- Basic Security Principles
- Data Management: Determine and Maintain Ownership
- Data Standards
- Data Security, Protection, Sharing, and Dissemination
- Classifying Information and Supporting Assets
- Asset Management and Governance
- Determine Data Security Controls
- Laws, Standards, Mandates and Resources
- Exam Prep Questions
- Answers to Exam Prep Questions
- Need to Know More?
Asset Management and Governance
The job of asset management and governance is to align the goals of IT to the business functions of the organization, to track assets throughout their lifecycle, and to protect the assets of the organization. Asset management can be defined as any system that inventories, monitors, and maintains items of value. Assets can be both tangible and intangible. Assets can include the following:
You can think of asset management as a structured approach of deploying, operating, maintaining, upgrading, and disposing of assets cost-effectively. Asset management is required for proper risk assessment. Before you can start to place a value on an asset you must know what it is and what it is worth. Its value can be assessed either quantitatively or qualitative. A quantitative approach requires:
Estimation of potential losses and determination of single loss expectancy (SLE)
Completion of a threat frequency analysis and calculation of the annual rate of occurrence (ARO)
Determination of the annual loss expectancy (ALE)
A qualitative approach does not place a dollar value on the asset and ranks it as high, medium, or low concern. The downside of performing qualitative evaluations is that you are not working with dollar values, so it is sometimes harder to communicate the results of the assessment to management.
One key asset is software. CISSP candidates should understand common issues related to software licensing. Because software vendors usually license their software rather than sell it, and license it for a number of users on a number of systems, software licenses must be accounted for by the purchasing organization. If users or systems exceed the licensed number, the organization can be held legally liable.
As we move into an age where software is being delivered over the Internet and not with media (CD), software asset management is an important concern.
Intellectual property rights issues have always been hard to enforce. Just consider the uproar that Napster caused years ago as the courts tried to work out issues of intellectual property and the rights of individuals to share music and files. The software industry has long dealt with this same issue. From the early days of computing, some individuals have been swapping, sharing, and illegally copying computer software. The unauthorized copying and sharing of software is considered software piracy, which is illegal. Many don’t think that the copy of that computer game you gave a friend is hurting anyone. But software piracy is big business, and accumulated loss to the property’s owners is staggering. According to a 2008 report on intellectual property to the United States Congress, in just one raid in June 2007, the FBI recovered more than two billion dollars worth of illegal Microsoft and Symantec software. Internationally, losses from illegal software are estimated to be in excess of $200 billion.
Microsoft and other companies are actively fighting to protect their property rights. Some organizations have formed the Software Protection Association, which is one of the primary bodies that work to enforce licensing agreements. The Business Software Alliance (BSA) and the Federation Against Software Theft are international groups targeting software piracy. These associations target organizations of all sizes from small, two-person companies to large multinationals.
Software companies are making clear in their licenses what a user can and cannot do with their software. As an example, Microsoft Windows XP allowed multiple transfers of licenses whereas Windows 8 and 10 have different transfer rules. As an example, Windows 8 allows only one transfer. The user license states, “The first user of the software may reassign the license to another device one time.” Some vendors even place limits on virtualization. License agreements can actually be distributed in several different ways, including the following:
Click-wrap license agreements—Found in many software products, these agreements require you to click through and agree to terms to install the software product. These are often called contracts of adhesion; they are “take it or leave it” propositions.
Master license agreements—Used by large companies that develop specific software solutions that specify how the customer can use the product.
Shrink-wrap license agreements—Created when software started to be sold commercially and named for the fact that breaking the shrink wrap signifies your acceptance of the license.
Even with licensing and increased policing activities by organizations such as the BSA, improved technologies make it increasingly easy to pirate software, music, books, and other types of intellectual property. These factors and the need to comply with two World Trade Organization (WTO) treaties led to the passage of the 1998 Digital Millennium Copyright Act (DMCA). Here are some salient highlights:
The DMCA makes it a crime to bypass or circumvent antipiracy measures built into commercial software products.
The DMCA outlaws the manufacture, sale, or distribution of any equipment or device that can be used for code-cracking or illegally copying software.
The DMCA provides exemptions from anti-circumvention provisions for libraries and educational institutions under certain circumstances; however, for those not covered by such exceptions, the act provides penalties up to $1,000,000 and 10 years in prison.
The DMCA provides Internet service providers exceptions from copyright infringement liability enabling transmission of information across the Internet.
The equipment lifecycle begins at the time equipment is requested to the end of its useful life or when it is discarded. The equipment lifecycle typically consist of four phases:
Acquisition and implementation
Operation and maintenance
Disposal and decommission
While some may think that much of the work is done once equipment has been acquired, that is far from the truth. There will need to be some established support functions. Routine maintenance is one important item. Without routine maintenance equipment will fail, and those costs can be calculated. Items to consider include:
Delayed or canceled orders
Cost of repair
Cost of rental equipment
Cost of emergency services
Cost to replace equipment or reload data
Cost to pay personnel to maintain the equipment
Technical support is another consideration. The longer a piece of equipment has been in use the more issues it may have. As an example, if you did a search for exploits for Windows 7 or Windows 10 which do you think would return more results? Most likely Windows 7. This all points to the need for more support the longer the resource has been in use.