This chapter covers the second objective in Domain 4.0, Security Operations, of the CompTIA Security+ exam.

In this chapter, we will explore the acquisition and procurement process, followed by the assignment, ownership, and classification of assets. We will consider the importance of standard naming conventions for the labeling and identification of computer systems, as well as monitoring and asset tracking, to ensure all equipment has been accounted for. The final sections will review the types and methods of data sanitization and destruction of end-of-life devices to prevent data breaches.

This chapter will give you an overview of why companies rely on these processes to keep their environment safe and ensure that you are prepared to successfully answer all exam questions related to these concepts for your certification.

Note

A full breakdown of Exam Objective 4.2 will be provided at the end of the chapter.

The acquisition and procurement process begins with a strategic evaluation of an organization’s technological needs. Whether it involves new hardware, software, or data assets, comprehending these requirements is crucial to ensuring that all potential purchases are compatible with our existing systems and monitoring tools. Additional tasks in the acquisition/procurement process include identifying deficiencies in the existing infrastructure, evaluating potential upgrades, defining the scope of the acquisition, and consideration of the following:

• Change management: When you procure new assets or replace existing assets, it is vital that you submit a case to the Change Advisory Board to get approval for the purchase and implementation.
• Vendor selection: Selecting the right vendor is crucial for quality, cost efficiency, reliability, and compliance. It’s not just about finding the best deal but also about ensuring the vendor aligns...

When organizations purchase millions of dollars worth of assets, they must track asset locations for auditing and compliance with regulations and policies. The assignment/accounting process deals with the allocation and tracking of these assets within the organization.

During the assignment process, hardware, software, and data resources are allocated to the correct parties. Accounting or accountability extends to tracking asset usage, maintenance, and security, and ultimately contributes to effective asset management and data protection. The major elements of asset assignment and accounting are as follows:

• Asset register: An asset register is a comprehensive record of an organization’s assets, including details such as location, value, and ownership. It is vital that any asset that an organization procures is added to the asset register to ensure all assets are accounted for. If an asset found on your network is not in the asset register, then...

Monitoring or tracking assets provides real-time visibility into asset location, usage, and security, helping organizations proactively detect and mitigate potential risks and ensuring optimal asset management. Tracking can be conducted by maintaining an asset inventory and enumeration, as follows:

• Inventory: The asset inventory for a company will be recorded on an asset register. The size of the organization will determine whether there are few enough assets to be manually entered into an Excel spreadsheet and manually updated, or whether it should be conducted using a software-based solution such as the following:
  • IBM Maximo: IBM Maximo is a comprehensive Enterprise Asset Management (EAM) solution designed to streamline asset management throughout their life cycle. It offers features for planning, scheduling, maintenance, and inventory management to help organizations optimize asset performance, reduce operational costs, and ensure regulatory compliance...

The disposal/decommissioning phase is the final stage in the life cycle of an asset. This phase involves the systematic removal, decommissioning, and disposal of assets that are no longer in use or have reached the end of their operational life. Proper disposal is crucial because it mitigates the risk of unauthorized access and data breaches and maintains regulatory compliance. It ensures that no residual data is left on any of the data drives, especially if the device was used to access classified data. Let’s look at some aspects of disposal/decommissioning:

• Sanitization: Sanitization is the process of securely removing all data and sensitive information from an asset before it is retired or disposed of. The primary goal of sanitization is to prevent unauthorized access to data that may still reside on the asset’s storage media. The methods of sanitization are as follows:
• Data wiping/overwriting: This method involves overwriting the...

This chapter explored asset management and its role in security. You learned about the acquisition and procurement process, including the importance of strategic evaluation when acquiring new assets. This was followed by a review of tracking asset usage and maintenance, as well as the adoption of standard naming conventions to assist with the labeling and identification of computer systems. Finally, you explored disposal and decommissioning, which are crucial practices for the secure removal of data from assets that have reached the end of their operational life.

The knowledge gained in this chapter will prepare you to answer any questions relating to Exam Objective 4.2 in your CompTIA Security+ certification exam.

The next chapter will be Chapter 16, Explain various activities associated with vulnerability management.

The following objective breakdown is provided to explain the security implications of proper hardware, software, and data asset management:

• Acquisition/procurement process: Purchasing of new equipment
• Assignment/accounting:
  • Ownership: Establishing clear ownership of assets
  • Classification: Categorizing assets for security management
• Monitoring/asset tracking:
  • Inventory: An up-to-date record of assets
  • Enumeration: Identifying and tracking all assets
• Disposal/decommissioning:
  • Sanitization: Safely wiping data from retired assets
  • Destruction: Properly disposing of obsolete assets
  • Certification: Verifying secure asset disposal
  • Data retention: Managing data storage for compliance

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

1. You have just received a shipment of 10 desktop computers from a third-party vendor. However, these computers are no longer operational, and the vendor wants to use your company to dispose of the computers securely. What is the MOST essential action you need to carry out in this situation?
   1. Pay for the destruction
   2. Obtain a destruction certificate
   3. Develop a maintenance schedule for the computers
   4. Remove them from your inventory list of computers
2. In a top-secret government facility, an intelligence officer needs to dispose of classified documents that contain highly sensitive information...