Identify, classify and risk assess all your hardware and software assets.
Options to consider:
- Conduct periodic physical checks (floor to book exercises) to ensure the accuracy of the hardware asset inventory.
- Use asset discovery tools to help you identify all assets within the network.
- Put processes in place to capture new assets you acquire.
- Assign ownership for each individual asset.
- Apply appropriate security classifications based on the sensitivity of the information you are processing.
- Keep records to show that you review both the inventories themselves and the risks associated with the assets on a periodic basis.
- Train owners on how to risk assess hardware and software assets.
- Create a checklist for staff to follow when they review asset inventories.
- Identify your critical assets and suppliers and any interdependencies.
Keep records showing secure disposal of hardware assets (eg destruction logs and certificates).
Options to consider:
- Wipe, degauss or securely destroy hardware that contains personal information.
- Document the procedure for the secure disposal of assets.
- Maintain evidence of management approval and sign-off prior to disposing of assets.
- Store hardware assets awaiting destruction in a locked area with limited access.
- Keep a destruction log which details all hardware assets that are destroyed.
- Obtain certificates from third parties who securely destroy hardware assets on your behalf.
- Conduct internal audits to check you follow the correct process for disposal.
- Carry out due diligence checks or audits on third parties to assess whether they maintain the security of hardware assets during the disposal process.