This article is part four in a twelve-part series on information security fundamentals for small and medium-sized businesses.
A television news station in Buffalo, New York used to open each newscast by asking its viewers a simple question:
It’s eleven o’clock. Do you know where your children are?
Talk about fear, uncertainty, and doubt! The audience stayed glued to the screen while news anchors regaled them with reports of the terrible things that happened around the world that day. All the while, those same viewers could rest easy, knowing that their children were tucked safely in bed, protected from whatever dangers might lie beyond their doors.
Still, this question illustrates an important point: if something has value to you, you need to keep track of it.
Small business owners deploy servers to process their business data, and they deploy network devices to send that data across the Internet. They deploy workstations, laptops, and smartphones to their employees to access that data. Some business owners even provide their employees with flash drives and removable hard drives to backup critical data and move it from one location to another.
If you’re a small business owner, ask yourself this question: Do you know where all of your IT assets are?
IT asset management is essential in reducing risk and effectively managing your budget, and every business owner should begin by taking an IT asset inventory. Task someone in your organization with tracking down each IT asset that stores, processes, and/or transmits business data.
The inventory should contain the make and model of each device, the name of the employee that each device has been assigned to, and any other relevant information that you need to keep track of your IT assets− not to mention plan for their replacement.
Once your IT asset inventory is complete, the next step is to schedule as recurring asset inventory process. Asset ownership will change with every employee hire, transfer, and separation you perform. Equipment will be retired and replaced. In some cases, IT assets will even be lost or stolen. You need to keep your asset inventory current, and a recurring asset inventory process is a simple way to accomplish this goal.
If you read the previous article in this series, you’re already aware of the importance of policies, procedures, and standards. Make sure that your documentation includes asset management considerations. Your Acceptable Use Policy may need to be updated to include language around handling company IT assets.
Likewise, you may need to define IT asset handling procedures that contain details around requesting and returning IT assets, as well as how IT assets are to be handled when taken off-site. What steps do you take to remove sensitive data from hard drives before disposing of old equipment? What steps should employees take to protect laptops and smartphones while traveling? Write down your expectations and communicate them to your employees.
Another key policy related to IT asset management is your Information Classification Policy. Does your organization process and/or store customer credit card data? What about electronic protected health information? Allowing your employees to store this data on laptops and tablets could result in a very costly data breach, a breach that could have been avoided had you documented your expectations in policy and trained your employees against those policies.
To recap, every business owner should do the following:
- • Generate an IT asset inventory
- • Review your IT asset inventory at least quarterly
- • Document an Acceptable Use Policy
- • Document an Information Classification Policy
- • Document IT asset handling procedures
In the next article, we’ll tackle Human Resources Security Management.