Day 32 — Bringing in the New Year
By creating our software asset inventory.
OK, so I’m pretty boring these days — blame COVID :). Today I continued my work toward HIPAA Compliance by building out our Asset Inventory.
Asset management is the collection of processes that relate to how you track and protect the data you care about. “Asset” is a broad concept–it is often used to describe anything of value to an organization that requires some level of protection (including people). But when we talk about “asset management,” we are usually referring to protecting our data and the systems they are stored on, processed by, or transmitted through.
Similar to our vendor assessment from the last couple of days, the asset inventory is critical to our information security, as we use a lot of third-party tools to store, process, and transmit our data.
Today’s Problem to Solve
Our software asset inventory includes the following:
- Applications
- SaaS
- Databases
- Code Repositories
For each of these, I needed to identify the following information (based on our policy for asset management):
- the name of the asset;
- the owner of the asset;
- a description of the asset;
- the purpose of the asset;
- the asset’s status (including whether Active or Inactive);
- the highest classification level of the data that the asset will store, process, or transmit;
- the impact on our organization if we were to lose the use of the asset;
- the impact that we would suffer if we were to lose the confidentiality, integrity, or availability of the asset (or its data);
- the asset’s business-continuity properties (Maximum Tolerable Downtime, Recovery Point Objective, and Recovery Time Objective), if applicable; and
- the workforce members and teams that are authorized to access the asset.
None of this is hard work; it’s just really, really tedious.
The Results
It turns out we use a lot of software! Here’s how it breaks down:

I built this out in a spreadsheet formatted to answer the questions identified above. Here’s a sample:

Repeat this 60 times and the software asset inventory is (basically) complete.
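With 60 hand-entered rows, a completeness check against the policy fields listed above catches gaps before an auditor does. The following is an added example, not the spreadsheet or tooling from this post; the column names, the sample rows, the "PHI"/"Internal" labels, and the rule that RTO must not exceed MTD are assumptions made for illustration.

```python
import csv
import io

# Column names are assumptions; they mirror the policy fields listed above.
REQUIRED = ["name", "owner", "description", "purpose", "status", "classification",
            "loss_of_use_impact", "cia_impact", "authorized_access"]
BC_FIELDS = ["mtd_hours", "rpo_hours", "rto_hours"]  # optional ("if applicable")

# Constructed sample rows, not real inventory data.
SAMPLE_CSV = """name,owner,description,purpose,status,classification,loss_of_use_impact,cia_impact,mtd_hours,rpo_hours,rto_hours,authorized_access
Patient DB,Data Eng,Primary database,Stores patient records,Active,PHI,High,High,8,1,4,Data Eng;Backend
Issue Tracker,Eng,SaaS ticketing,Track work,Active,Internal,Low,Low,,,,Engineering
Old Wiki,,Legacy wiki,Docs,Retired,Internal,Low,Low,,,,
Billing App,Finance,Invoicing app,Bill customers,Active,PHI,High,High,4,1,12,Finance
"""

def validate_row(row):
    """Return a list of policy gaps for one inventory row."""
    findings = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
    status = (row.get("status") or "").strip()
    if status and status not in ("Active", "Inactive"):
        findings.append(f"invalid status {status!r}")
    bc = {f: (row.get(f) or "").strip() for f in BC_FIELDS}
    given = [f for f, v in bc.items() if v]
    if given and len(given) < len(BC_FIELDS):
        findings.append("incomplete business-continuity values")
    elif given:
        try:
            hours = {f: float(v) for f, v in bc.items()}
        except ValueError:
            findings.append("non-numeric business-continuity value")
        else:
            # Recovery has to finish within the tolerable outage window.
            if hours["rto_hours"] > hours["mtd_hours"]:
                findings.append("RTO exceeds MTD")
    return findings

def audit(csv_text):
    """Map asset name -> findings, for rows that have at least one gap."""
    report = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        findings = validate_row(row)
        if findings:
            report[(row.get("name") or "").strip() or f"row {line_no}"] = findings
    return report

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE_CSV).items():
        print(f"{asset}: {', '.join(findings)}")
```

To run it against a real export, pass the file's text to `audit()` after renaming the columns to match.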
What’s Next?
We need to make some changes to some of the systems in our asset inventory, specifically what type of data we’re storing in them. We also need to make sure we have appropriate access controls on them so that only authorized users have access.
Happy New Year!
