Things to Watch

Asset management can be difficult because there are typically at least two different asset registers in any organisation. The financial asset register has a de minimis threshold (usually around £500 per item) below which assets are not recorded at all. The finance register is more concerned with matching invoices to deliveries and will record entries such as "50 PCs delivered" rather than individual assets. The IT Department will typically run its own asset register and may have an automated asset management system that can identify exactly which pieces of equipment are attached to the corporate IT infrastructure. Each PC is often given its own 'identity' so that the Help Desk process can be managed effectively. There are often items on the IT asset register that do not appear on the Finance register, and the two are rarely reconciled - the Auditor will check how this process is managed and controlled.

In addition to these two registers there may be a software register, held to ensure that the licensing requirements in Clause 15.1.2 are met - this may be another automated process, but often it is not. The Auditor will check that appropriate registers are held. There are rarely any records of the information held by the organisation - the Auditor will want to identify this information to ensure that it is appropriately classified and protected.

Few organisations understand the concept of individual business managers being asset owners who are responsible and accountable for the assets they own. Owners are usually unaware that they are required to define backup processes based on the business criticality of the information, to decide the access rights and privileges permitted to business users, and to take responsibility for business continuity planning for 'their' systems. They usually think this happens by magic and is part of the IT Department's responsibilities - it isn't - although the IT Department may have done some of these tasks by default.

Typically an Auditor will ask an information owner what their responsibilities are - if the owner does not know, how can anyone ensure that appropriate security is in place for 'their' assets? Classification and marking schemes are always difficult to implement unless the organisation embeds security in its culture, just as many organisations do with Health and Safety. The Auditor will typically check desks for unattended confidential material and ensure that highly classified documents are appropriately marked and handled. All staff in any organisation need to know the rules for these processes, understand them and comply with them. Typically the Auditor will ask a random sample of Auditees about the processes.
The Security Practitioner: An Introduction to Information Security