Asset Management Controls
Purpose
Bramble maintains an inventory of systems and technology assets from purchase through disposition, to ensure secured use, regardless of the asset’s location.
Scope
This control applies to all Bramble endpoint workstations as well as virtual assets within our hosting providers.
Ownership
- IT Operations owns the workstation assets portion of this control
- Infrastructure owns the system and service portions of this control
Controls
Control Number | Control Title | Control Statement | Goal | TOD | TOE |
---|---|---|---|---|---|
AST-04 | Network Diagrams & Data Flow Diagrams (DFDs) | Bramble Group Corp. has implemented mechanisms to maintain network architecture diagrams that: - Contain sufficient detail to assess the security of the network’s architecture; - Reflect the current state of the network environment; and - Document all sensitive data flows. | Does the organization maintain network architecture diagrams that: - Contain sufficient detail to assess the security of the network’s architecture; - Reflect the current state of the network environment; and - Document all sensitive data flows? | 1. Inspect formal policies, procedures or other relevant documentation to support the assessment of security against the network architecture and reflect the current state of the network environment and sensitive data flows. 2. Interview key organizational personnel within Bramble to discuss high level workflows that support the assessment of security against the network architecture and the documentation of the current state of the network environment and sensitive data flows. | 1. Examine relevant documentation and network diagrams to assess that sufficient detail is provided to outline the security of the network architecture. 2. Examine relevant policies and documentation against the network diagram to determine if it sufficiently defines the current state of the network environment and all sensitive data flows. |
AST-09 | Secure Disposal or Re-Use of Equipment | Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components. | Does the organization securely destroy media when it is no longer needed for business or legal reasons? | 1. Inspect formal policies, procedures or other relevant documentation that outline mechanisms used to securely destroy media when no longer needed for business or legal purposes. | 1. Examine data destruction policies, procedures and configurations for evidence that the procedures, policies and configurations facilitate implementation and adherence of media destruction when no longer needed for business or legal purposes. |
- Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness (TOE): used for verifying that the control is in place and it operates as it was designed.