Asset Management – CompTIA Security+ SY0-701 – 4.2

An important part of IT security is the management of hardware and software. In this video, you’ll learn best practices for the procurement process, asset tracking, media sanitization, physical destruction, and more.


Every organization has a formal process for acquiring goods and services from third parties. This is part of the purchasing process. And it’s often a very formal process which requires sign-off and approval by a number of different parts of your organization.

This process usually starts with the end user. They may have a particular software or hardware requirement, and they’ll work with the information technology group and the purchasing department to obtain those goods or services. This usually involves an analysis of the budget to determine whether that particular department can afford to purchase that particular product and, of course, formal approvals by individuals in IT, the purchasing department, and most likely the management of the company.

This process will probably require some type of negotiation with the supplier to be assured that the organization is getting the best price for what they’re purchasing. This usually involves a back and forth process between the organization and the supplier as they negotiate pricing, any terms of licensing, and any particular contract details.

Once the negotiations are complete, the actual purchase can be made. This usually starts with the supplier providing the goods or services, and then once those goods or services are delivered, they will provide an invoice for the cost.

There are usually terms associated with the invoice. Those terms may require the company to pay the entire amount of the invoice in full immediately upon receiving the goods. Or, there might be a time frame, such as 30 days or 60 days, before the company must pay that invoice in full.

If the company is purchasing a tangible product, they’ll receive those goods and then add them to a central asset tracking system. This is a way to manage all of the assets received by the company and be able to track them for the entire life cycle of that particular product.

The first step is understanding who has control of that particular asset and their assigned ownership in this asset tracking system. So if someone receives a laptop, the laptop is put under their name. And if we need to make any changes or updates to that laptop, we visit that user to be able to gain access to the asset.

Our asset tracking system will allow us to designate the type of device this might be, so we can call it a laptop, a desktop, a mobile device or any other type of system. We also then need to determine whether this is hardware or whether this is software. This not only allows us to recognize what type of asset this might be, but it also allows us to understand the tax liability for these different types.

For example, hardware is a capital expenditure and there may be depreciation that is taken on the hardware, and that affects the taxes associated with that asset. Software, however, doesn’t generally depreciate, so this is purely an operating expense and it’s taxed differently than a capital expense.

Our asset tracking system is not only used when we purchase the product, but we also use it for the entire life cycle of that product to inventory, understand where the product happens to be, and provide some type of tracking for the product. For example, you may be able to pull an inventory of the devices on your network to understand where all of the laptops, the routers, all of the cables might be, and every other hardware component associated with these devices.

This is also very useful for our help desk. Not only can they associate a user with a particular help desk ticket, they can populate that ticket with detailed information about the device make and model so that the technician knows exactly what they’re looking for when they start working on this ticket. The asset tracking system also allows the enumeration of these devices.

For example, a desktop computer is more than just one computer. Inside of that device are a CPU, memory, and storage drives, and attached to it are keyboards, mice, and other peripherals. Our asset tracking system allows us to see it as a single entity or to understand what those individual components might be inside of that device.

And to provide additional identification of the device, we might include an asset tag that we can physically attach to the device. Not only does this tag allow us to associate a particular number or barcode with a device, having that label on the physical device can also act as a security feature should this device become lost or stolen.

There may be times when we need to reuse a particular device. And this can be a bit of a challenge if there is a storage drive on that device. We may need to remove all of the company data from that device and ensure that no one could ever recover that data, especially if we’re decommissioning or giving this device away.

There are different ways to sanitize the media on these devices, depending on what you’re planning to do with that device. For example, if you’re planning to completely dispose of this device and send it for recycling, we may want to delete everything that’s on that storage drive. But if we’re planning to use this device internally for another employee, we may only need to delete certain files that might be sensitive on that device.

If we are planning to reuse these storage drives, the goal is to use a utility that can securely delete the information on these devices. That would mean that no one would be able to recover that data. Once the secure delete is complete, that information is no longer accessible. This allows us to reuse these devices with the same storage drives, which means that we can allow others in the organization to make use of that asset without worrying that sensitive data might be seen by others.

If we want to guarantee that the data on that hard drive will never be seen by anyone again, then we may want to physically destroy the drive. One way to do this is by using a shredder or industrial pulverizer that will completely destroy the drive. If you only have a few drives that you need to physically destroy, you can probably do this yourself with a drill or a hammer. Once you put holes into these drive platters, there’s no way to recover the data that was on those storage drives.

If you want to render a hard drive unusable and destroy all of the data on that drive, you can degauss the drive. This uses a strong electromagnetic field to be able to delete all of the data on that drive. And if it’s a hard drive, it will render that drive unusable. And in some cases, an organization may choose to incinerate all of these storage drives, which will definitely ensure that no one would be able to use that drive again.

Some organizations, though, have hundreds or even thousands of devices that they might be retiring, and they need to make sure that all of those drives are completely destroyed. But they don’t have time to destroy thousands of drives themselves, so they’ll contract with a third party that specializes in drive destruction.

This usually involves more than simply handing drives off to a third party. That third party has to not only destroy the drives but they need to provide a confirmation that the drives are indeed now destroyed. This confirmation is commonly referred to as a certificate of destruction. This certificate provides a confirmation that all of the drives that you’ve given to a third party have now been completely destroyed and now you know that all of that data is no longer accessible.
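A certificate of destruction is only useful if it is checked against what was actually handed over. The following added example (not part of the original video or transcript) reconciles an asset-tracking export against the serial numbers on a vendor's certificate; the CSV layouts, column names, and all sample records are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: asset-tracking export of drives released to the vendor.
HANDED_OFF_CSV = """asset_tag,drive_serial,owner
A-1001,WD-ABC123,j.smith
A-1002,ST-9F00121,m.jones
A-1003,WD-ABC777,k.lee
A-1004,TS-55X0012,r.patel
"""

# Constructed sample: serials listed on the vendor's certificate of destruction.
CERTIFICATE_CSV = """drive_serial,method,destroyed_on
wd-abc123,shred,2024-05-02
ST 9F00121,shred,2024-05-02
TS-55X0012,degauss,2024-05-02
ZZ-0000001,shred,2024-05-02
"""

def normalize(serial):
    """Fold case and drop separators so 'ST 9F00121' matches 'ST-9F00121'."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def reconcile(handed_off_csv, certificate_csv):
    """Compare drives released for destruction with those the certificate lists."""
    released = {normalize(row["drive_serial"]): row["asset_tag"]
                for row in csv.DictReader(io.StringIO(handed_off_csv))}
    certified = {normalize(row["drive_serial"])
                 for row in csv.DictReader(io.StringIO(certificate_csv))}
    return {
        # Released drives with no proof of destruction: follow up with the vendor.
        "unconfirmed": sorted(tag for s, tag in released.items() if s not in certified),
        # Certified serials we never released: vendor mix-up or inventory gap.
        "unexpected": sorted(certified - set(released)),
        # Released drives the certificate accounts for: safe to close out.
        "confirmed": sorted(tag for s, tag in released.items() if s in certified),
    }

if __name__ == "__main__":
    for status, items in reconcile(HANDED_OFF_CSV, CERTIFICATE_CSV).items():
        print(f"{status}: {items}")
```

Any asset left in `unconfirmed` should stay open in the asset tracking system until the vendor accounts for it.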

Just as there are times when we need to destroy data, there are also times when we need to be sure that we retain data. This data retention might involve the original data sources, any copies of those data sources, backups of the data, and any other place where that data may be stored in the organization.

Depending on the rules and regulations associated with your organization, there might be a mandate to provide data retention. For example, certain organizations are required to keep emails for a certain number of years, or there might be financial data that needs to be stored for a certain amount of time. There are usually a set of policies and procedures that are specifically written with data retention in mind, especially if it’s an organization that is mandated to keep that data.

Retaining data might also be a best practice for your organization. For example, you might tie this into your backup policy in case there’s data that’s accidentally deleted. And, of course, if you need to declare a disaster and move all of your data to another location, you’ll have that data retained to bring it up and running at that new site. Different types of data may require different types of retention. So you need to know exactly what data you’re working with, what the requirements are for retaining that data, and make sure that all of the proper procedures are in place to provide the right type and length of data retention.