You are updating program requirements due to a shift in the use of technologies by vendors to enable hybrid work.
Which statement is LEAST likely to represent components of an Asset Management Program?
Correct Answer: D
Asset management is the process of identifying, tracking, and managing the physical and digital assets of an organization. An asset management program is a set of policies, procedures, and tools that help to ensure the optimal use, security, and disposal of assets. According to the Shared Assessments CTPRP Study Guide [1], an asset management program should include the following components:
* Asset inventories: A comprehensive and accurate list of all assets owned, leased, or used by the organization, including hardware, software, data, and services. Asset inventories should include connections to external parties, networks, or systems that process data, as this may introduce additional risks and dependencies [1][2].
* Asset owners: A clear assignment of roles and responsibilities for each asset, including an organizational owner who is accountable for the asset throughout its life cycle. Asset owners should ensure that assets are properly maintained, updated, secured, and disposed of in accordance with the organization's policies and standards [1][3].
* Asset classification: A consistent and objective method of categorizing assets based on their criticality or data sensitivity. Asset classification helps to determine the appropriate level of protection, monitoring, and testing for each asset, as well as the potential impact of asset loss or compromise [1].
* Asset controls: A set of measures and mechanisms that help to safeguard assets from unauthorized access, use, modification, disclosure, or destruction. Asset controls may include physical, technical, administrative, or contractual means, such as locks, encryption, passwords, policies, or agreements [1].
The statement that is least likely to represent a component of an asset management program is D. Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines. This statement describes a supply chain management function, not an asset management function. Supply chain management is the process of planning, coordinating, and controlling the flow of materials, information, and services from suppliers to customers. Supply chain management may involve some aspects of asset management, such as inventory control, quality assurance, or vendor risk management, but it is not the same as asset management. Asset management focuses on the assets that the organization owns or uses, not the assets that the organization produces or delivers.
References:
* 1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide.
* 2: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO03 Manage enterprise architecture.
* 3: ISO. (2018). ISO/IEC 27001:2018 Information technology - Security techniques - Information security management systems - Requirements. Clause 8.1.2 Asset management roles and responsibilities.
* NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. RA-2 Security Categorization.
* NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. CM-8 Information System Component Inventory.
* APICS. (2018). APICS Dictionary, 16th edition. Supply chain management.
* ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO13 Manage security.