset Management (AST)

Purpose

Maintains an inventory of systems and technology assets from purchase through disposition, to ensure secured use, regardless of the asset's location.

Scope

This control applies to all endpoint workstations as well as virtual assets within our hosting providers.

Ownership

IT Operations owns the workstation assets portion of this control
Infrastructure owns the system and service portions of this control

Controls

Network Diagrams & Data Flow Diagrams (DFDs)

Control Statement: Has implemented mechanisms to maintain network architecture diagrams that:

Contain sufficient detail to assess the security of the network's architecture;
Reflect the current state of the network environment; and
Document all sensitive data flows.

Goal: Does the organization maintain network architecture diagrams that:

Contain sufficient detail to assess the security of the network's architecture;
Reflect the current state of the network environment; and
Document all sensitive data flows?

Test of Design

Inspect formal policies, procedures or other relevant documentation to support the assessment of security against the network architecture and reflect the current state of the network environment and sensitive data flows.
Interview key organizational personnel within FormAssembly to discuss high level workflows that support the assessment of security against the network architecture and the documentation of the current state of the network environment and sensitive data flows.

Test of Operating Effectiveness

Examine relevant documentation and network diagrams to assess that sufficient detail is provide to outline the security of the network architecture.
Examine relevant policies and documentation against the network diagram to determine if it sufficiently defines the current state of the network environment and all sensitive data flows.

Secure Disposal or Re-Use of Equipment

Goal: Does the organization securely destroy media when it is no longer needed for business or legal reasons?

Test of Design

Inspect formal policies, procedures or other relevant documentation that outline mechanisms used to securely destroy media when no longer needed for business or legal purposes.

Test of Operating Effectiveness

Examine data destruction policies, procedures and configurations for evidence that the procedures, policies and configurations facilitate implementation and adherence of media destruction when no longer needed for business or legal purposes.

Definitions

Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

PreviousSecurity Controls NextBusiness Continuity and Disaster Recovery (BCD)

Last updated 1 year ago