CIS Controls Enterprise Asset Management Policy Template

When implementing a security framework, many security controls start with creating a policy. This gives an enterprise a document to work from, a reference to look back on, and an avenue to enforce the policy. After all, it is difficult to enforce a policy that is not written down.

In this way, information security policies are the cornerstone of a cybersecurity program. But they are rarely one large document that covers multiple topics. Instead, they often form a large collection of individual documents. Additionally, many security frameworks recommend or require different types of policies to be created, implemented, and enforced within an enterprise.

Enterprise Asset Management as a Starting Place

The CIS Critical Security Controls (CIS Controls) recommend several policies that an enterprise should have in place. The first of many policies we are working on, Enterprise Asset Management Policy, is meant as a “jumping off point” for enterprises that need help drafting their own enterprise asset management policy.

Enterprise asset management is the process of procuring, identifying, tracking, maintaining, and disposing of an asset owned by an enterprise. Enterprise asset management is a difficult problem for an enterprise of any size. New assets are constantly acquired, others are retired, and many others are simply lost. With work from home becoming more prominent, enterprise assets may also disappear from the main enterprise network, only to reappear months later or never again. Additionally, there are multiple types of enterprise assets that often need to be managed differently.

How To Use The Policy

To implement an effective enterprise asset management process, enterprises should build a solid foundation which starts with a good, working policy. They can choose to create their policy on their own. Alternatively, they can use a policy template to streamline the process.

Our policy template, Enterprise Asset Management Policy, is meant to supplement the CIS Controls v8. The policy statements included within this document can be used by all CIS Implementation Groups (IGs), but they are specifically geared towards Safeguards in IG1. IG1, commonly referred to as essential cyber hygiene, represents a minimum standard of information security for all enterprises. It's a recommended starting point for an enterprise of any size.

Get started laying a secure foundation of essential cyber hygiene with the CIS Controls.



Future versions of this template will expand the scope to both IG2 and IG3 Safeguards.

Looking to get a head start on creating policy templates for your enterprise? Download the Enterprise Asset Management Policy today.