Cyber Risk Guy

IDENTIFY: Asset Management (ID.AM)

Discovering, cataloging, and managing cybersecurity assets in startup environments using NIST CSF 2.0 framework.

Author
David McDonald
Read Time
16 min
Published
August 8, 2025
Updated
August 8, 2025
COURSES AND TUTORIALS

Learning Objectives

By the end of this lesson, you will be able to:

  • Identify and catalog all cybersecurity-relevant assets in your startup environment
  • Implement lightweight asset management processes that provide visibility without bureaucracy
  • Establish clear asset ownership and accountability throughout your organization
  • Create asset lifecycle management that scales with startup growth
  • Build asset inventories that support risk assessment and security decision-making

Introduction: You Can’t Protect What You Don’t Know You Have

The first rule of cybersecurity is simple: you can’t protect what you don’t know exists. Yet most startups have only a vague idea of their actual asset inventory. They know about their main servers and applications, but what about that staging environment someone spun up last month? Or the shared Google Drive with customer data? Or the GitHub repository with API keys in the commit history?

Startups face unique asset management challenges. Your infrastructure changes constantly. New tools get adopted without formal approval. Shadow IT flourishes in the name of productivity. Remote work means assets are distributed across home offices and coffee shops.

This lesson shows you how to gain visibility into your real asset landscape and maintain that visibility as you grow, without creating bureaucratic overhead that slows down your business.

Understanding ID.AM: Asset Management

NIST CSF 2.0 ID.AM Outcomes

ID.AM-01: Inventories of hardware managed by the organization are maintained

ID.AM-02: Inventories of software and services managed by the organization are maintained

ID.AM-03: Representation of the organization’s authorized network communication and internal network flows is maintained

ID.AM-04: Inventories of services provided by suppliers that are part of the supply chain are maintained

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and business functions

ID.AM-06: Inventories include cybersecurity and privacy control implementation and configuration information

ID.AM-07: Inventories are updated and reviewed as part of a risk management process

Startup Asset Categories

Physical Assets:

  • Employee devices (laptops, phones, tablets)
  • Office infrastructure (routers, printers, IoT devices)
  • Servers and networking equipment (if on-premises)
  • Mobile devices and wearables
  • Development hardware and test equipment

Digital Assets:

  • Source code and intellectual property
  • Customer data and business records
  • Configuration data and system credentials
  • Digital certificates and cryptographic keys
  • Backup data and archived information

Cloud Assets:

  • Virtual machines and containers
  • Cloud storage and databases
  • SaaS application instances and configurations
  • API endpoints and microservices
  • Cloud networking and security groups

Information Assets:

  • Customer lists and business contacts
  • Financial records and transaction data
  • Employee information and HR records
  • Business plans and strategic documents
  • Legal contracts and compliance records

Service Assets:

  • Third-party SaaS applications
  • Cloud infrastructure services
  • Managed security services
  • Development and collaboration tools
  • Communication and productivity platforms

Building Your Asset Inventory

Phase 1: Discovery and Initial Cataloging

Week 1: Automated Discovery

Use automated tools to identify the obvious assets:

Network Discovery:

```bash
# Basic network scanning (use carefully and only on your own networks)
nmap -sn 192.168.1.0/24  # Ping sweep: list live hosts on the subnet without port scanning
sudo arp-scan -l         # ARP-probe the local segment; needs raw socket access, hence sudo
```

Cloud Asset Discovery:

  • AWS: Use AWS Config or AWS Systems Manager Inventory
  • Google Cloud: Use Cloud Asset Inventory API
  • Azure: Use Azure Resource Manager and Azure Graph
  • Multi-cloud: Tools like CloudQuery or Steampipe

SaaS Discovery:

  • Review company credit card statements for SaaS subscriptions
  • Check Google Workspace or Office 365 admin panels for connected apps
  • Use tools like Zylo, Intello, or BetterCloud for SaaS discovery
  • Review single sign-on (SSO) provider for connected applications

Code and Repository Discovery:

  • GitHub, GitLab, Bitbucket organization inventories
  • Check for personal repositories with company code
  • Docker registries and container repositories
  • Package manager accounts (npm, pip, Maven)

Week 2: Manual Investigation

Discover the assets automation missed:

Interview Key Personnel:

  • Developers about development environments and tools
  • Operations about infrastructure and monitoring tools
  • Sales/Marketing about CRM and marketing automation
  • Finance about accounting and payment processing
  • HR about employee management and benefits platforms

Shadow IT Investigation:

  • Review browser bookmarks on company devices
  • Check productivity tool usage (Notion, Airtable, etc.)
  • Identify file sharing services in use
  • Review mobile device app installations

Data Flow Mapping:

  • Trace customer data through your systems
  • Identify where sensitive data gets stored
  • Map data backup and disaster recovery assets
  • Locate configuration files with credentials

Asset Inventory Template

# Asset Inventory - [Date]

## Physical Assets
| Asset ID | Type | Owner | Location | Criticality | Last Updated |
|----------|------|-------|----------|-------------|--------------|
| PHY001 | MacBook Pro | John Smith | Remote | High | 2024-01-15 |
| PHY002 | Office Router | IT Admin | Office | Medium | 2024-01-10 |

## Cloud Infrastructure
| Asset ID | Service | Provider | Environment | Owner | Criticality |
|----------|---------|----------|-------------|-------|-------------|
| CLD001 | EC2 Instance | AWS | Production | DevOps Team | Critical |
| CLD002 | RDS Database | AWS | Production | Backend Team | Critical |

## Applications & Services
| Asset ID | Application | Type | Environment | Data Classification | Owner |
|----------|-------------|------|-------------|-------------------|-------|
| APP001 | Customer Portal | Web App | Production | Confidential | Product Team |
| APP002 | Internal CRM | SaaS | Production | Internal | Sales Team |

## Data Assets
| Asset ID | Data Type | Location | Classification | Retention | Owner |
|----------|-----------|----------|----------------|-----------|-------|
| DAT001 | Customer Records | Database | Confidential | 7 years | Legal Team |
| DAT002 | Source Code | GitHub | Proprietary | Indefinite | Engineering |

## Third-Party Services
| Asset ID | Service Name | Vendor | Data Access | Contract End | Owner |
|----------|-------------|---------|-------------|--------------|-------|
| SRV001 | Slack | Slack Technologies | Internal Comms | Annual | IT Admin |
| SRV002 | Stripe | Stripe Inc | Payment Data | Monthly | Finance |

Asset Classification Framework

Criticality Levels:

Critical (Tier 1):

  • Business cannot operate without this asset
  • Compromise would cause significant financial loss
  • Contains sensitive customer or business data
  • Required for regulatory compliance

Examples: Production databases, payment systems, customer-facing applications

Important (Tier 2):

  • Business operations would be significantly impacted
  • Compromise would cause moderate financial loss
  • Contains internal business information
  • Supports critical business processes

Examples: Development environments, internal tools, backup systems

Standard (Tier 3):

  • Business operations would be minimally impacted
  • Compromise would cause limited financial loss
  • Contains general business information
  • Supports non-critical business processes

Examples: Testing systems, marketing tools, archived data

Low (Tier 4):

  • Business operations would not be significantly affected
  • Minimal financial impact from compromise
  • Contains public or non-sensitive information
  • Nice-to-have but not essential

Examples: Demo systems, documentation sites, public marketing materials

Data Classification:

Restricted:

  • Customer personal information and payment data
  • Employee personal and financial information
  • Proprietary source code and trade secrets
  • Legal documents and contracts

Confidential:

  • Internal business plans and strategies
  • Customer lists and business intelligence
  • Financial reports and budgets
  • Employee directories and org charts

Internal:

  • Company policies and procedures
  • Project plans and status reports
  • Internal communications and documents
  • Non-public business information

Public:

  • Marketing materials and website content
  • Press releases and public announcements
  • Open source code and documentation
  • Public financial reports and statements

Implementing Asset Management Processes

Lightweight Asset Management Workflow

New Asset Onboarding:

  1. Discovery: New asset identified through automated scanning or manual reporting
  2. Registration: Asset details captured in inventory system
  3. Classification: Criticality and data classification assigned
  4. Ownership: Asset owner and responsible team identified
  5. Security: Basic security controls and monitoring configured
  6. Documentation: Asset documented and stakeholders notified

Regular Asset Review:

  • Daily: Automated asset discovery scans
  • Weekly: New asset processing and updates
  • Monthly: Asset owner verification and updates
  • Quarterly: Comprehensive asset review and cleanup

Asset Lifecycle Management:

  • Deployment: Security configuration and monitoring setup
  • Operation: Regular updates, monitoring, and maintenance
  • Modification: Change management and security review
  • Decommissioning: Secure data removal and asset disposal

Asset Owner Responsibilities

Asset Owner Definition: The person responsible for the business function the asset supports and its security posture.

Primary Responsibilities:

  • Maintenance: Keep asset information current and accurate
  • Security: Ensure appropriate security controls are implemented
  • Access: Manage who has access to the asset and data
  • Compliance: Ensure asset meets regulatory and policy requirements
  • Lifecycle: Plan for asset updates, changes, and eventual retirement

Asset Owner Assignment Matrix:

| Asset Type | Typical Owner | Backup Owner |
|------------|---------------|--------------|
| Production Systems | Engineering Lead | CTO |
| Customer Data | Product Manager | Legal/Privacy |
| Employee Devices | IT Admin | Office Manager |
| Business Applications | Department Head | Operations |
| Financial Systems | CFO | Finance Manager |
| Development Tools | Engineering Team | DevOps Lead |

Asset Management Tools and Automation

Startup-Friendly Tools:

Free/Open Source:

  • Network Discovery: Nmap, arp-scan, Lansweeper Free
  • Cloud Inventory: Native cloud tools (AWS Config, GCP Asset Inventory)
  • Documentation: Notion, Confluence, GitHub wikis
  • Spreadsheet Management: Google Sheets, Airtable

Commercial Solutions:

  • Lightweight: Device42, Lansweeper, ManageEngine AssetExplorer
  • Comprehensive: ServiceNow, Flexera, Snow Software
  • Cloud-focused: CloudHealth, CloudCheckr, Densify

Security-Integrated:

  • Vulnerability Management: Qualys VMDR, Rapid7 InsightVM, Tenable.io
  • CSPM (Cloud Security): Prisma Cloud, CloudGuard, Orca Security
  • SIEM Integration: Splunk, Elastic Security, Microsoft Sentinel

Automation Approaches:

Basic Automation (0-25 employees):

  • Scheduled network scans with email alerts
  • Cloud provider native inventory tools
  • Spreadsheet templates with automated formulas
  • Simple scripts for common discovery tasks

Intermediate Automation (25-100 employees):

  • Asset discovery tools with dashboard reporting
  • API integration between cloud services and inventory
  • Automated asset labeling and classification
  • Integration with configuration management tools

Advanced Automation (100+ employees):

  • Comprehensive CMDB with automated discovery
  • Integration with ITSM and security tools
  • Automated compliance and vulnerability reporting
  • Machine learning for asset classification and risk scoring

Network Architecture and Data Flow Mapping

Network Communication Mapping

Purpose: Understanding authorized network communication helps identify unauthorized connections, plan security controls, and respond to incidents effectively.

Startup Network Mapping Approach:

Phase 1: High-Level Architecture

```mermaid
graph TD
    A[Users] --> B[Load Balancer]
    B --> C[Web Servers]
    C --> D[Application Servers]
    D --> E[Database Servers]

    F[Employees] --> G[VPN Gateway]
    G --> H[Internal Network]
    H --> I[File Servers]
    H --> J[Development Environment]
```

Phase 2: Detailed Flow Documentation

| Source | Destination | Protocol/Port | Purpose | Authorized |
|--------|-------------|---------------|---------|------------|
| Internet | Load Balancer | HTTPS/443 | Customer traffic | Yes |
| Web Server | Database | MySQL/3306 | Application data | Yes |
| Employees | GitHub | HTTPS/443 | Code repository | Yes |
| Internal | AWS S3 | HTTPS/443 | File storage | Yes |

Phase 3: Security Control Mapping

| Communication Flow | Security Controls | Monitoring |
|--------------------|-------------------|------------|
| Internet → Web | WAF, DDoS protection | CloudFlare logs |
| Internal → Database | Network segmentation, encryption | Database audit logs |
| Employee → VPN | Multi-factor auth, certificates | VPN connection logs |
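The authorized-flow table above is only useful if something compares it against what actually crosses the network. The following is an added example (not code from the original lesson) that turns the Phase 2 table into a zone-to-zone baseline and flags connection-log entries that are not on it. The zone CIDRs, the log format and the log lines are constructed for illustration; GitHub and AWS S3 are collapsed into a generic "Internet" destination.

```python
"""Audit observed flows against the authorized-flow baseline (ID.AM-03).

Added example, not part of the original lesson. Zone ranges, log format and
log lines are constructed for illustration.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed zone map: which address ranges play which role in the flow table.
# Anything matching no range is treated as "Internet".
ZONES = [
    ("Load Balancer", ipaddress.ip_network("10.0.0.0/24")),
    ("Web Server", ipaddress.ip_network("10.0.1.0/24")),
    ("Database", ipaddress.ip_network("10.0.2.0/24")),
    ("Employees", ipaddress.ip_network("10.8.0.0/24")),  # VPN client pool
]

# Baseline derived from the Phase 2 table: (source zone, destination zone, proto, port).
# GitHub and AWS S3 are external SaaS endpoints, so they fall under "Internet" here.
AUTHORIZED = {
    ("Internet", "Load Balancer", "tcp", 443),  # Customer traffic
    ("Web Server", "Database", "tcp", 3306),    # Application data
    ("Employees", "Internet", "tcp", 443),      # Code repository / file storage
}


def zone_of(ip_text: str) -> str:
    """Resolve an address to its zone name; unknown ranges are 'Internet'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES:
        if ip in net:
            return name
    return "Internet"


def parse_flow(line: str) -> Optional[tuple]:
    """Parse a constructed log line: '<timestamp> <src> <dst> <proto> <port>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        return ts, zone_of(src), zone_of(dst), proto.lower(), int(port), src, dst
    except ValueError:  # bad address or non-numeric port
        return None


def audit_flows(lines: Iterable[str]) -> list:
    """Return each observed flow that is absent from the baseline, with raw IPs kept."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src_zone, dst_zone, proto, port, src, dst = parsed
        flow = (src_zone, dst_zone, proto, port)
        if flow not in AUTHORIZED:
            findings.append({"time": ts, "src": src, "dst": dst, "flow": flow})
    return findings


# Constructed sample log: two authorized flows, two that are not, one malformed line.
SAMPLE_LOG = [
    "2025-08-08T10:00:01Z 203.0.113.7 10.0.0.4 tcp 443",
    "2025-08-08T10:00:02Z 10.0.1.5 10.0.2.10 tcp 3306",
    "2025-08-08T10:00:03Z 10.8.0.12 10.0.2.10 tcp 3306",   # VPN user straight to DB
    "2025-08-08T10:00:04Z 10.0.1.5 10.0.2.10 tcp 22",      # SSH web -> DB, not on baseline
    "2025-08-08T10:00:05Z 10.8.0.12 140.82.112.3 tcp 443",
    "2025-08-08T10:00:06Z 10.0.1.5 10.0.2.10 tcp abc",     # malformed, skipped
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_LOG):
        print(f"{finding['time']} {finding['src']} -> {finding['dst']} "
              f"not authorized: {finding['flow']}")
```

Each finding is either a gap in the table (add the row, with an owner and a purpose) or a connection that should not exist; both outcomes feed the ID.AM-07 review.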

Data Flow Mapping

Customer Data Journey:

  1. Collection: Web forms, API calls, file uploads
  2. Processing: Application servers, data transformation
  3. Storage: Primary database, backup systems, logs
  4. Transmission: API responses, reports, integrations
  5. Archival: Long-term storage, compliance retention
  6. Disposal: Secure deletion, certificate of destruction

Internal Data Flows:

  • Development: Code repositories, CI/CD pipelines, staging environments
  • Business Intelligence: Data warehouses, analytics platforms, reporting tools
  • Operations: Monitoring systems, log aggregation, alerting platforms
  • Backup: Backup systems, disaster recovery sites, archive storage

Third-Party Data Sharing:

  • Customer Support: Help desk systems, support chat platforms
  • Analytics: Marketing automation, web analytics, user behavior tracking
  • Compliance: Audit firms, legal counsel, regulatory reporting
  • Business Partners: API integrations, data feeds, shared platforms

Supply Chain Asset Management

Supplier Asset Inventory

Critical Suppliers (Direct Business Impact):

| Supplier | Service | Data Access | Business Criticality | Contract Type |
|----------|---------|-------------|----------------------|---------------|
| AWS | Cloud Infrastructure | All production data | Critical | Standard terms |
| Stripe | Payment Processing | Payment/customer data | Critical | Custom contract |
| GitHub | Code Repository | Source code | High | Standard terms |
| Google | Email/Productivity | Business communications | High | Business agreement |

Supporting Suppliers (Operational Support):

| Supplier | Service | Data Access | Business Criticality | Contract Type |
|----------|---------|-------------|----------------------|---------------|
| Slack | Team Communication | Internal messages | Medium | Standard terms |
| Zoom | Video Conferencing | Meeting data | Medium | Business plan |
| DocuSign | Document Signing | Contract data | Medium | Standard terms |

Indirect Suppliers (Limited Impact):

| Supplier | Service | Data Access | Business Criticality | Contract Type |
|----------|---------|-------------|----------------------|---------------|
| Canva | Design Tools | Marketing materials | Low | Free/paid plan |
| Survey Monkey | Feedback Collection | Survey responses | Low | Standard terms |

Supplier Asset Management Process

Supplier Onboarding:

  1. Business Justification: Why is this supplier needed?
  2. Risk Assessment: What data will they access?
  3. Security Review: Do they meet our security requirements?
  4. Contract Review: Are security terms adequate?
  5. Implementation: Secure configuration and access controls
  6. Monitoring: Ongoing security posture monitoring

Ongoing Supplier Management:

  • Quarterly Reviews: Security posture and compliance status
  • Annual Assessments: Comprehensive risk evaluation
  • Incident Monitoring: Track supplier security incidents
  • Contract Renewal: Update security requirements as needed

Asset Prioritization and Risk Assessment

Risk-Based Asset Prioritization

Prioritization Matrix:

| Criteria | Weight | Critical | High | Medium | Low |
|----------|--------|----------|------|--------|-----|
| Business Impact | 40% | Revenue generating | Customer facing | Internal tools | Development |
| Data Sensitivity | 30% | PII/PCI/PHI | Confidential | Internal | Public |
| Regulatory Requirements | 20% | Compliance mandated | Audit scope | Policy covered | No requirements |
| Recovery Complexity | 10% | >1 week to restore | >1 day | <1 day | <4 hours |

Asset Risk Score Calculation:

Risk Score = (Business Impact × 0.4) + (Data Sensitivity × 0.3) + 
             (Regulatory × 0.2) + (Recovery × 0.1)

Scale: score each criterion from 1 to 4 (1=Low, 2=Medium, 3=High, 4=Critical); because the weights sum to 1.0, the resulting risk score also falls between 1.0 and 4.0.

Risk-Based Security Investment:

  • Critical Assets (Score 3.5-4.0): Maximum security controls and monitoring
  • High Assets (Score 2.5-3.4): Strong security controls with regular review
  • Medium Assets (Score 1.5-2.4): Standard security controls
  • Low Assets (Score 1.0-1.4): Basic security controls
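The scoring formula and the investment bands are easy to apply inconsistently by hand. Below is an added example (not code from the original lesson) that applies the weighted formula to a small inventory, ranks the assets, maps each score to the bands stated above, and flags assets with no owner, which the lesson treats as a prerequisite for maintaining and reviewing them. The inventory rows are constructed; the weights and band thresholds are the lesson's own.

```python
"""Weighted asset risk scoring from the lesson's prioritization matrix.

Added example, not code from the original lesson. Inventory rows are
constructed; weights and score bands are the ones stated in the text.
"""
from dataclasses import dataclass

WEIGHTS = {"business_impact": 0.4, "data_sensitivity": 0.3,
           "regulatory": 0.2, "recovery": 0.1}

# Lower bound of each security-investment band, checked from highest to lowest.
BANDS = [(3.5, "Critical"), (2.5, "High"), (1.5, "Medium"), (1.0, "Low")]


@dataclass
class Asset:
    asset_id: str
    name: str
    owner: str            # empty string when nobody has been assigned yet
    business_impact: int  # each criterion is scored 1-4
    data_sensitivity: int
    regulatory: int
    recovery: int


def risk_score(asset: Asset) -> float:
    """Apply the weighted formula; rejects any criterion outside the 1-4 scale."""
    score = 0.0
    for criterion, weight in WEIGHTS.items():
        value = getattr(asset, criterion)
        if not 1 <= value <= 4:
            raise ValueError(f"{asset.asset_id}: {criterion}={value} is outside 1-4")
        score += value * weight
    return round(score, 2)


def band(score: float) -> str:
    """Map a score to the lesson's investment band (lower bound inclusive)."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} is below the 1.0 minimum")


def prioritize(assets) -> list:
    """Rank assets highest risk first: (asset_id, name, score, band)."""
    ranked = []
    for asset in assets:
        score = risk_score(asset)
        ranked.append((asset.asset_id, asset.name, score, band(score)))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


def unowned(assets) -> list:
    """Assets with no owner cannot be maintained or reviewed (ID.AM-05, ID.AM-07)."""
    return [asset.asset_id for asset in assets if not asset.owner.strip()]


# Constructed inventory: (business impact, data sensitivity, regulatory, recovery).
INVENTORY = [
    Asset("CLD002", "RDS customer database", "Backend Team", 4, 4, 4, 4),
    Asset("APP002", "Internal CRM (SaaS)", "Sales Team", 3, 3, 2, 2),
    Asset("DEV003", "Staging environment", "", 2, 3, 1, 2),
    Asset("WEB004", "Public docs site", "Marketing", 2, 1, 1, 1),
]

if __name__ == "__main__":
    for asset_id, name, score, tier in prioritize(INVENTORY):
        print(f"{asset_id} {name:<24} {score:.2f} {tier}")
    print("No owner assigned:", unowned(INVENTORY))
```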

Asset-Based Security Control Mapping

Critical Asset Security Requirements:

  • Multi-factor authentication for all access
  • Encryption at rest and in transit
  • Real-time monitoring and alerting
  • Regular vulnerability assessments
  • Incident response procedures
  • Business continuity planning

High Asset Security Requirements:

  • Strong authentication (MFA preferred)
  • Encryption for sensitive data
  • Regular security monitoring
  • Quarterly vulnerability assessments
  • Standard incident response
  • Recovery procedures documented

Medium Asset Security Requirements:

  • Standard authentication controls
  • Basic encryption for data in transit
  • Periodic security monitoring
  • Annual vulnerability assessments
  • Basic incident response
  • Backup and recovery procedures

Low Asset Security Requirements:

  • Basic authentication controls
  • Standard encryption where feasible
  • Minimal security monitoring
  • Ad-hoc vulnerability assessments
  • Informal incident response
  • Basic backup procedures

Hands-On Exercise: Build Your Asset Inventory

Step 1: Asset Discovery

Physical Assets (30 minutes):

  • List all company-owned devices (laptops, phones, etc.)
  • Identify office infrastructure (routers, printers, etc.)
  • Document any server or networking hardware

Cloud Assets (45 minutes):

  • AWS/GCP/Azure resource inventory
  • Docker containers and registries
  • SaaS applications and subscriptions
  • Development and staging environments

Data Assets (30 minutes):

  • Customer databases and records
  • Source code repositories
  • Financial and business records
  • Employee and HR information

Service Assets (30 minutes):

  • Third-party SaaS applications
  • Managed services and vendors
  • API integrations and partnerships
  • Support and professional services

Step 2: Asset Classification

For each asset identified:

Criticality Assessment:

  • Business impact if unavailable
  • Data sensitivity level
  • Regulatory requirements
  • Recovery complexity

Ownership Assignment:

  • Primary asset owner
  • Backup responsible person
  • Responsible department/team

Security Requirements:

  • Authentication requirements
  • Encryption needs
  • Monitoring requirements
  • Backup/recovery needs

Step 3: Process Implementation

Documentation Setup:

  • Create asset inventory spreadsheet/database
  • Define update and review schedule
  • Assign asset management responsibilities
  • Create asset owner notification process

Automation Planning:

  • Identify tools for automated discovery
  • Plan integration with existing systems
  • Define monitoring and alerting
  • Create reporting and dashboard requirements

Real-World Example: SaaS Startup Asset Management

Company: 22-employee project management software startup
Challenge: Rapid growth, cloud-native architecture, remote team

Month 1: Initial Discovery

Automated Discovery Results:

  • 47 AWS resources across 3 environments
  • 23 active SaaS subscriptions (found in expense reports)
  • 31 GitHub repositories (including personal repos with company code)
  • 67 devices (laptops, phones, tablets) across remote team

Manual Investigation Findings:

  • 15 additional “shadow IT” tools found through interviews
  • 8 development environments not in official documentation
  • 12 domain names registered by different team members
  • 5 databases containing customer data not in main inventory

Month 2: Classification and Prioritization

Critical Assets (12 items):

  • Production AWS environment
  • Customer database
  • Payment processing integration
  • Main application code repository
  • Customer-facing web application

Risk Score Distribution:

  • Critical: 12 assets requiring maximum security
  • High: 28 assets needing strong controls
  • Medium: 45 assets with standard security
  • Low: 31 assets with basic protection

Month 3: Process Implementation

Asset Management System:

  • Airtable database for asset inventory
  • Automated AWS inventory integration
  • Weekly asset owner notifications
  • Monthly comprehensive review process

Results After 6 Months:

  • 100% asset visibility achieved
  • 3 security incidents prevented through early detection
  • $15,000 saved by eliminating redundant services
  • SOC 2 audit passed with clean asset inventory
  • 40% faster incident response due to asset clarity

Key Lessons Learned:

  • Started simple with spreadsheets, evolved to integrated tools
  • Automated discovery missed 30% of actual assets
  • Employee interviews were crucial for complete inventory
  • Regular review process essential for maintaining accuracy
  • Asset ownership assignment improved security accountability

Common Asset Management Challenges

Challenge: “We Have Too Many Assets to Track”

Solution:

  • Focus on critical and high-risk assets first
  • Use automated discovery tools to reduce manual effort
  • Implement risk-based management (more attention to higher-risk assets)
  • Create asset categories to manage similar assets together

Challenge: “Assets Change Too Quickly”

Solution:

  • Implement automated asset discovery and monitoring
  • Build asset management into development and deployment processes
  • Create change notification workflows
  • Focus on asset categories rather than individual items

Challenge: “Nobody Wants to Be Asset Owners”

Solution:

  • Make asset ownership part of job responsibilities
  • Provide clear expectations and minimal overhead processes
  • Recognize and reward good asset management
  • Make asset ownership relevant to business success

Challenge: “We Don’t Know What Data We Have”

Solution:

  • Start with data flow mapping from customer perspective
  • Use data discovery tools to scan systems
  • Interview teams about data they work with
  • Create data classification and handling procedures

Key Takeaways

  1. Start with Critical Assets: Focus on what matters most to your business first
  2. Automation is Essential: Use tools to discover and track assets automatically
  3. Ownership Drives Accountability: Every asset needs a responsible owner
  4. Classification Enables Prioritization: Not all assets need the same level of protection
  5. Process Must Scale: Build asset management that grows with your organization

Knowledge Check

  1. What’s the most important first step in asset management?

    • A) Buying asset management software
    • B) Automated network discovery
    • C) Identifying critical business assets
    • D) Creating detailed documentation
  2. How should startups prioritize assets for security investment?

    • A) Alphabetically by name
    • B) By cost of the asset
    • C) By business impact and data sensitivity
    • D) By age of the asset
  3. What percentage of assets do automated discovery tools typically find?

    • A) 100% - they find everything
    • B) Around 70% - manual investigation needed
    • C) 50% - mostly automated
    • D) 25% - mostly manual work required

In the next lesson, we’ll explore how to understand your business environment context - the threats, vulnerabilities, and risk factors that could impact your startup’s cybersecurity posture.

David McDonald

I'm David McDonald, the Cyber Risk Guy. I'm a cybersecurity consultant helping organizations build resilient, automated, cost effective security programs.