This page supports policy statement 6.2 in the new Information Security Policy.
Summary of Policy Requirements
- Make sure every system has a System Custodian.
- Record important information about each system’s technical assets in an inventory.
How to Comply
Introduction
A technical asset is a physical or virtual component of a system, which can also be referred to as a configuration item. Virtual assets are part of the configuration of public or private cloud infrastructure. The custodian of a system is responsible for all the assets that are part of that system. Heads of department are responsible for appointing System Custodians outside UCL’s Information Services Division (ISD).
Controls
The main way to comply with the policy statement about technical asset management is to implement Appropriate Security Controls, the most important of which is the following baseline security control in the Configuration and Change Management category.
Control description
All systems/services/applications and constituent components are inventoried and maintained.
Control purpose or benefit
To enable effective vulnerability management, patching, lifecycle tracking, and incident response by ensuring that all assets are known, categorised, and monitored.
Control implementation and self assessment guidance
- Inventory is in place
- Inventory contains the following:
  - Last update timestamp for every component
  - OS name and OS version
  - Firmware version (not required for firewalls)
  - Software versions
  - Hardware revision and model
  - Hosting environment for all assets except end user devices. Examples include the following:
    - UCL cloud + location
    - Public cloud + location
    - UCL Datacentres
- IP address is statically configured (to support network vulnerability scanning)
- Details of the system/service/application API presented via AWS/Azure
- Details of the API directly presented by the system/service/application
- (Desirable but not essential) Virtual hardware, software and firmware configurations are tracked (e.g. Terraform code in GitHub) and continually validated
Good practice in ISD
The Configuration Management practice followed by ISD is also relevant. It is built on the configuration management database (CMDB) in UCL’s Enterprise Service Management (ESM) system, MyServices. ISD’s configuration management practice should be followed by System Custodians in ISD and may provide helpful guidance outside ISD. System Custodians outside ISD may also be able to use the MyServices CMDB; if that is of interest, please contact the MyServices platform team by creating a request in MyServices.
Note that some staff outside ISD might need to request access to the configuration management practice documentation, which can be done via SharePoint when access to a particular page or site has been denied.
Further questions
If you have any questions that haven't been answered by the information on this page, please don’t hesitate to ask the Information Security Group.
Policy statement
All technical assets must have a System Custodian, who must ensure that assets are identified and documented.
