JavaScript is required

Context

Purpose

To effectively manage IT and Cybersecurity risk, it is essential for organisations to continuously maintain visibility of their IT infrastructure and applications and manage the full asset lifecycle from planning, through acquisition and operation, to disposal. This document provides recommended best practices for Victorian government entities to adopt in this regard.

Audience

This guidance is targeted at department and agency:

  • CIO’s (Chief Information Officers)
  • CISO’s (Chief Information Security Officers)
  • Cyber Security Practitioners
  • IT Asset Owners/Custodians
  • Application Managers/Product Managers
  • IT Asset Management Steering Committees/Governance Board Members
  • IT Asset Managers
  • IT Infrastructure/Operations Managers and Team Leads
  • Enterprise Architects

and assumes a basic knowledge of IT operational processes.

Resources

The following resources are associated with this guidance. Please contact the Cyber Security Branch at vicgov.ciso@dpc.vic.gov.au to access the following resources:

Title Description
AMAF 41 Processes - IT Asset Class Considerations Excel Spreadsheet - Commentary on how the asset-generic AMAF processes can be interpreted in an IT asset context.
WoVG IT Asset Management Data Dictionaries Excel Spreadsheet - Recommended standardised fields that can be used to capture Application and Infrastructure data in a CMDB.
WoVG IT Asset Management Cybersecurity KPIs Excel Spreadsheet - A list of example KPIs that can be applied to IT Asset management to ensure the maintenance of good cybersecurity.

Benefits

Cybersecurity

Good IT asset management contributes directly to better cybersecurity in an organisation. Regularly performing IT asset management processes such as updating asset registers, replacing assets before end of life, patching systems, monitoring systems, and securely disposing of storage results in a significantly improved organisational security posture.

Cyber security issues that can occur when IT assets are not well managed include:

  • Data being stolen from unpatched IT assets or lost IT assets
  • Unmaintained IT assets being encrypted by ransomware
  • Unused assets being repurposed as internal attack platforms
  • Malicious actors making unmaintained assets unavailable for normal business use
  • Unmaintained assets become unavailable due to lack of maintenance
  • Lack of basic (e.g. Essential 8) operating system cybersecurity controls leading to avoidable breaches
  • An inability to map often urgent threat intelligence to specific IT assets
  • An inability to prioritise IT asset maintenance activities and budget based on risk
  • Unknown risk visibility and risk exposure of the IT asset fleet, including asset end-of-life
  • An inability to detect rogue, malicious and unsanctioned IT assets
  • Insecure disposal of IT assets resulting in data leakage
  • Difficulties attracting and retaining staff to perform important but sometimes mundane/repetitive IT asset maintenance activities
  • Higher cyber insurance (re)insurance premiums due to an inability to demonstrate good asset management and basic cybersecurity hygiene
  • An inability to assess the adverse impact of aging IT assets on cyber risk and business productivity, resulting in suboptimal planning for timely disposal and replacement

Financial Benefits

In addition to these cybersecurity-related problems, poor IT asset management can also result in financial inefficiency, for example:

  • Duplicate contracts, over licensing and overprovisioning of IT assets within an organisation
  • Lack of all-of-government contracts/efficiency of scale, due to lack of IT asset visibility
  • Unused assets creating unnecessary ongoing costs and non-strategic budget spend
  • Inefficient cost optimisation/asset utilisation
  • Service continuity/supportability issues

Note that financial benefits are not directly addressed by this guidance. Improving IT asset management for cybersecurity reasons lays the groundwork for an organisation to realise financial benefits more easily through additional improvement activities.

Regulatory Requirements

The following regulatory requirements apply to IT asset management for many Victorian Government departments and agencies:

Asset Management Accountability Framework 2016 (DTF)

  • 41 Mandatory Requirements
  • Optional Guidance
  • Self-assessment every three years

Victorian Protective Data Security Standard v2.0 (OVIC)

  • "The organisation manages all ICT assets (e.g. on-site, and off-site) throughout their lifecycle" [E11.020]

Scope

Agency Scope

This guidance applies to all Victorian Public Service departments and agencies, including the Health, Water, Education, Justice and Local Government sectors. Note that even though some agencies are not covered by the Financial Management Act mandating AMAF, or be required to comply with VPDSS or Essential 8, they may still wish to follow this guidance as a collection of best practices.

In Scope IT Assets

The following IT assets are in scope of this guidance:

  • Servers (virtual and physical)
  • Applications (client-side, on prem/data centre and cloud-hosted)
  • Database systems and Middleware
  • Network appliances (Wi-Fi access points, firewalls, switches, routers, bridges, gateways, modems, repeaters, hubs etc)
  • PCs (laptops and desktops)
  • Mobile devices/Smartphones/Tablets/SIM cards issued by department/agency
  • Business critical IP phones and phone lines, cloud phone systems
  • Networked Multifunction Devices/Printers/Scanners/Faxes
  • Security Certificates
  • Cloud applications (SaaS)
  • Cloud platforms (PaaS)
  • Cloud infrastructure (IaaS)
  • Outsourced/Third Party Hosted/Managed Services IT assets (delegated IT asset management responsibility)
  • IoT/embedded systems/electronic medical devices (if relevant to the organisation)

Out of Scope IT Assets

The following are out of scope of this guidance:

  • Keyboards and pointing devices (e.g. mice)
  • Monitors
  • Data Centres
  • Information/Data Assets (this is covered by OVIC’s VPDSS Framework)
  • Data retention and archiving
  • IT Contracts
  • IT Financial Management (including depreciation)
  • Linking IT assets to Business Processes
  • Linking IT assets to Business or public services

Updated