There’s a common security adage that goes “You can’t protect what you don’t know,” and so it’s no surprise that an accurate and up-to-date Asset Inventory is critical to the operation of a Security Management program. The ISO/IEC guidance for implementing an ISMS, for example, recommends starting with “assets with their intrinsic vulnerabilities” as the foundation of your risk assessment; similarly, Asset Management is required in one form or another by SOC 2, HIPAA, and GDPR.
However, for growing companies, it can be painful or inefficient to run Asset Management effectively. This is because:
As a result of these difficulties, companies can find themselves with an incomplete inventory, racing to get evidence together for an audit, or worse - lacking the context to properly identify and mitigate risks or respond to disruptions and incidents.
We built Aptible Comply’s Asset Management system to address each of these pain points, automating the four main activities for Asset Management:
1. Automatically identifying new assets - Aptible Comply integrates with existing tools where you’re already managing assets - such as G Suite to identify people, or Single Sign-On providers like Okta to identify SaaS tools - to automatically identify and suggest additions to your Asset Inventory. Rather than finding out months later that a new system is in use at your organization that should have been tracked and managed in your inventory, you’ll instead receive a notification when Comply detects a new asset that is potentially in scope for your ISMS and may need to be added to your inventory.
2. Automatically identifying asset lifecycle events - Beyond just detecting new assets, Aptible Comply’s integrations can detect important changes to those assets that may trigger compliance events. For example, retiring an asset likely requires properly disposing of data, just as offboarding an employee should trigger an Access Control Review of the systems they used. Aptible Comply helps you stay on top of important changes to your assets, understand and act on your compliance requirements in the wake of those events, and create an audit log attached to the asset itself of all related compliance activities over its lifecycle.
3. Delegating to Responsible Parties - Compliance duties originating from asset lifecycle events and reviews are best managed by the individual or team with the most context about the asset itself. Aptible Comply empowers you to delegate workflows relating to asset lifecycle events and reviews to asset owners without having to leave the asset inventory. In turn, Comply surfaces all the relevant policies, procedures, definitions, and examples necessary for those asset owners to complete the work successfully. This results in a better and less disruptive experience for your asset owners while also ensuring you’re getting the data you need to protect your company’s most important systems.
4. Continuous status checks - Proper Asset Management shouldn’t be left to manual reviews only. Wherever possible, auditors prefer to see systems configured to enforce controls, such as multifactor authentication on critical assets or branch protection for sensitive code repositories. Aptible Comply integrates with your assets to perform status checks that ensure these policies are being enforced correctly, and surfaces exceptions that require your attention. This layer of continuous monitoring means you can rest easy between reviews, knowing that you’ll be notified if any of your controls are modified or removed for any reason.
In short, Aptible Comply’s Asset Management tool provides a central place for companies to align on what needs to be done around asset management, automating as much of the process as possible, and streamlining the rest. This lowers the barrier to completion without lowering the bar of security.
To see how Aptible Comply can automate your Asset Management, try it now!