
AST-01: Asset Governance

AST 10 — Critical Govern

Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.

Control Question: Does the organization facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls?

General (41)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.1-POF6 CC2.1-POF9 CC3.3-POF1 CC6.1-POF1 CC6.1-POF9
CIS CSC 8.1 1 2 2.1 2.2
CIS CSC 8.1 IG1 2.1 2.2
CIS CSC 8.1 IG2 1.3 2.1 2.2
CIS CSC 8.1 IG3 1.3 2.1 2.2
COBIT 2019 BAI09.01 BAI09.02 BAI09.03 BAI09.04 BAI09.05
CSA CCM 4 DCS-05
CSA IoT SCF 2 ASM-02
ENISA 2.0 SO15
IMO Maritime Cyber Risk Management 3.5.2.1
ISO 27002 2022 5.30 5.31 7.9
ISO 27017 2015 8.1 8.1.1
NAIC Insurance Data Security Model Law (MDL-668) 4.C(4)(b) 4.D(2)(b)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 2.0
NIST Privacy Framework 1.0 PR.DS-P3
NIST 800-37 R2 P-18
NIST 800-53 R4 PM-5
NIST 800-53 R5 (source) PM-5
NIST 800-53 R5 (NOC) (source) PM-5
NIST 800-161 R1 PM-5
NIST 800-161 R1 Flow Down PM-5
NIST 800-161 R1 Level 2 PM-5
NIST 800-161 R1 Level 3 PM-5
NIST 800-171 R2 (source) 3.4.1 3.8.3
NIST 800-171 R3 (source) 03.01.03 03.01.18.a 03.04.11.a 03.07.04.a
NIST 800-207 NIST Tenet 1 NIST Tenet 5
NIST CSF 2.0 (source) GV.SC-04 ID.AM ID.AM-08
PCI DSS 4.0.1 (source) 6.3.2 9.5.1 9.5.1.1 11.2 11.2.2
PCI DSS 4.0.1 SAQ A-EP (source) 6.3.2
PCI DSS 4.0.1 SAQ B (source) 9.5.1 9.5.1.1
PCI DSS 4.0.1 SAQ B-IP (source) 9.5.1 9.5.1.1
PCI DSS 4.0.1 SAQ C (source) 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ D Merchant (source) 6.3.2 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.3.2 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ P2PE (source) 9.5.1 9.5.1.1
Shared Assessments SIG 2025 D.1
TISAX ISA 6 3.1.3 5.3.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-01
SCF CORE ESP Level 1 Foundational AST-01
SCF CORE ESP Level 2 Critical Infrastructure AST-01
SCF CORE ESP Level 3 Advanced Threats AST-01
US (23)
Framework Mapping Values
US C2M2 2.1 ASSET-1.D.MIL2 ASSET-1.H.MIL3 ASSET-2.D.MIL2
US CERT RMM 1.2 ADM:SG1.SP1 ADM:SG3.SP2 TM:SG1.SP1
US CISA CPG 2022 1.A
US CMMC 2.0 Level 1 (source) MP.L1-B.1.VII
US CMMC 2.0 Level 2 (source) CM.L2-3.4.1 MP.L2-3.8.3
US CMMC 2.0 Level 3 (source) CM.L2-3.4.1 MP.L2-3.8.3
US CMS MARS-E 2.0 PM-5
US DoD Zero Trust Execution Roadmap 2.2
US DoD Zero Trust Reference Architecture 2.0 2.2.1
US DHS ZTCF APP-01 SYS-03
US FAR 52.204-21 52.204-21(b)(1)(vii)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(7)(ii)(E) 164.310(d)(1) 164.310(d)(2)(i)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(7)(ii)(E) 164.310(d)(1) 164.310(d)(2)(i)
US HIPAA HICP Small Practice 5.S.A
US HIPAA HICP Medium Practice 5.M.A
US HIPAA HICP Large Practice 5.M.A 2.L.A
US IRS 1075 PM-5
US ITAR Part 120 120.45
US NERC CIP 2024 (source) CIP-003-8 1.1 CIP-003-8 1.2.5 CIP-003-8 R2 CIP-011-3 1.2 CIP-011-3 R1
US NISPOM 2020 8-311
US NNPI (unclass) 1.2
US - NY DFS 23 NYCRR500 2023 Amd 2 500.13(a) 500.3(c)
US - TX DIR Control Standards 2.0 PM-5
EMEA (17)
APAC (8)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0285 ISM-0286 ISM-0289 ISM-0290 ISM-0591 ISM-1457 ISM-1480
APAC Australia Prudential Standard CPS234 21 21(c)
APAC India SEBI CSCRF GV.PO.S5
APAC Japan ISMAP 8.1.1.6.PB 11.2.6
APAC New Zealand HISF 2022 HHSP05 HHSP54 HML05 HML54 HMS12 HMS14 HSUP05 HSUP46
APAC New Zealand HISF Suppliers 2023 HSUP05 HSUP46
APAC New Zealand NZISM 3.6 8.4.9.C.01
APAC Singapore MAS TRM 2021 3.3.1 3.3.1(a) 3.3.1(d) 7.1.1 11.4.1 11.4.2 11.4.3
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 5.9
Americas Canada OSFI B-13 2.2 2.2.1 2.2.2 2.9.2
Americas Canada ITSP-10-171 03.01.03 03.01.18.A 03.04.11.A 03.07.04.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.

Level 1 — Performed Informally

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Asset inventories are performed in an ad hoc manner.
  • Software licensing is tracked as part of IT asset inventories.
  • Data/process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Technology assets are categorized according to data classification and business criticality.
  • Inventories cover technology assets in scope for statutory, regulatory and/or contractual compliance, which includes both physical and virtual assets.
  • Software licensing is tracked as part of IT asset inventories.
  • Users are educated on their responsibilities to protect technology assets assigned to them or under their supervision.
  • IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for asset management practices, within the broader scope of cybersecurity and data protection operations.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for asset management may be incorporated as part of a broader operational plan for the cybersecurity and data privacy program.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data. Compliance requirements for data backups are identified and documented.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including asset management. The steering committee establishes a clear and authoritative accountability structure for asset management operations.
  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • An ITAM function, or similar function, conducts ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • Anti-theft software is installed on laptops and mobile devices to track the removal of assets from facilities. If possible, alerting is enabled for sensitive/regulated assets.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
  • The Human Resources (HR) department ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices.
Level 4 — Quantitatively Controlled

Asset Management (AST) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. AST-01_A01 an authoritative source and repository are established to provide a trusted source and accountability for approved and implemented systems and system components.
  2. AST-01_A02 the frequency at which to review / update the system and system component inventory is defined.
  3. AST-01_A03 an inventory of systems and system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented.
  4. AST-01_A04 IT Asset Management (ITAM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  5. AST-01_A05 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support IT Asset Management (ITAM) operations.
  6. AST-01_A06 responsibility and authority for the performance of IT Asset Management (ITAM)-related activities are assigned to designated personnel.
  7. AST-01_A07 personnel performing IT Asset Management (ITAM)-related activities have the skills and knowledge needed to perform their assigned duties.
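The Level 3 criteria (an ITAM function maintaining an inventory of physical and virtual assets with owner assignments and "technical debt" reviews), the Level 4 KPI/KRI criteria and assessment objectives AST-01_A01 through A03 all come down to one recurring check: does the authoritative repository agree with what is actually on the network, and is every record owned, reviewed on schedule and still vendor-supported? The following is an added example written for this page, not SCF content or tooling. It assumes two exports from your own environment, the authoritative inventory (CMDB or ITAM repository) and a discovery feed (network scan, EDR agent list or cloud API), and the record layouts, hostnames and dates are constructed for illustration. It goes slightly beyond the text by treating old sightings as stale, so an asset whose only evidence of presence is weeks old is reported as unseen rather than silently counted as current.

```python
"""Reconcile an authoritative IT asset inventory against asset discovery data.

Added example, not SCF content. Inputs are assumed exports from a CMDB / ITAM
repository and from a discovery feed; all records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class InventoryRecord:
    asset_id: str
    hostname: str
    kind: str                     # "physical" or "virtual"
    owner: str                    # "" means no owner assigned
    classification: str           # data classification driving handling rules
    last_reviewed: date           # last time the owner verified the record
    support_end: Optional[date]   # vendor end-of-support date, None if open


@dataclass(frozen=True)
class Sighting:
    hostname: str
    source: str                   # discovery feed that observed the asset
    last_seen: date


@dataclass
class Reconciliation:
    unregistered: list            # seen by discovery, absent from inventory
    unseen: list                  # in inventory, no recent sighting
    unowned: list                 # inventory records with no owner
    review_overdue: list          # records not reviewed within the interval
    unsupported: list             # records past vendor end-of-support


# Constructed reference date so the sample data is deterministic.
TODAY = date(2025, 6, 30)


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    InventoryRecord("A-1001", "web-01", "virtual", "app-team", "restricted", days_ago(30), None),
    InventoryRecord("A-1002", "db-01", "virtual", "", "restricted", days_ago(120), None),
    InventoryRecord("A-1003", "fw-edge", "physical", "netops", "internal", days_ago(100), days_ago(200)),
    InventoryRecord("A-1004", "legacy-erp", "physical", "finance", "restricted", days_ago(5), None),
]

# Constructed discovery feed. legacy-erp was last seen 60 days ago; feeds
# disagree on hostname case, so comparison is case-insensitive.
SIGHTINGS = [
    Sighting("WEB-01", "scan", days_ago(1)),
    Sighting("db-01", "edr", days_ago(2)),
    Sighting("fw-edge", "scan", days_ago(1)),
    Sighting("build-agent-7", "cloud-api", days_ago(1)),
    Sighting("legacy-erp", "scan", days_ago(60)),
]


def fresh_hosts(sightings, today, stale_after_days):
    """Hostnames with a sighting recent enough to count as evidence of presence."""
    return {s.hostname.lower() for s in sightings
            if (today - s.last_seen).days <= stale_after_days}


def reconcile(inventory, sightings, today=TODAY,
              review_interval_days=90, stale_after_days=30):
    """Compare the authoritative inventory with discovery data (A01/A03, Level 3)."""
    by_host = {r.hostname.lower(): r for r in inventory}
    fresh = fresh_hosts(sightings, today, stale_after_days)
    return Reconciliation(
        unregistered=sorted(h for h in fresh if h not in by_host),
        unseen=sorted(r.asset_id for r in inventory if r.hostname.lower() not in fresh),
        unowned=sorted(r.asset_id for r in inventory if not r.owner.strip()),
        review_overdue=sorted(r.asset_id for r in inventory
                              if (today - r.last_reviewed).days > review_interval_days),
        unsupported=sorted(r.asset_id for r in inventory
                           if r.support_end is not None and r.support_end < today),
    )


def kpis(inventory, sightings, today=TODAY, review_interval_days=90, stale_after_days=30):
    """Coverage ratios of the kind a Level 4 metrics report would track (A02 for review cadence)."""
    r = reconcile(inventory, sightings, today, review_interval_days, stale_after_days)
    fresh = fresh_hosts(sightings, today, stale_after_days)
    total = len(inventory)
    return {
        "discovery_coverage": 1 - len(r.unregistered) / len(fresh) if fresh else 1.0,
        "ownership_coverage": 1 - len(r.unowned) / total,
        "review_compliance": 1 - len(r.review_overdue) / total,
        "supported_ratio": 1 - len(r.unsupported) / total,
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY, SIGHTINGS)
    for field, ids in vars(result).items():
        print(f"{field:15s} {ids}")
    for name, value in kpis(INVENTORY, SIGHTINGS).items():
        print(f"{name:20s} {value:.2f}")
```

Each list in the result is a finding for a different owner: unregistered hosts go to whoever runs discovery and onboarding (they are the shadow assets CIS Control 1 is about), unseen records are candidates for decommission or a physical check, unowned and review-overdue records go back to the ITAM function, and unsupported records feed the technical-debt review. The `stale_after_days` and `review_interval_days` parameters are where the organization's own defined review frequency (A02) is encoded; the values used here are assumptions, not SCF-mandated numbers.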

Evidence Requirements

E-AST-01 IT Asset Management (ITAM)

Documented evidence of an IT Asset Management (ITAM) program that addresses the due diligence and due care activities associated with maintaining both secure and compliant systems, applications and services.

Asset Management

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program

Small

  • IT Asset Management (ITAM) program

Medium

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Large

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Enterprise

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
