Chapter 81 · Concepts

Asset Management — Concept Maps

Structured breakdowns and comparisons for procurement workflow, asset tracking, sanitization methods, physical destruction, and data retention.

Procurement Workflow — Five Stages in Order
StageWho ActsWhat HappensKey Output
1. User Request Employee or department Documents the need: technical specifications, business justification, budget source, manager approval Formal purchase request with approvals
2. IT and Purchasing Review IT department + purchasing/finance Evaluates technical fit, budget availability, existing contracts, and preferred vendor lists Approved or rejected request; vendor selection
3. Supplier Negotiation Purchasing department + vendor Negotiates pricing, delivery schedule, licensing terms, warranty, SLA obligations Agreed contract or purchase terms
4. Purchase and Delivery Purchasing department Generates purchase order; vendor delivers goods or activates services Delivered assets + vendor invoice
5. Invoice and Payment Finance / accounts payable Processes payment per invoice terms (immediate, net-30, net-60); records in financial system; assets logged into tracking system Payment confirmation + asset record created
Asset Classification — Hardware vs. Software
PropertyHardware AssetsSoftware Assets
ExamplesServers, laptops, routers, switches, storage drives, printersOS licenses, application licenses, SaaS subscriptions, cloud service contracts
Financial treatmentCapital expenditure (CapEx) — one-time purchase of a long-lived physical assetOperating expenditure (OpEx) — ongoing business expense (subscription, license fee)
DepreciationYes — value declines over time per depreciation schedule; affects tax liability each yearGenerally no — expensed in the period incurred; not depreciated
Asset tagYes — physical tag attached to deviceNo physical tag; tracked by license key, subscription ID, or software record
Disposal considerationMedia sanitization + physical destruction + certificate of destructionLicense termination, deactivation, key destruction/deletion
Asset Tracking Components — Three Layers
LayerWhat It TracksTool / MethodSecurity Benefit
Inventory Every asset in the organization: all devices by type, make, model, location, assigned user Asset management software (ServiceNow, Snipe-IT, Lansweeper); network scanning tools Cannot secure what you don't know you have; inventory drives patch and vulnerability management
Enumeration Individual components within each asset: CPU, RAM, storage, peripherals, installed software Agent-based discovery tools; configuration management databases (CMDB) Supports precise troubleshooting, accurate replacement, detailed security assessment; identifies unsupported components
Asset Tags Physical identity — links the physical object to its database record Barcode labels (handheld scanner), RFID tags (passive or active), visible tracking numbers Rapid physical inventory; theft deterrence; chain-of-custody for disposal
Media Sanitization Methods — Capability and Use Case
MethodHow It WorksDrive Usable After?Works on SSDs?Best For
Secure overwrite Software overwrites all sectors with random data; prevents recovery Yes — drive fully functional Partial — may miss wear-leveling areas; crypto erase preferred Reuse by another employee; resale; donation
Drilling / Hammering Physical puncture or deformation of storage platters No Yes — destroys flash chips physically Small quantities; quick on-site destruction; no specialized equipment
Shredding / Pulverization Industrial machinery reduces drives to fragments No Yes Large volumes; high assurance; third-party destruction services
Degaussing Strong electromagnetic field erases magnetic patterns; also destroys servo tracks No — drive mechanically disabled by loss of servo tracks No — SSDs use flash memory, not magnetic storage; degaussing has no effect HDD-only environments; adds to physical destruction workflow for HDDs
Incineration High-temperature destruction; reduces media to ash No Yes Classified/government data; highest-assurance requirement; no fragment survivability
Certificate of Destruction — What It Contains and Why It Matters
ElementWhat It IncludesWhy It Matters
Device identificationSerial numbers of each destroyed drive, matched against asset inventoryProves specific drives were destroyed, not substituted or diverted; weak certs list only quantities
Destruction methodShredding, degaussing, incineration, or combinationConfirms method appropriate for data sensitivity level; regulatory requirements may specify methods
Date and locationDate destruction occurred; facility address or on-site locationCreates timestamped chain of custody; establishes when data became inaccessible
Vendor authorizationTechnician/supervisor name, vendor signature, company sealAccountability for the destruction process; legally binds vendor to the statement
Compliance useReferenced in compliance audits (HIPAA, PCI DSS, SOX)Demonstrates due diligence in data disposal; supports audit defense and regulatory reporting
Data Retention — Three Drivers with Examples
DriverRequirement TypeData ExamplesConsequence of Failure
Regulatory compliance Mandatory minimum retention period set by law or regulation HIPAA: patient records (varies by state; 6-10 years). SOX: financial records (7 years). SEC/FINRA: trade records and emails (3-7 years depending on type). GDPR: limits unnecessary retention Regulatory fines, legal sanctions, loss of operating licenses, evidence spoliation in litigation
Operational recovery Best practice retention to support business continuity Daily backups retained 30 days (accidental deletion recovery). Weekly archives retained 1 year. Disaster recovery copies at alternate site. System logs retained 90 days (security analysis window) Inability to recover deleted data; inability to restore after disaster; gap in incident investigation timeline
Data type differentiation Different categories have different retention requirements Executive emails vs. break room scheduling emails. Financial transaction logs vs. operational logs. Medical records vs. marketing materials Retaining everything forever: storage cost, increased breach exposure. Blanket deletion: regulatory violation, recovery failure