What best practices for asset management should organizations use to minimize audit risks?
Start with the basics by implementing a Configuration Management Database (CMDB). But it doesn't have to be a sophisticated system; you could do something as simple as making a list on paper to get started. The key is to list all the assets and identify those that are essential to the organization.
Next, it is critical to know the latest installation or patch levels of these assets. You can do this by cross-referencing with websites like VirusTotal, which provide information on whether certain components are affected by vulnerabilities and how to address them, usually through patches.
To manage all this information effectively, it's best to use tools like SQL Server or Excel for quick sorting and analysis of the data, making it easier to stay on top of asset management and minimize audit risks.
In the cloud and digitalized world, where more and more cloud shared responsibility models are taking away the management and maintenance aspects of hardware and software assets up to the layer of the operating system (as in WebApps, containers, SaaS etc.) or leaving out the OS layer as in the case of IaaS, below are the best practices to minimise audit risks:
1. Only enumerate and inventory your assets at application level.
2. Capture application criticality (Critical vs Important) via business owner and map it to a business process.
3. Demarcate all security control deployments into two categories: those that are applicable to be deployed for 'Important' applications, and those extras that get deployed for 'Critical' applications.
By following the above 3 steps, you will reduce audit risks and findings by NOT wasting your efforts and budgets over securing 80% of the applications which are seldom classified as business 'critical', but you need to be very clear about definitions of what's important and critical for the business.
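The three steps above, sketched as a gap report over an application-level inventory. This is an added example, not part of the answer: the control names, the field names and the sample inventory are constructed assumptions, since the page names no specific controls.

```python
from dataclasses import dataclass, field
from typing import Optional

# Step 3: two control tiers. Control names are constructed placeholders.
BASELINE = {"Important": {"sso", "vuln_scanning", "backup"}}
# 'Critical' applications get the 'Important' set plus the extras.
BASELINE["Critical"] = BASELINE["Important"] | {"waf", "mfa_admin", "dr_test"}

@dataclass
class App:
    """Step 1: one record per application, not per host or OS."""
    name: str
    criticality: Optional[str]       # step 2: set by the business owner
    business_process: Optional[str]  # step 2: mapped business process
    owner: Optional[str]
    controls: set = field(default_factory=set)

def audit_gaps(inventory):
    """Return {app name: list of findings} for every app with a gap."""
    report = {}
    for app in inventory:
        findings = []
        if not app.owner:
            findings.append("no business owner recorded")
        if not app.business_process:
            findings.append("not mapped to a business process")
        required = BASELINE.get(app.criticality)
        if required is None:
            # Unclassified apps cannot be checked against any tier.
            findings.append(f"unclassified criticality: {app.criticality!r}")
        else:
            missing = sorted(required - app.controls)
            findings += [f"missing control: {c}" for c in missing]
        if findings:
            report[app.name] = findings
    return report

# Constructed sample inventory.
INVENTORY = [
    App("payroll", "Critical", "pay-employees", "hr-ops",
        {"sso", "vuln_scanning", "backup", "waf"}),
    App("wiki", "Important", "knowledge-sharing", "it",
        {"sso", "vuln_scanning", "backup"}),
    App("legacy-crm", None, None, "sales", {"sso"}),
]

if __name__ == "__main__":
    for name, findings in audit_gaps(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

Running the report before an audit surfaces unclassified applications and tier gaps while they can still be fixed.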
Every organization manages a variety of assets, from financial resources to hardware. But it’s not just about listing these assets in a database to keep track of numbers for audits. It’s about having a clear process, followed by automating workflows that cover all decision points throughout the asset's life cycle. This approach ensures that the right data is available when necessary to make key business decisions regarding those assets.
Holistically think about asset management governance. Include all data-generating assets, even if the organization doesn’t own them, as part of the overall strategy. Once you’ve developed this holistic approach, you can then assess where to integrate risk monitoring technology at each stage of the process and use this to break down silos across departments. Missing steps in this life cycle can lead to costly audits and business disruptions. Leaders in infrastructure and operations must address common pitfalls like incomplete processes or limited scope, which often result in underperforming asset management.