Cybersecurity Asset Management

Hacker in a hooded sweatshirt looking at a laptop with a padlock on top of the image.

Background

Cybersecurity begins with knowing what assets are owned and managed by an organization. Information technology assets can take many forms — from traditional computer workstations to servers, where each asset has a name and an IP address.

Many cybersecurity-related risks can be traced back to poor asset management. Unknown devices on a network will not receive updates or patches — leaving the devices vulnerable to unwanted exposure to malware or hacking attacks.

Information technology administrators cannot expect to securely maintain their assets if they do not have proper asset management. For this reason, many leading practices list asset management as the first step in a cybersecurity strategy.

The most common framework is the National Institute of Standards and Technology’s Cybersecurity Framework, as shown in Figure 1.

National-Institute-of-Standards-and-Tecnologys-Cybersecurity-Framework.jpeg

Why this matters

Cybersecurity begins with knowing what assets are owned and managed by an organization. Information technology assets can take many forms — from traditional computer workstations to servers, where each asset has a name and an IP address.
 
Many cybersecurity-related risks can be traced back to poor asset management.
 
Asset management is complex. An organization’s asset management system should include all devices: traditional workstations and servers, networking devices, cloud-based systems, cloud-based applications, vendor-managed systems, employees’ personal devices used for work purposes, and physical security devices such as badge readers and cameras.

Recommendations

This assessment found some areas of strength and some areas that need improvement. Because of the information security sensitivities involved with this assessment, these issues have been communicated separately to the city agency for their remediation.

Auditor's Letter

June 17, 2021


On behalf of the Auditor’s Office, Cornerstone Partners LLC conducted a cybersecurity assessment of an agency within the City and County of Denver. This assessment found some areas of strength and some areas that need improvement. Because of the information security sensitivities involved with this assessment, these issues have been communicated separately to the city agency for their remediation.

This assessment is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.”

We extend our appreciation to the city personnel who assisted and cooperated with us and Cornerstone Partners

Denver Auditor,

Auditor's Signature
Timothy O'Brien, CPA

Follow-up

A follow-up report is forthcoming.


 


 

Tim_mug.png

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor



Denver Auditor´s Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org 
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter
Read our social media policy

Auditor´s Office Logos for Footer