Principle: A3 Asset Management
Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
This means obtaining a clear understanding of service dependencies in order to manage security risks to the network and to information systems supporting essential functions. Assets may include but are not limited to physical assets, software, data, essential staff and utilities. These should all be clearly identified and recorded, with records maintained so that it is possible to understand what things are important to the delivery of the essential function and why. Asset records should also be used to monitor the connection of assets across the network as well as to help facilitate an audit as part of your assurance function.
Policy
The following requirements are placed on government departments:
- Government organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.
- HM Treasury’s Managing Public Money document outlines the requirement for each public sector organisation to devise an appropriate asset management strategy defining how it acquires, maintains, tracks, deploys and disposes of the various kinds of assets it uses.
- Departments shall understand and maintain a record of internal IP ranges as a part of implementing an effective asset management regime. Where IP ranges relate to digital providers including cloud services, departments shall maintain an understanding of legitimate connections and monitor these appropriately.
This requirement originated in the 2018 Minimum Cyber Security Standard and has been retained due to its criticality in the protection of government systems and data.
Guidance
- Within the NCSC’s 10 steps to cyber security guidance, the Asset Management section looks at asset management holistically and at its integration into your organisation. It covers understanding your critical services and functions and identifying the associated data and technology dependencies so that their protection can be prioritised.
- The NCSC’s core Asset management guidance will help you define an effective asset management approach. It provides core security considerations, such as the asset’s classification and the availability of asset information, as well as tools and processes for ensuring that asset registers are continually updated to reflect the true state of the environment. It also provides data sources and scanning techniques that may be used to validate asset data and detect changes to the environment.
Further information
Further information can be found on the NCSC’s CAF Guidance webpage.