Chapter 16 of 27
Asset Management and Secure Configuration in Operations
Track what you own, where it lives, and how it’s configured so you can actually secure it, from laptops and servers to cloud resources and OT devices.
Why Asset Management Is the Foundation of Security Operations
Know What You Have
If you do not know what you have, you cannot protect it. Asset management tracks what hardware, software, services, and data you own or use, where they are, and who owns them.
Modern Asset Types
In a hybrid environment, assets include endpoints, servers/VMs, cloud services, network devices, IoT/OT devices, applications, APIs, and data stores like databases or file shares.
Why SOCs Need Asset Data
Security operations teams use asset data to prioritize alerts, scope vulnerabilities, plan patching, and support resilience and recovery decisions.
Security+ Relevance
For SY0-701, asset management ties into the architecture, operations, and governance, risk, and compliance (GRC) areas of the exam, and it supports both risk assessment and zero trust access decisions.
Core Components of an Asset Management Program
Program Overview
An asset management program is a coordinated set of people, processes, and tools that keeps your asset information accurate and usable over time.
Inventory & Classification
Core pieces: a central asset inventory with identifiers and owners, plus classification labels for criticality and sensitivity such as Critical/High/Medium/Low.
Lifecycle Management
Lifecycle covers onboarding (add and register assets), maintenance (patch and update), and offboarding (wipe, revoke access, and remove from monitoring).
Configuration & Tooling
Configuration management defines secure baselines and controls changes. Tooling like a CMDB, discovery scanners, and integrations keep data fresh.
Building and Maintaining an Asset Inventory
Inventory Scope & Fields
Start by defining scope and fields: what asset types to track and which attributes (ID, owner, OS, location, data classification, criticality, status).
Multiple Data Sources
Pull asset data from endpoint tools, cloud consoles, network scans, identity systems, and procurement records to get broad coverage.
Normalize & Own
Normalize naming, de‑duplicate entries, then assign a business and technical owner to each asset and apply initial classification labels.
Keep It Fresh
Use automated updates, enforce registration in onboarding, and schedule periodic owner reviews so the inventory stays accurate.
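The inventory-building steps above (define fields, pull from several sources, normalize and de-duplicate, assign owners and classification, keep it fresh) as an added worked example; this is not code from the course. It merges constructed exports from an endpoint agent, a cloud console, a network scan, and procurement records, keyed by normalized hostname, and then flags records with no owner, records known to only one source, and records not confirmed alive recently. All hostnames, users, dates, and field names are constructed for illustration.

```python
"""Added example (not part of the course): build a normalized asset inventory
from several source exports, de-duplicate by hostname, assign owners and
classification labels, and flag records that need attention.
Every record, field name and date below is constructed for illustration."""
from datetime import date, timedelta

# Constructed exports, one list per data source (their shapes differ on purpose).
ENDPOINT_TOOL = [
    {"hostname": "LAPTOP-0042.corp.example", "os": "Windows 11",
     "user": "asha", "last_seen": "2024-05-01"},
    {"hostname": "srv-db-01.corp.example", "os": "Ubuntu 22.04",
     "user": None, "last_seen": "2024-05-02"},
]
CLOUD_CONSOLE = [
    {"name": "srv-db-01", "region": "eu-west-1",
     "tags": {"owner": "dba-team", "data": "Confidential"}},
    {"name": "web-prod-03", "region": "eu-west-1",
     "tags": {"owner": "web-team", "data": "Public"}},
]
NETWORK_SCAN = [
    {"host": "SRV-DB-01", "ip": "10.0.5.12", "seen": "2024-05-02"},
    {"host": "printer-2f", "ip": "10.0.9.44", "seen": "2024-04-30"},
]
PROCUREMENT = [
    {"asset_tag": "A-1001", "hostname": "laptop-0042", "purchased_for": "asha"},
]


def normalize_name(raw):
    """Lower-case and drop the domain suffix so one machine matches across sources."""
    return raw.strip().lower().split(".")[0]


def _newer(a, b):
    """Later of two ISO-8601 date strings; either may be None."""
    dates = [d for d in (a, b) if d]
    return max(dates) if dates else None


def build_inventory(endpoint=ENDPOINT_TOOL, cloud=CLOUD_CONSOLE,
                    scan=NETWORK_SCAN, procurement=PROCUREMENT):
    """Merge all sources into one dict keyed by normalized asset ID."""
    inventory = {}

    def record(name):
        return inventory.setdefault(name, {
            "id": name, "owner": None, "os": None, "location": None,
            "ip": None, "classification": None, "asset_tag": None,
            "sources": set(), "last_seen": None})

    for e in endpoint:                       # agent data: OS and logged-on user
        r = record(normalize_name(e["hostname"]))
        r["os"] = e["os"]
        r["owner"] = r["owner"] or e["user"]
        r["last_seen"] = _newer(r["last_seen"], e["last_seen"])
        r["sources"].add("endpoint")
    for c in cloud:                          # cloud tags carry owner and data label
        r = record(normalize_name(c["name"]))
        r["location"] = c["region"]
        r["owner"] = c["tags"].get("owner") or r["owner"]
        r["classification"] = c["tags"].get("data") or r["classification"]
        r["sources"].add("cloud")
    for s in scan:                           # network discovery: address and liveness only
        r = record(normalize_name(s["host"]))
        r["ip"] = s["ip"]
        r["last_seen"] = _newer(r["last_seen"], s["seen"])
        r["sources"].add("scan")
    for p in procurement:                    # purchase records: asset tag and intended user
        r = record(normalize_name(p["hostname"]))
        r["asset_tag"] = p["asset_tag"]
        r["owner"] = r["owner"] or p["purchased_for"]
        r["sources"].add("procurement")
    return inventory


def missing_owner(inventory):
    """Assets nobody is accountable for; these need an owner before anything else."""
    return sorted(n for n, r in inventory.items() if not r["owner"])


def single_source(inventory):
    """Assets known to only one source: incomplete records or possibly unmanaged devices."""
    return sorted(n for n, r in inventory.items() if len(r["sources"]) == 1)


def stale_assets(inventory, as_of, max_age_days=30):
    """Assets not confirmed alive within max_age_days (or never), queued for owner review."""
    cutoff = (date.fromisoformat(as_of) - timedelta(days=max_age_days)).isoformat()
    return sorted(n for n, r in inventory.items()
                  if r["last_seen"] is None or r["last_seen"] < cutoff)


if __name__ == "__main__":
    inv = build_inventory()
    for name, r in sorted(inv.items()):
        print(f"{name:12} owner={r['owner']!s:10} class={r['classification']!s:13} "
              f"sources={sorted(r['sources'])}")
    print("missing owner:", missing_owner(inv))
    print("single source:", single_source(inv))
    print("stale:", stale_assets(inv, as_of="2024-05-03"))
```

The three flag functions are the "keep it fresh" step in code: each returns a review queue rather than silently fixing records, because the owner assignment and classification decisions belong to people, not to the merge script.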
Asset Classification: Criticality and Sensitivity
Why Classify Assets
Classification turns a raw asset list into a prioritized view. It helps you decide which systems get the strongest protections and fastest response.
Criticality Levels
Criticality measures impact if the system is down or corrupted. Example levels: Critical, High, Medium, Low, based on business and safety impact.
Sensitivity Levels
Sensitivity measures confidentiality risk. Example labels: Public, Internal, Confidential, Restricted, based on harm if data is exposed.
Using Classification
Combine criticality and sensitivity so that critical, restricted systems receive the strongest controls and the highest priority, while low-criticality, public systems receive lighter controls.
Secure Configuration Management in Operations
What Is Configuration Management
Configuration management ensures assets are set up securely and consistently, and stay that way over time, reducing attack surface.
Secure Baselines
Baselines are standard hardened settings per asset type, such as disabling unused services and enforcing strong authentication and logging.
Tools and Drift
Tools like Ansible or cloud policies apply baselines at scale. Drift occurs when changes move systems away from those baselines.
Change Control
Formal change control processes require documenting, assessing, approving, and tracking configuration changes for security and compliance.
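The baseline, drift, and change-control ideas from this section as an added worked example (not code from the course, and not the schema of any real configuration tool): a hardened baseline per asset type is compared with the settings observed on each host, and every deviation is reported as drift, split into deviations that have an approved change record and those that do not. The baseline keys, hostnames, settings, and ticket IDs are constructed placeholders.

```python
"""Added example (not part of the course): compare a host's observed settings
against the secure baseline for its asset type and report drift, separating
deviations that have an approved change record from those that do not.
Baselines, hosts, settings and ticket IDs are constructed placeholders."""

# Hardened baseline per asset type (constructed; keys are illustrative, not a real tool's schema).
BASELINES = {
    "linux-server": {
        "ssh.password_auth": "no",
        "ssh.permit_root_login": "no",
        "auditd.enabled": "yes",
        "firewall.default_inbound": "deny",
        "service.telnet": "disabled",
        "service.rsyslog": "enabled",
    },
}

# Approved deviations from change control: asset -> setting -> change ticket (placeholder IDs).
APPROVED_EXCEPTIONS = {
    "srv-legacy-07": {"ssh.password_auth": "CHG-PLACEHOLDER-1"},
}

# Observed configuration collected from each host (constructed).
OBSERVED = {
    "srv-db-01": {
        "ssh.password_auth": "no", "ssh.permit_root_login": "yes",
        "auditd.enabled": "yes", "firewall.default_inbound": "deny",
        "service.telnet": "disabled", "service.rsyslog": "enabled",
    },
    "srv-legacy-07": {
        "ssh.password_auth": "yes", "ssh.permit_root_login": "no",
        # "auditd.enabled" is absent: the collector found no auditd configuration at all
        "firewall.default_inbound": "deny",
        "service.telnet": "enabled", "service.rsyslog": "enabled",
    },
}

MISSING = "<not set>"   # sentinel for a baseline setting the host does not report


def detect_drift(asset_id, asset_type, observed, baselines=BASELINES,
                 exceptions=APPROVED_EXCEPTIONS):
    """Return one finding per baseline setting that the host does not match.
    A setting that is missing entirely counts as drift, not as compliant."""
    findings = []
    approved = exceptions.get(asset_id, {})
    for setting, expected in baselines[asset_type].items():
        actual = observed.get(setting, MISSING)
        if actual == expected:
            continue
        findings.append({
            "asset": asset_id, "setting": setting,
            "expected": expected, "observed": actual,
            "ticket": approved.get(setting),      # None means unapproved drift
        })
    return findings


def unapproved(findings):
    """Drift with no change record: a candidate for rollback or investigation."""
    return [f for f in findings if f["ticket"] is None]


def drift_report(observed=OBSERVED, asset_type="linux-server"):
    """Map each host to the sorted list of settings with unapproved drift."""
    return {host: sorted(f["setting"] for f in unapproved(detect_drift(host, asset_type, cfg)))
            for host, cfg in observed.items()}


if __name__ == "__main__":
    for host, cfg in OBSERVED.items():
        for f in detect_drift(host, "linux-server", cfg):
            status = f"approved via {f['ticket']}" if f["ticket"] else "UNAPPROVED"
            print(f"{host}: {f['setting']} expected={f['expected']} "
                  f"observed={f['observed']} [{status}]")
```

Treating a missing setting as drift rather than as "nothing to check" is deliberate: a collector that cannot find the logging or audit configuration is reporting a gap in the baseline, and silently skipping it would hide exactly the change a responder most needs to see.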
Lifecycle Management: Onboarding and Offboarding Assets
Onboarding a Laptop
A new hire request triggers procurement, enrollment in endpoint tools, application of secure baselines, and automatic registration in the asset inventory.
Configuration at Onboarding
During onboarding, baselines enforce disk encryption, EDR, firewall, logging, and MDM policies, and the device is tagged with owner and classification.
Offboarding Steps
When someone leaves, IT uses the inventory to find their assets, disable accounts, collect or wipe devices, and update records or reassign equipment.
Exam Signal
If a scenario has orphaned devices or active accounts after departures, the missing control is structured onboarding and offboarding tied to asset management.
Shadow IT and Rogue Assets
What Is Shadow IT
Shadow IT is the use of systems, apps, or services without formal IT approval. Rogue assets are unauthorized devices or services, sometimes malicious.
Examples & Risks
Examples include unapproved SaaS, personal cloud VMs, rogue Wi‑Fi APs, or unmanaged laptops. They lack baselines, patching, and monitoring.
Detecting Shadow IT
Use network discovery, NAC, CASB, DNS/proxy logs, and procurement vs. inventory comparisons to find unmanaged or unknown assets.
Controlling Shadow IT
Combine policies, user education, easy request processes, and technical controls to reduce shadow IT and onboard discovered assets securely.
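The detection step described above (network discovery and DNS/proxy logs compared against the inventory and the list of sanctioned services) as an added worked example; this is not code from the course. Devices seen on the network with no inventory record go into an investigate-and-onboard-or-remove queue, and proxy destinations outside the approved SaaS list are summarized by hit count and distinct users so the team can see how widespread each unapproved service is. Hostnames, IPs, domains, usernames, and log lines are all constructed.

```python
"""Added example (not part of the course): find shadow IT and rogue assets by
comparing network discovery results and proxy logs against the managed
inventory and the approved SaaS list. Hostnames, IPs, domains, users and
log lines are all constructed for illustration."""
import re
from collections import defaultdict

# Managed asset IDs from the inventory and sanctioned SaaS domains (constructed).
INVENTORY = {"laptop-0042", "srv-db-01", "web-prod-03"}
APPROVED_SAAS = {"mail.approved-saas.test", "crm.approved-saas.test"}

# Network discovery results: reverse-DNS name (may be empty), address, NIC vendor (constructed).
DISCOVERED = [
    {"host": "SRV-DB-01.corp.example", "ip": "10.0.5.12", "mac_vendor": "ServerCo"},
    {"host": "laptop-0042", "ip": "10.0.7.21", "mac_vendor": "LaptopCo"},
    {"host": "", "ip": "10.0.9.77", "mac_vendor": "WifiRouterCo"},
    {"host": "nas-backup", "ip": "10.0.9.78", "mac_vendor": "NASCo"},
]

# Proxy log excerpt (constructed); one request per line.
PROXY_LOG = """\
2024-05-02T09:14:03Z user=asha dst=mail.approved-saas.test action=allow
2024-05-02T09:15:10Z user=asha dst=files.personal-cloud.test action=allow
2024-05-02T10:02:44Z user=rahul dst=files.personal-cloud.test action=allow
2024-05-02T10:05:01Z user=rahul dst=crm.approved-saas.test action=allow
2024-05-02T11:30:27Z user=mei dst=notes.unknown-app.test action=allow
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")


def normalize_name(raw):
    """Lower-case and drop the domain suffix so discovery names match inventory IDs."""
    return raw.strip().lower().split(".")[0]


def unmanaged_devices(discovered=DISCOVERED, inventory=INVENTORY):
    """Devices seen on the network that no inventory record explains.
    An empty or unresolvable name never matches, so it is always flagged."""
    return [d for d in discovered if normalize_name(d["host"]) not in inventory]


def unapproved_saas(log=PROXY_LOG, approved=APPROVED_SAAS):
    """Destination -> {'hits': n, 'users': set} for traffic to non-sanctioned services."""
    usage = defaultdict(lambda: {"hits": 0, "users": set()})
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dst"] in approved:
            continue
        usage[m["dst"]]["hits"] += 1
        usage[m["dst"]]["users"].add(m["user"])
    return dict(usage)


if __name__ == "__main__":
    print("Unmanaged devices to investigate (onboard or remove):")
    for d in unmanaged_devices():
        print(f"  {d['ip']:12} name={d['host'] or '<none>'!s:24} vendor={d['mac_vendor']}")
    print("Unapproved services seen in proxy logs (request or block):")
    for dst, info in sorted(unapproved_saas().items(), key=lambda kv: -kv[1]["hits"]):
        print(f"  {dst:28} hits={info['hits']} users={sorted(info['users'])}")
```

The per-user count matters for the control step: a service used by many people is usually a sign that the official request path is too slow, and the fix is to evaluate and onboard it, whereas a single unexplained device with no name is the case that warrants a closer look before any decision.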
Tying Asset Management to Vulnerability Management and Incident Response
Asset Data Feeds VM
Vulnerability management uses asset data to know what to scan, which versions exist, and how to prioritize remediation based on criticality.
Patching Priorities
Scan results are combined with classification so critical, restricted systems with exploitable flaws are patched before low‑impact assets.
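How scan results and classification labels combine into a remediation order, as an added worked example that is not code from the course: each finding's scanner severity is scaled by the asset's criticality and sensitivity, with extra weight for a publicly available exploit and for internet exposure, and findings on hosts the inventory does not know are set aside as inventory gaps. The weights, asset records, finding IDs (FINDING-*), and SLA tiers are constructed placeholders, not a standard scoring scheme.

```python
"""Added example (not part of the course): rank vulnerability findings for
remediation by combining scanner output with the asset's criticality and
sensitivity labels. Weights, assets, finding IDs and SLA tiers are constructed
placeholders, not a standard; tune them to your own risk appetite."""

CRITICALITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
SENSITIVITY = {"Restricted": 4, "Confidential": 3, "Internal": 2, "Public": 1}

# Asset records as the inventory would supply them (constructed).
ASSETS = {
    "srv-db-01":   {"criticality": "High",   "sensitivity": "Restricted", "internet_facing": False},
    "web-prod-03": {"criticality": "Medium", "sensitivity": "Public",     "internet_facing": True},
    "dev-test-11": {"criticality": "Low",    "sensitivity": "Internal",   "internet_facing": False},
}

# Scanner findings (constructed; FINDING-* are placeholder IDs, not real advisories).
FINDINGS = [
    {"id": "FINDING-1", "asset": "dev-test-11", "cvss": 9.8, "exploit_public": True},
    {"id": "FINDING-2", "asset": "srv-db-01",   "cvss": 7.5, "exploit_public": False},
    {"id": "FINDING-3", "asset": "web-prod-03", "cvss": 6.5, "exploit_public": True},
    {"id": "FINDING-4", "asset": "srv-db-01",   "cvss": 9.8, "exploit_public": True},
    {"id": "FINDING-5", "asset": "ghost-host",  "cvss": 5.0, "exploit_public": False},  # not in inventory
]


def risk_score(finding, asset):
    """Technical severity scaled by business impact and exposure (constructed weights)."""
    impact = CRITICALITY[asset["criticality"]] + SENSITIVITY[asset["sensitivity"]]
    score = finding["cvss"] * impact
    if finding["exploit_public"]:
        score *= 1.5          # exploitable flaws move ahead of theoretical ones
    if asset["internet_facing"]:
        score *= 1.25         # reachable from outside: wider attacker population
    return round(score, 1)


def sla_days(score):
    """Remediation deadline tier for a score (constructed thresholds)."""
    if score >= 50:
        return 7
    if score >= 25:
        return 30
    return 90


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return (findings ranked by score, IDs of findings on assets the inventory lacks)."""
    ranked, unknown = [], []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            unknown.append(f["id"])   # inventory gap: fix the record, then rescore
            continue
        score = risk_score(f, asset)
        ranked.append({**f, "score": score, "sla_days": sla_days(score)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, unknown


if __name__ == "__main__":
    ranked, unknown = prioritize()
    for rank, r in enumerate(ranked, start=1):
        print(f"{rank}. {r['id']} on {r['asset']:12} cvss={r['cvss']} "
              f"score={r['score']:6} fix within {r['sla_days']} days")
    print("findings on unknown assets (inventory gap):", unknown)
```

With these constructed weights, the CVSS 7.5 finding on the restricted database ranks above the CVSS 9.8 finding on the low-criticality test VM, which is the behaviour the text asks for: scanner severity alone would have ordered them the other way. The unknown-asset queue is the feedback loop back into the inventory, since a host the scanner sees but the inventory does not is itself a finding.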
Asset Data in Incidents
During incidents, analysts query the inventory to learn what a host is, who owns it, and what data it holds, guiding containment decisions.
Using Baselines
Configuration baselines show what normal settings should be, helping responders spot malicious or unauthorized configuration changes.
Thought Exercise: Prioritizing Assets for Protection
Work through this scenario mentally (or jot notes) to practice classification and prioritization.
Your organization has identified the following assets:
- Public marketing website hosted on a cloud provider. Static content only.
- Internal HR system with employee records (salary, performance, personal data).
- OT controller for a manufacturing line. If it fails, production stops.
- Developer test VM used for experiments, no real data.
Tasks:
- Classify each asset by criticality (Critical/High/Medium/Low) and sensitivity (Public/Internal/Confidential/Restricted).
- Think about business impact (availability/integrity) and confidentiality.
- Rank them from 1 (highest priority) to 4 (lowest priority) for:
  - a) Patching and hardening
  - b) Monitoring and alerting
- Reflect on controls:
  - Which asset should be most tightly controlled (network segmentation, MFA, strict change control)?
  - Which asset can tolerate more relaxed controls (still secure, but less intensive)?
Suggested reasoning (compare to your own):
- OT controller: likely Critical + at least Internal, maybe higher if safety is involved; top priority for availability and monitoring.
- HR system: High criticality and Confidential/Restricted; top priority for confidentiality and integrity.
- Marketing site: Low/Medium criticality, Public sensitivity; important but less critical than HR and OT.
- Dev VM: Low criticality, Internal; lowest priority, but still should not be wide open.
Quiz: Asset Inventory and Classification
Check your understanding of asset inventory and classification concepts.
A security team wants to ensure that vulnerability remediation efforts are focused on systems that would cause the greatest business damage if compromised. Which combination of practices BEST supports this goal?
- A) Run vulnerability scans on all systems every week and patch in the order findings are reported.
- B) Maintain a dynamic asset inventory with criticality and sensitivity labels, then prioritize remediation based on those classifications.
- C) Limit vulnerability scans to internet-facing systems and apply patches only when exploits are seen in the wild.
- D) Rely on annual penetration tests to identify the most important vulnerabilities and patch only those findings.
Answer: B) Maintain a dynamic asset inventory with criticality and sensitivity labels, then prioritize remediation based on those classifications.
A dynamic asset inventory with criticality and sensitivity labels allows the team to tie vulnerabilities to business impact and prioritize remediation accordingly. The other options either ignore business impact, reduce coverage too much, or rely on infrequent testing.
Quiz: Shadow IT and Configuration Management
Test your understanding of shadow IT risks and configuration management controls.
During a routine network scan, the security team discovers several wireless access points that are not in the asset inventory. Some are connected to internal switches in office areas. What is the MOST appropriate first response from a security operations perspective?
- A) Immediately power off all unauthorized access points without notifying anyone.
- B) Document the devices, investigate ownership and purpose, and then decide whether to remove them or bring them under management.
- C) Ignore the devices because they are in office areas and likely belong to employees.
- D) Update the asset inventory to include the access points but take no other action.
Answer: B) Document the devices, investigate ownership and purpose, and then decide whether to remove them or bring them under management.
The best first response is to treat them as potential shadow IT or rogue assets: document them, investigate who owns them and why they exist, and then either decommission or onboard and secure them. Immediate shutdown without understanding impact may disrupt business, while ignoring or only documenting them leaves risk unaddressed.
Key Term Flashcards: Asset Management and Configuration
Flip through these flashcards to reinforce core terms from this module.
- Asset inventory
- A centralized, authoritative list of hardware, software, services, and data assets, including identifiers, ownership, location, and key technical details.
- Asset classification
- The process of labeling assets based on business criticality and data sensitivity, used to prioritize protection, monitoring, and remediation.
- Configuration baseline
- A standard, approved, and hardened set of configuration settings for a given asset type, used as the reference for secure deployment and drift detection.
- Configuration drift
- The gradual deviation of a system’s actual configuration from its approved baseline due to manual changes, quick fixes, or unmanaged updates.
- Lifecycle management
- Managing assets from onboarding (request, approval, deployment) through maintenance (patching, updates) to offboarding (decommissioning, wiping, access revocation).
- Shadow IT
- Use of systems, applications, or services without formal IT approval, often unmanaged and outside standard security controls.
- Rogue asset
- An unauthorized or unknown device or service connected to the environment, potentially malicious or insecure.
- Configuration Management Database (CMDB)
- A repository that stores information about IT assets and their relationships, often used to support change management and incident response.
- Vulnerability management
- An ongoing process of identifying, assessing, prioritizing, remediating, and tracking security vulnerabilities across assets.
- Secure configuration management
- The practice of defining, applying, monitoring, and controlling changes to secure configuration baselines across assets in an environment.
Key Terms
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- Shadow IT
- Use of systems, applications, or services without formal IT approval, often unmanaged and outside standard security controls.
- Zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- Rogue asset
- An unauthorized or unknown device or service connected to the environment, potentially malicious or insecure.
- Asset inventory
- A centralized, authoritative list of hardware, software, services, and data assets, including identifiers, ownership, location, and key technical details.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- Hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- Configuration drift
- The gradual deviation of a system’s actual configuration from its approved baseline due to manual changes, quick fixes, or unmanaged updates.
- Asset classification
- The process of labeling assets based on business criticality and data sensitivity, used to prioritize protection, monitoring, and remediation.
- Lifecycle management
- Managing assets from onboarding (request, approval, deployment) through maintenance (patching, updates) to offboarding (decommissioning, wiping, access revocation).
- Configuration baseline
- A standard, approved, and hardened set of configuration settings for a given asset type, used as the reference for secure deployment and drift detection.
- Vulnerability management
- An ongoing process of identifying, assessing, prioritizing, remediating, and tracking security vulnerabilities across assets.
- Secure configuration management
- The practice of defining, applying, monitoring, and controlling changes to secure configuration baselines across assets in an environment.
- Governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
- Configuration Management Database (CMDB)
- A repository that stores information about IT assets and their relationships, often used to support change management and incident response.