Lifecycle management: identifying existing assets
Understanding what assets are in your environment is a basic part of most security programmes. It's hard to be able to review your risks and apply effective controls if you don't know what's happening within your environment.
Keeping an up-to-date list of assets is harder than it seems, often organisations get pwned via systems they had forgotten, hadn’t decommissioned properly, or shadow IT systems set up by users unofficially.
Including existing assets in your lifecycle
Assets can be physical devices, or virtual. Both types of assets need to be managed appropriately, and there can be some different considerations for physical vs virtual assets. Once you have a lifecycle and procedures in place for managing assets, you can start including your existing ones and start turning your assets from unknown to recorded.
To identify the assets you have, you can start with performing network scans and a physical system asset inventory, previous purchase orders may help you in this task. Every asset you come across needs to have all the asset details recorded, or be removed and disposed of.
Maintenance of an asset list is an ongoing task. You may wish to consider techniques such as network scanning on a regular basis, to detect things that are not on your asset list. This could indicate that something has been deployed into your environment without following the correct processes, and should be investigated.
Auditing your existing assets
After you record the existing assets, you should check with the asset owners on their current hardening status. It might have been a while since the assets were deployed, and they may not have been previously hardened.
Sometimes your risk profile changes over time, and the configurations that were appropriate previously may no longer be the case.