OBJECTIVE 4.2

Explain the security implications of proper hardware, software, and data asset management

You can’t protect what you don’t know about. Asset management is the foundation of every other security operation — vulnerability management, patching, incident response, and access control all depend on knowing what assets exist and their state.

Asset Inventory

Hardware Assets

  • Servers, workstations, laptops, mobile devices, network equipment
  • IoT devices, printers, cameras, HVAC controllers
  • Removable media, external drives, USB devices
  • Challenge: Shadow IT — devices connected to the network without IT knowledge

Software Assets

  • Operating systems and versions, installed applications, libraries and dependencies
  • Licensed vs. unlicensed software (compliance and legal risk)
  • SaaS applications in use (sanctioned and unsanctioned)

Data Assets

  • Databases, file shares, cloud storage, email archives
  • Classified by sensitivity level (public, internal, confidential, restricted)
  • Data owners assigned for each asset

Enumeration and Classification

  • Automated discovery tools for network-connected assets
  • CMDB (Configuration Management Database) as the central record
  • Each asset tagged with: owner, classification, location, criticality, lifecycle stage

Acquisition and Procurement

Secure Procurement

  • Purchase from authorized/trusted vendors only
  • Verify hardware integrity (tamper-evident packaging, supply chain verification)
  • Evaluate software security before deployment (software composition analysis (SCA), vendor security assessment)

Standardization

  • Approved hardware models and software versions reduce attack surface variety
  • Standard builds/images ensure consistent security baselines
  • Deviation from standards requires security review and approval

Assignment and Accounting

Ownership

Every asset must have an assigned owner responsible for its security.

  • Hardware: assigned to individual users or departments
  • Software: licensed and tracked
  • Data: classified with a data owner who makes access decisions

Tracking

  • Asset tags (physical and logical), serial numbers
  • Check-in/check-out procedures for mobile and shared assets
  • Geolocation tracking for mobile devices (MDM)

Asset Type Taxonomy

Type | Who Owns | Who Manages | Security Considerations
Company-owned | Organization | IT/security team | Full control. Baseline, harden, encrypt, monitor, patch.
Leased | Lessor (vendor) | IT manages during lease | Must return in agreed condition. Data sanitization before return is critical — don’t send back a laptop with company data.
BYOD (Bring Your Own Device) | Employee | Partial (MDM container) | Limited control. Containerize corporate data. Can’t enforce full-disk encryption on personal device. Remote wipe limited to corporate container.
COPE (Corporate Owned, Personally Enabled) | Organization | IT (MDM) | Full control with personal use allowed. Best balance of security and employee satisfaction.

Change of Custody Procedures

When an asset changes hands (reassignment, repair, decommission):

  • Document the transfer: Who had it, who receives it, when, why
  • Data handling: Wipe/sanitize before reassignment. User profiles from previous assignee must not be accessible.
  • Access revocation: Remove previous user’s credentials, accounts, certificates from the device
  • Inventory update: CMDB reflects the new custodian immediately
  • Condition assessment: Document the state of the asset at transfer (damage, wear, configuration)
  • Chain of custody for evidence: If the device is relevant to an investigation, full forensic chain of custody applies (see 4.8)

Data Retention

Retention Policies by Regulation

Regulation/Standard | Retention Period | What’s Retained
PCI-DSS | 1 year minimum (audit logs) | Cardholder data environment logs, access records
SOX | 7 years | Financial records, audit workpapers, communications related to financial reporting
HIPAA | 6 years | PHI documentation, policies, risk assessments, training records
GDPR | No longer than necessary (purpose limitation) | Personal data — must delete when purpose is fulfilled
FERPA | Varies by record type | Student education records — permanent for some, 5 years for others
SEC Rule 17a-4 | 6 years (first 2 accessible) | Broker-dealer communications, trade records

Key Retention Concepts

  • Minimum retention: Hold at least this long (regulatory requirement)
  • Maximum retention: Delete after this point (GDPR storage limitation, litigation risk from holding data too long)
  • Legal hold overrides: Retention schedules are suspended for data subject to litigation hold (see 4.8)
  • Backup retention: Applies to backups too — a backup containing data past its retention period is a compliance violation
  • Destruction verification: When retention expires, confirm data was actually destroyed across all copies including backups
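The minimum/maximum/legal-hold logic above, worked through as an added example (not part of the original notes). The retention periods are the ones from the table above; the record format, the `evaluate`/`overdue` helpers and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum retention periods (years) taken from the regulation table above.
MIN_YEARS = {"PCI-DSS": 1, "SOX": 7, "HIPAA": 6}

@dataclass
class Record:
    record_id: str
    regulation: str                        # key of MIN_YEARS, or "GDPR"
    created: date
    copies: tuple                          # every location still holding the data, backups included
    legal_hold: bool = False
    purpose_ended: Optional[date] = None   # GDPR only: when the processing purpose was fulfilled

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                     # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def evaluate(rec: Record, today: date) -> dict:
    """Decide what the retention schedule requires for one record on a given day."""
    out = {"id": rec.record_id, "copies": list(rec.copies)}
    if rec.legal_hold:
        # A litigation hold suspends the schedule: nothing is deleted while it stands.
        return {**out, "action": "hold"}
    if rec.regulation == "GDPR":
        # Storage limitation is a ceiling: once the purpose is fulfilled, every copy must go.
        if rec.purpose_ended is None or today < rec.purpose_ended:
            return {**out, "action": "retain"}
        return {**out, "action": "delete_all_copies"}
    floor = add_years(rec.created, MIN_YEARS[rec.regulation])   # regulatory minimum
    if today < floor:
        return {**out, "action": "retain", "until": floor}
    return {**out, "action": "eligible_for_deletion"}

def overdue(records, today: date) -> list:
    """Records that should already be gone but still have copies (backups count too)."""
    return [r["id"] for r in (evaluate(x, today) for x in records)
            if r["action"] == "delete_all_copies" and r["copies"]]

# Constructed sample records (hypothetical ids and locations).
SAMPLE = [
    Record("pci-log-2023", "PCI-DSS", date(2023, 6, 1), ("siem", "backup-2023")),
    Record("sox-2020", "SOX", date(2020, 3, 31), ("erp",)),
    Record("hipaa-2017", "HIPAA", date(2017, 1, 1), ("ehr",), legal_hold=True),
    Record("gdpr-cust-44", "GDPR", date(2022, 2, 1), ("crm", "backup-2024-10"),
           purpose_ended=date(2024, 9, 30)),
]
```

Note that the HIPAA record is past its 6-year floor yet still reports `hold`, and the GDPR record is flagged by `overdue` because a backup copy survived past the purpose end.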

Monitoring

Usage Monitoring

  • Software license compliance (overuse = legal risk, underuse = waste)
  • Hardware utilization (underutilized assets may be candidates for decommission)
  • Data access patterns (who’s accessing what, when)

State Monitoring

  • Patch level and vulnerability status
  • Configuration drift from baseline
  • End-of-life/end-of-support status tracking

Media Sanitization

When storage media is reused, donated, or disposed of, data must be irrecoverably removed.

Methods (in order of increasing assurance)

  • Clear: Overwriting with zeros/patterns. Protects against basic recovery tools. Sufficient for internal reuse.
  • Purge: More thorough — cryptographic erase, block erase (SSD), or degaussing (magnetic media). Protects against laboratory recovery. Suitable for leaving organizational control.
  • Destroy: Physical destruction — shredding, incineration, disintegration, melting. Highest assurance. Required for highest-sensitivity data.

Documentation and Standards

  • Certificate of sanitization/destruction for compliance audits
  • Chain of custody maintained until destruction is confirmed
  • NIST SP 800-88 (Guidelines for Media Sanitization): The authoritative standard for media sanitization
    • Defines Clear, Purge, and Destroy categories (see above)
    • Decision flow based on data sensitivity and media reuse intent
    • Requires verification after sanitization (attempt to read the media to confirm data is irrecoverable)
    • Specifies that sanitization methods vary by media type — what works for HDD doesn’t work for SSD
    • Exam tip: If a question asks about the standard for secure media disposal, the answer is NIST 800-88

SSD Considerations

Traditional overwriting doesn’t reliably work on SSDs due to wear leveling. Use:

  • Manufacturer’s secure erase command
  • Cryptographic erase (destroy the encryption key)
  • Physical destruction for highest assurance
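The Clear method together with the SP 800-88 verification step, as an added file-level example (not code from the original notes): overwrite the allocated bytes with zeros, force them to the device, then read everything back to confirm nothing non-zero remains. The `clear_and_verify` and `demo` helpers and the sample content are constructed for illustration.

```python
import os
import tempfile

def clear_and_verify(path: str, block: int = 4096) -> dict:
    """Clear: overwrite a file's allocated bytes with zeros, flush to disk, then
    verify by reading every byte back (the SP 800-88 verification step).
    Caveat: this only reaches the file's current blocks. On an SSD, wear leveling
    may have remapped earlier copies to blocks this write never touches, which is
    why the notes above prescribe secure erase or cryptographic erase for SSDs."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:           # r+b overwrites in place instead of reallocating
        for off in range(0, size, block):
            f.seek(off)
            f.write(b"\x00" * min(block, size - off))
        f.flush()
        os.fsync(f.fileno())               # make sure the zeros reached the device, not just cache
    with open(path, "rb") as f:
        residual = sum(1 for b in f.read() if b != 0)
    return {"bytes": size, "residual_nonzero": residual, "verified": residual == 0}

def demo() -> dict:
    """Constructed run: create a file with placeholder sensitive content, clear it, verify."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SAMPLE-SENSITIVE-RECORD-0001\n" * 1000)  # constructed, not real data
    os.close(fd)
    try:
        return clear_and_verify(path)
    finally:
        os.remove(path)                    # disposal step: the cleared file is then removed
```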

Asset Disposal and Decommissioning

  • Remove from network and all management systems
  • Revoke all access credentials and certificates
  • Sanitize or destroy storage media
  • Update asset inventory and CMDB
  • Return leased equipment according to vendor procedures
  • Risk: Forgotten assets that are decommissioned from use but not from the network continue to run unpatched
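A reconciliation check that serves both the Enumeration and Classification section and the decommissioning risk above, added here as an example (not code from the original notes): compare a discovery snapshot against the CMDB to surface unmanaged devices (shadow IT), items marked decommissioned that are still answering on the network, records missing required tags, and active items that discovery cannot see. The CMDB extract, the discovery snapshot and the `reconcile` helper are constructed for illustration.

```python
# Tags the notes require on every asset: owner, classification, location, criticality, lifecycle stage.
REQUIRED_TAGS = ("owner", "classification", "location", "criticality", "lifecycle")

# Constructed CMDB extract, one configuration item per MAC address.
CMDB = {
    "aa:bb:cc:00:00:01": {"name": "fs01", "owner": "it-ops", "classification": "confidential",
                          "location": "dc1", "criticality": "high", "lifecycle": "active"},
    "aa:bb:cc:00:00:02": {"name": "old-web", "owner": "web-team", "classification": "internal",
                          "location": "dc1", "criticality": "low", "lifecycle": "decommissioned"},
    "aa:bb:cc:00:00:03": {"name": "lab-pi", "owner": "", "classification": "internal",
                          "location": "", "criticality": "low", "lifecycle": "active"},
    "aa:bb:cc:00:00:04": {"name": "hr-laptop-07", "owner": "hr", "classification": "confidential",
                          "location": "hq", "criticality": "medium", "lifecycle": "active"},
}

# Constructed discovery snapshot: what an automated scan or ARP table reports right now.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "hostname": "fs01"},
    {"ip": "10.0.1.20", "mac": "aa:bb:cc:00:00:02", "hostname": "old-web"},
    {"ip": "10.0.1.30", "mac": "aa:bb:cc:00:00:03", "hostname": "lab-pi"},
    {"ip": "10.0.1.77", "mac": "de:ad:be:ef:00:01", "hostname": "camera-lobby"},
]

def reconcile(cmdb: dict, discovered: list) -> dict:
    """Return the inventory gaps between what is recorded and what is actually on the network."""
    seen = {d["mac"] for d in discovered}
    report = {"unmanaged": [], "ghosts": [], "incomplete": [], "not_seen": []}
    for d in discovered:
        item = cmdb.get(d["mac"])
        if item is None:
            # On the network, not in the record: shadow IT, unpatched and unmonitored.
            report["unmanaged"].append(d["hostname"] or d["ip"])
        elif item["lifecycle"] == "decommissioned":
            # Decommissioned on paper but still running: the risk named above.
            report["ghosts"].append(item["name"])
    for mac, item in cmdb.items():
        gaps = [t for t in REQUIRED_TAGS if not item.get(t)]
        if gaps:
            report["incomplete"].append((item["name"], gaps))
        if item["lifecycle"] == "active" and mac not in seen:
            # Recorded as active but not observed: offline, off-site, or the record is stale.
            report["not_seen"].append(item["name"])
    return report
```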

Offensive Context

Asset inventory gaps are attacker opportunity. Unmanaged devices don’t get patched, monitored, or hardened. Shadow IT creates unmonitored attack surface. Improper media disposal has led to high-profile data breaches — hard drives from decommissioned servers appearing on eBay with recoverable data. An attacker performing reconnaissance is building their own version of your asset inventory — and they’re often more thorough than the organization’s.