SRC Blog - SRC Security Risk Compliance GmbH

Part 1: Structure analysis for IT asset management

Written by Dr. Jaber Kakar | 11/23/21 11:11 AM

Digitalization is omnipresent and affects businesses of all kinds, financial institutions in particular. With their customers leading the way in digitalization, financial institutions are competing in the digital transformation arena. At the same time, financial enterprises are heavily exposed to a wide range of regulations, and as digital technologies become more pervasive, information security risks increase. A major hurdle of digital transformation in the financial industry is therefore to reconcile rapid digital transformation with information security and regulatory compliance, and to make that reconciliation as efficient as possible.

What does the reconciliation process look like? In this blog series, we will discuss the main steps towards a fully digitized information security framework. Let's start with part 1 or rather step 1 of this process.

Understand your assets that need protection

Information security cannot begin until you have a clear understanding of what is security-relevant or worth protecting. But how exactly do you develop this understanding? In short and simple terms:

Understand your business processes and the data processed or generated in these processes. 

In particular, the relevance of the data to legal requirements, including but not limited to the General Data Protection Regulation (GDPR), matters here. Our consultants provide broad and deep expertise in globally recognized standards, such as ISO 27001, NIST, and SOC 2, that will help you with this analysis. But why is this so-called structural analysis necessary?

The structural analysis creates transparency and provides you with the basis for increasing automation as part of your efforts in maintaining a high level of information security. 

Complex relationships between assets, sometimes previously unknown to your organization, are thus identified and documented. A database serves as the basis for displaying exactly these complex relationships. We have the necessary experience in the construction of a complete, accurate mapping of the asset network as part of the aforementioned database, the so-called configuration management database (CMDB). 

A configuration management database (CMDB) is used by an organization to store information about hardware and software assets, often referred to as configuration items (CIs). It is useful to break down CIs into logical layers. This database acts as a data warehouse for the organization by storing information regarding the relationships among its assets. The CMDB provides a means of understanding the organization's critical assets and their relationships, such as IT systems and the dependencies between CIs.

According to ITIL 4, CIs are all components that need to be managed to provide an IT service. The latest digital technologies are used for CMDBs so that maintenance-intensive and non-automated spreadsheet-based solutions (e.g., Excel) become fully obsolete.

Properties of a CMDB

Now that we know what a CMDB is for and how it relates to IT asset management, we can derive the key functional characteristics of a CMDB.

1. Seamless dashboards with CI metrics and analytics that make it easy to track the health of CIs, their relationships, the impact of changes that lead to incidents or problems, and the effort in terms of money and resources to build and manage each service within an organization.

2. Compliance functions: This refers to the ability of auditors to obtain detailed records and transparent insights into not only the current state of CIs but also their past changes, audits, incidents, etc.

3. Creation of CIs and the timely updating of relevant data: Support for (a) manual inputs, (b) integrations (API-driven, SCCM), and (c) discovery tools that perform automated scans of all IP addresses on an organization's network to gather software and hardware information and effectively capture the inventory of every physical and virtual device in the enterprise.

4. Support for federated data sets, including normalization and reconciliation of CIs and their data.

5. IT service mapping in the form of a graphical representation of relationships and dependencies.

6. Access controls that allow different people or teams to be assigned different levels of access as needed and track changes back to their origin when issues or incidents arise.
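A small in-memory model of the CMDB described above, as an added example that is not part of the original post and not SRC's tooling: it shows CIs in logical layers, dependency relationships with transitive impact analysis (item 1), an audit trail of who changed what (items 2 and 6), and reconciliation of a federated data set such as a discovery scan by normalized hostname (items 3 and 4). All CI identifiers, hostnames and scan records are constructed sample data.

```python
"""Minimal CMDB: layered CIs, dependency graph, impact analysis, audit trail,
and reconciliation of a federated inventory. All data below is constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CI:
    ci_id: str
    name: str
    layer: str                      # logical layer, e.g. "service", "application", "server"
    attributes: dict = field(default_factory=dict)


class CMDB:
    def __init__(self):
        self.items = {}        # ci_id -> CI
        self.dependents = {}   # ci_id -> set of CI ids that depend on it
        self.audit_log = []    # (actor, action, detail), oldest first

    def _log(self, actor, action, detail):
        self.audit_log.append((actor, action, detail))

    def add_ci(self, ci: CI, actor: str) -> None:
        if ci.ci_id in self.items:
            raise ValueError(f"duplicate CI id {ci.ci_id}")
        self.items[ci.ci_id] = ci
        self.dependents.setdefault(ci.ci_id, set())
        self._log(actor, "create", ci.ci_id)

    def add_dependency(self, dependent: str, provider: str, actor: str) -> None:
        """Record that `dependent` needs `provider` (e.g. application -> database server)."""
        for cid in (dependent, provider):
            if cid not in self.items:
                raise KeyError(f"unknown CI {cid}")
        self.dependents[provider].add(dependent)
        self._log(actor, "link", f"{dependent} depends on {provider}")

    def impacted_by(self, ci_id: str) -> set:
        """Transitive set of CIs affected by a change to ci_id (breadth-first walk)."""
        seen, queue = set(), deque([ci_id])
        while queue:
            for dep in self.dependents.get(queue.popleft(), ()):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
        return seen

    @staticmethod
    def normalize_hostname(raw: str) -> str:
        # Normalization step of reconciliation: case and trailing-dot differences
        # between sources must not produce duplicate CIs.
        return raw.strip().lower().rstrip(".")

    def reconcile(self, source: str, records: list, actor: str) -> dict:
        """Merge records (each with a 'hostname' key) from a federated source.

        Known hosts are matched by normalized hostname and updated where attributes
        differ; unknown hosts become new 'server' CIs. Returns change counts."""
        by_host = {self.normalize_hostname(ci.attributes["hostname"]): ci
                   for ci in self.items.values() if "hostname" in ci.attributes}
        stats = {"created": 0, "updated": 0, "unchanged": 0}
        for rec in records:
            host = self.normalize_hostname(rec["hostname"])
            incoming = {k: v for k, v in rec.items() if k != "hostname"}
            ci = by_host.get(host)
            if ci is None:
                ci = CI(f"srv-{host.split('.')[0]}", host, "server",
                        {"hostname": host, "source": source, **incoming})
                self.add_ci(ci, actor)
                by_host[host] = ci
                stats["created"] += 1
                continue
            changed = {k: v for k, v in incoming.items() if ci.attributes.get(k) != v}
            if changed:
                ci.attributes.update(changed)
                self._log(actor, "update", f"{ci.ci_id} via {source}: {sorted(changed)}")
                stats["updated"] += 1
            else:
                stats["unchanged"] += 1
        return stats


def build_sample_cmdb() -> CMDB:
    """Constructed sample: one service, one application, two servers."""
    cmdb = CMDB()
    cmdb.add_ci(CI("svc-online-banking", "Online banking", "service"), "alice")
    cmdb.add_ci(CI("app-core", "Core banking app", "application"), "alice")
    cmdb.add_ci(CI("srv-db-01", "db-01", "server",
                   {"hostname": "db-01.example.internal", "os": "RHEL 8"}), "bob")
    cmdb.add_ci(CI("srv-web-01", "web-01", "server",
                   {"hostname": "web-01.example.internal", "os": "RHEL 8"}), "bob")
    cmdb.add_dependency("svc-online-banking", "app-core", "alice")
    cmdb.add_dependency("app-core", "srv-db-01", "alice")
    cmdb.add_dependency("app-core", "srv-web-01", "alice")
    return cmdb


# Constructed output of a discovery scan: one OS change, one cosmetic hostname
# difference, one host the CMDB has never seen.
DISCOVERY_SCAN = [
    {"hostname": "DB-01.example.internal", "os": "RHEL 9"},
    {"hostname": "web-01.example.internal.", "os": "RHEL 8"},
    {"hostname": "batch-01.example.internal", "os": "Ubuntu 22.04"},
]

if __name__ == "__main__":
    db = build_sample_cmdb()
    print("impacted by srv-db-01:", sorted(db.impacted_by("srv-db-01")))
    print("reconcile:", db.reconcile("discovery", DISCOVERY_SCAN, "scanner"))
    for entry in db.audit_log:
        print(entry)
```

The impact query walks the dependency graph upward, so a change ticket on the database server immediately lists the application and the customer-facing service it would affect; the reconciliation pass shows why normalization matters, since the trailing-dot hostname from the scan would otherwise create a duplicate server CI.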