Framework Category

Asset Management

Asset Management ensures that all organizational assets—hardware, software, systems, data, and third-party services—are identified, tracked, and managed throughout their lifecycle.

It supports effective cybersecurity by maintaining accurate inventories, understanding data flows, assigning responsibilities, and prioritizing assets based on their importance to the mission.

Implementation Questions

ID.AM-03

Representations of the organization's authorized network communication and internal and external network data flows are maintained

Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

Network baselines document normal communication patterns and data flows, enabling the detection of anomalies that could indicate security incidents. These baselines should include information about expected traffic volumes, protocols, source/destination pairs, and timing patterns for both wired and wireless networks.

Does your organization document and maintain baselines of expected communication patterns and data flows with third parties?

Establishing and maintaining baselines of communication and data flows with third parties helps detect anomalous activities that could indicate security incidents.

Does your organization maintain and document baseline communication and data flow patterns for all infrastructure-as-a-service (IaaS) environments?

Maintaining baselines of communication and data flows helps identify abnormal patterns that could indicate security incidents or unauthorized access within your IaaS environments. These baselines should document expected network traffic patterns, data transfer volumes, API calls, and service-to-service communications across your cloud infrastructure.

Does your organization maintain documentation of expected network ports, protocols, and services used among authorized systems?

This documentation serves as a baseline for normal network activity, allowing security teams to identify unauthorized or suspicious communications. It should include details such as port numbers, protocols (TCP/UDP), services (HTTP, SSH, etc.), and the systems that legitimately use them.
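A defender-side illustration of the two preceding items (a documented baseline of expected source/destination pairs, protocols, ports and volumes, checked against observed traffic). This is an added example, not code from ResponseHub or the framework; the zones, authorized flows and flow records are all constructed and the record format is a made-up NetFlow-like text line.

```python
"""Check observed network flows against a documented baseline (ID.AM-03)."""
import ipaddress
from collections import Counter

# Constructed zone map: baseline names -> address ranges documented for them.
ZONES = {
    "office-lan": ipaddress.ip_network("10.1.0.0/16"),
    "web-tier":   ipaddress.ip_network("10.2.0.0/24"),
    "db-tier":    ipaddress.ip_network("10.3.0.0/24"),
    "admin-jump": ipaddress.ip_network("10.9.5.10/32"),
}

# Constructed baseline: (src zone, dst zone, proto, dst port) -> (service, max flows per window)
AUTHORIZED_FLOWS = {
    ("office-lan", "web-tier", "tcp", 443):  ("https", 5000),
    ("web-tier", "db-tier", "tcp", 5432):    ("postgres", 500),
    ("admin-jump", "db-tier", "tcp", 22):    ("ssh", 20),
}

def zone_of(ip):
    """Map an address to its documented zone; anything undocumented is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flows(lines):
    """Return findings: flows absent from the baseline, and flows exceeding expected volume."""
    totals = Counter()
    findings = []
    for line in lines:
        _ts, src, dst, proto, port, count = line.split()
        key = (zone_of(src), zone_of(dst), proto.lower(), int(port))
        if key not in AUTHORIZED_FLOWS:          # pair/port/protocol never documented
            findings.append(("unauthorized_flow", src, dst, proto.lower(), int(port)))
            continue
        totals[key] += int(count)                 # accumulate volume per authorized flow
    for key, total in totals.items():
        service, max_flows = AUTHORIZED_FLOWS[key]
        if total > max_flows:                     # documented flow, but far above normal
            findings.append(("volume_anomaly", service, key, total, max_flows))
    return findings

# Constructed sample records: "<time> <src ip> <dst ip> <proto> <dst port> <flow count>"
SAMPLE_FLOWS = [
    "09:00 10.1.4.22 10.2.0.5 tcp 443 1200",
    "09:00 10.2.0.5 10.3.0.9 tcp 5432 310",
    "09:05 10.2.0.5 10.3.0.9 tcp 5432 260",   # pushes postgres past its expected 500
    "09:07 10.1.4.22 10.3.0.9 tcp 22 1",      # office host straight to the DB tier: not in baseline
    "09:08 10.9.5.10 10.3.0.9 tcp 22 3",
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```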

ID.AM-07

Inventories of data and corresponding metadata for designated data types are maintained

Does your organization maintain a documented inventory of designated data types of interest that require protection?

This item asks whether you know what data needs protecting: specifically, whether you maintain a documented inventory of the designated data types that warrant safeguarding. Examples include personally identifiable information (PII), protected health information (PHI), financial account data, intellectual property, and operational technology data.

Does your organization have a process to continuously discover and analyze ad hoc data to identify new instances of sensitive data types?

This item concerns continuous data discovery: assessors look for a process that keeps analyzing ad hoc data to surface new instances of sensitive data types. Continuous discovery helps prevent data sprawl and ensures that all sensitive information receives appropriate protection controls regardless of where it resides or when it was created.

Has your organization implemented a system for assigning data classifications to designated data types through tags or labels?

Data classification through tags or labels helps organizations identify and manage sensitive information according to its security requirements. By implementing a tagging system, you can ensure appropriate controls are applied based on data sensitivity levels (e.g., public, internal, confidential, restricted). This practice enables automated policy enforcement, simplifies compliance reporting, and helps prevent data leakage or mishandling.

Does your organization maintain a tracking system that records the provenance, data owner, and geolocation for all designated sensitive data types?

This item assesses sensitive-data tracking: whether you maintain visibility into the provenance, owner, and geolocation of every designated sensitive data type. Such tracking is essential for data governance and regulatory compliance (for example GDPR or CCPA), and it enables proper incident response when data breaches occur.

ID.AM-08

Systems, hardware, software, services, and data are managed throughout their life cycles

Has your organization implemented a Secure Development Lifecycle (SDL) that integrates cybersecurity considerations at each phase for all systems, hardware, software, and services?

A Secure Development Lifecycle ensures cybersecurity is built into products from requirements through deployment and maintenance, rather than added as an afterthought. This includes security requirements gathering, threat modeling during design, secure coding practices, security testing during development, and security validation before release. It also covers post-deployment security monitoring and update processes.

Has your organization integrated cybersecurity considerations into all phases of your product development lifecycle?

This item assesses security across the product lifecycle: whether cybersecurity is built into every phase from conception through retirement rather than added late. Effective integration includes security requirements gathering, threat modeling during design, secure coding practices during development, security testing before release, and vulnerability management post-deployment.

Does your organization have a process to identify and manage unauthorized or unapproved technology solutions (shadow IT) being used to meet business objectives?

Shadow IT refers to technology systems, software, devices, or services used within an organization without explicit IT department approval or knowledge. These unofficial solutions often emerge when employees seek to improve productivity or overcome limitations in approved tools. Examples include using personal cloud storage accounts for work files, unauthorized collaboration tools, or employee-developed applications.

Does your organization have a formal process to periodically identify and remove redundant systems, hardware, software, and services that could unnecessarily increase your attack surface?

Redundant or unnecessary systems and components expand your organization's attack surface, creating additional entry points for attackers while increasing maintenance overhead. These might include legacy systems no longer in active use, duplicate software installations, orphaned cloud resources, or services running without business justification.

Does your organization have a formal pre-deployment security hardening process for all systems, hardware, software, and services before they enter production?

This item concerns hardening before go-live: whether you run a formal pre-deployment security hardening process for systems, hardware, software, and services entering production.

Does your organization update asset inventories when systems, hardware, software, and services are moved or transferred internally?

Maintaining accurate asset inventories requires updating records whenever assets change location or ownership within the organization.

Does your organization have a documented process for securely destroying data according to your retention policy, including maintaining destruction records?

This item concerns secure disposal at the end of the data lifecycle: whether you destroy data per your retention policy using appropriate methods and keep destruction records. Proper data destruction prevents unauthorized access to sensitive information that is no longer needed and demonstrates compliance with data protection regulations like GDPR or CCPA.

Does your organization have a documented procedure for securely sanitizing data storage media before hardware is retired, decommissioned, reassigned, or sent for repairs?

Data sanitization ensures that sensitive information cannot be recovered from storage media when hardware leaves your control. Without proper sanitization, confidential data, credentials, or intellectual property could be exposed to unauthorized parties even after physical possession of the hardware changes.

Does your organization provide secure methods for destroying paper documents, storage media, and other physical forms of data storage?

Proper data destruction methods prevent unauthorized access to sensitive information that may remain on physical media after disposal. Organizations should have documented procedures for securely destroying different types of media including paper shredding, hard drive degaussing or physical destruction, and secure disposal of removable media like USB drives or backup tapes.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub