Since both Windows 7 and Server 2008 R2 will reach end-of-life support in January of 2020, many organizations have already made the jump to Windows 10 and Windows Server 2012, 2016, 2019, or Azure. If you have full control over the asset lifecycle management process for your financial institution you may have already completed this conversion and are working through the headache of teaching your end users the nuances of Windows 10. Because of the complexity of the conversion process (particularly at the server level), we have also started to see trends in outsourcing more information technology tasks to external technology service providers (TSPs). No matter where your financial institution may fall on this DIY to outsourced spectrum, it’s critical to have a well-defined asset lifecycle management process.
Defining Asset Lifecycle
Let’s start by unpacking the asset lifecycle to understand why the process is so important that an entire contributing component of the FFIEC Cybersecurity Assessment Tool and a section of the FFIEC Information Security IT Handbook are dedicated to IT asset management.
NIST condenses the typical asset lifecycle to three phases: enrollment, operation, and end-of-life.
Similarly, the FFIEC defines the lifecycle process as “The multistep process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.” For the purposes of this article, we’ll use the 3-phase NIST definition, and assume that the enrollment phase includes initiation, analysis and design; operation includes implementation and maintenance; and end-of-life includes disposal.
The enrollment phase will include planning for new IT assets, procuring those assets, and configuring them for production environments. The operations phase determines how IT assets are maintained and the specific policies that provide structure for performing changes or modifications to them. As IT assets reach the end-of-life phase, they must be properly decommissioned and disposed.
If you’re working with a TSP in this area, this vendor will likely procure and pre-configure the new assets and may even perform the implementation for you. It is important to ensure the service provider is aware of your policies (including your IT risk appetite), and that they will abide by them and follow financial industry best practices. The TSPs should also be able to provide you with a baseline configuration, or checklist for the newly introduced IT assets, to prove that they have been pre-configured to your security specifications. Your own internal asset lifecycle management policy should include receiving this information from your TSP prior to new assets being implemented into your infrastructure.
FFIEC guidance requires IT assets to be both inventoried and classified according to the type of data they will store or process. Classification should be tied to sensitivity and criticality. Sensitivity is typically expressed as private (customer NPI), confidential (non-NPI FI information such as HR records, strategic plans, etc.), and public. Criticality is usually inherited from the process the asset is utilized for, expressed as the recovery time objective for the underlying process.
As technology changes, we are seeing fewer barcodes for physical asset inventories and more Excel spreadsheets containing printer, server, and workstation inventory information. Many TSPs provide an automated central management solution for assets that greatly reduces the overhead of manually managing so many devices. The routine (daily, monthly, quarterly) maintenance for IT assets should also be documented in the asset lifecycle management policy. These tasks make up the NIST operation phase and should be documented: software and OS patching, AV/anti-malware updates, data backups, etc.
Destruction and Disposal
A lot of emphasis is placed on the introduction of new IT assets and on their support and maintenance throughout their operation, but it is equally important to include destruction and disposal procedures for these assets as they reach the end of their lifecycle. When a system reaches End-of-Life, its vendor no longer provides critical security updates or support for those devices, and any newly discovered vulnerabilities remain exposed to exploitation. If a TSP assists with decommissioning these devices, their disposal practices should be reviewed and determined to align with your own policies, based on the classification of the assets and the retention period for the data. Any devices that house non-public or confidential information should be securely erased or destroyed to ensure the contents are not recoverable, and if this process is outsourced, the TSP should be able to provide validation of this process.
Occasionally, there is a legitimate business need to continue using hardware or software that has reached End-of-Life support. A risk assessment should be performed, and any compensating controls implemented and documented. If residual risks are still too high, this may include segmenting the asset from the rest of the network to limit the risk exposure.
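The inventory, classification and End-of-Life handling described above can be expressed as a small, queryable model. The following is an added example, not code from the original article or from any FFIEC or NIST publication: it records each asset's sensitivity (private, confidential, public), inherits criticality from the recovery time objective of the business processes the asset supports, flags assets that are past or approaching the vendor's end of support, and states the disposal requirement for decommissioning. The asset tags, process names, RTO values and most dates are constructed sample data; the only real date is the Windows 7 end-of-support date, 14 January 2020, which the article refers to.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Sensitivity labels as the article describes them; lower rank = more sensitive.
SENSITIVITY_RANK = {"private": 0, "confidential": 1, "public": 2}

# Review date for the sample run (constructed).
AS_OF = date(2019, 10, 1)


@dataclass
class Process:
    """A business process; its RTO drives the criticality of the assets it relies on."""
    name: str
    rto_hours: int


@dataclass
class Asset:
    tag: str
    kind: str                              # workstation, server, printer ...
    sensitivity: str                       # private / confidential / public
    processes: List[Process] = field(default_factory=list)
    end_of_support: Optional[date] = None  # vendor-announced end of support; None if not recorded
    segmented: bool = False                # compensating control: isolated network segment

    def __post_init__(self) -> None:
        if self.sensitivity not in SENSITIVITY_RANK:
            raise ValueError(f"{self.tag}: unknown sensitivity {self.sensitivity!r}")


def criticality_rto(asset: Asset) -> Optional[int]:
    """Criticality is inherited from the most demanding (lowest RTO) process the asset supports."""
    if not asset.processes:
        return None
    return min(p.rto_hours for p in asset.processes)


def eol_status(asset: Asset, today: date, warn_days: int = 180) -> str:
    """Classify an asset against its vendor end-of-support date."""
    if asset.end_of_support is None:
        return "unknown"
    if asset.end_of_support <= today:
        return "end-of-life"
    if asset.end_of_support - today <= timedelta(days=warn_days):
        return "approaching"
    return "supported"


def disposal_requirement(asset: Asset) -> str:
    """Devices holding non-public data must be securely erased or destroyed, with validation if outsourced."""
    if asset.sensitivity in ("private", "confidential"):
        return "secure erase or destroy; retain validation from TSP if outsourced"
    return "standard disposal"


def lifecycle_findings(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset tag, required action) pairs, most critical asset first."""
    findings = []
    for a in assets:
        status = eol_status(a, today)
        if status == "end-of-life" and not a.segmented:
            action = "end-of-life without compensating control: risk assess, then replace or segment"
        elif status == "end-of-life":
            action = "end-of-life with segmentation: document residual risk acceptance"
        elif status == "approaching":
            action = "plan update or replacement before end of support"
        elif status == "unknown":
            action = "record vendor end-of-support date"
        else:
            continue  # supported: no lifecycle action due
        findings.append((a, action))
    # Lowest RTO first, then most sensitive data; assets supporting no process sort last.
    findings.sort(key=lambda f: (criticality_rto(f[0]) if criticality_rto(f[0]) is not None else 10**6,
                                 SENSITIVITY_RANK[f[0].sensitivity]))
    return [(a.tag, action) for a, action in findings]


# Constructed sample inventory; tags, processes and RTOs are made up for this example.
CORE = Process("core banking", rto_hours=4)
PAYROLL = Process("payroll", rto_hours=72)
SAMPLE_ASSETS = [
    Asset("SRV-01", "server", "private", [CORE], end_of_support=date(2015, 7, 14)),
    Asset("WS-042", "workstation", "private", [CORE], end_of_support=date(2020, 1, 14)),  # Windows 7
    Asset("SRV-02", "server", "confidential", [PAYROLL], end_of_support=date(2015, 7, 14), segmented=True),
    Asset("PRN-07", "printer", "public"),  # end of support never recorded
    Asset("SRV-03", "server", "confidential", [PAYROLL], end_of_support=date(2026, 1, 1)),
]

if __name__ == "__main__":
    for tag, action in lifecycle_findings(SAMPLE_ASSETS, AS_OF):
        print(f"{tag}: {action}")
    for a in SAMPLE_ASSETS:
        print(f"{a.tag} disposal: {disposal_requirement(a)}")
```

Run as-is to see the report for the sample inventory; in practice the asset list would be loaded from the spreadsheet or the TSP's central management export, and the report reviewed at each scheduled maintenance interval. The sort order puts the asset that matters most to the business first, which is the order in which the risk assessments and replacement budgets should be prioritised.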
Whether your financial institution manages the entire asset lifecycle process internally, outsources it completely to TSPs, or is somewhere in between, it is critical to have a structured, well-defined plan that follows these assets from planning and implementation through decommissioning and salvage. If you outsource any aspect of this process, a robust ongoing vendor management program is critical in providing a level of assurance and in holding the TSP accountable for its obligations throughout the asset lifecycle management process. Of course, as with all things outsourced, you cannot outsource the responsibility.
Appendix A of the FFIEC IT Handbook provides the examination procedures for establishing an effective lifecycle management policy. Examiners are instructed to do the following:
“Determine whether management plans for the life cycles of the institution’s systems, eventual end of life, and any corresponding business impacts. Review whether the institution’s lifecycle management includes the following:
- Maintaining inventories of systems and applications.
- Adhering to an approved End-of-Life or sunset policy for older systems.
- Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor.
- Planning for the update or replacement of systems nearing obsolescence.
- Outlining procedures for the secure destruction or wiping of hard drives being returned to vendors or donated to prevent the inadvertent disclosure of sensitive information.”