Context

Purpose

To effectively manage IT and Cybersecurity risk, it is essential for organisations to continuously maintain visibility of their IT infrastructure and applications and manage the full asset lifecycle from planning, through acquisition and operation, to disposal. This document provides recommended best practices for Victorian government entities to adopt in this regard.

Audience

This guidance is targeted at department and agency:

CIO’s (Chief Information Officers)
CISO’s (Chief Information Security Officers)
Cyber Security Practitioners
IT Asset Owners/Custodians
Application Managers/Product Managers
IT Asset Management Steering Committees/Governance Board Members
IT Asset Managers
IT Infrastructure/Operations Managers and Team Leads
Enterprise Architects

and assumes a basic knowledge of IT operational processes.

Resources

The following resources are associated with this guidance. Please contact the Cyber Security Branch at vicgov.ciso@dpc.vic.gov.au to access the following resources:

Title	Description
AMAF 41 Processes - IT Asset Class Considerations	Excel Spreadsheet - Commentary on how the asset-generic AMAF processes can be interpreted in an IT asset context.
WoVG IT Asset Management Data Dictionaries	Excel Spreadsheet - Recommended standardised fields that can be used to capture Application and Infrastructure data in a CMDB.
WoVG IT Asset Management Cybersecurity KPIs	Excel Spreadsheet - A list of example KPIs that can be applied to IT Asset management to ensure the maintenance of good cybersecurity.

Benefits

Cybersecurity

Good IT asset management contributes directly to better cybersecurity in an organisation. Regularly performing IT asset management processes such as updating asset registers, replacing assets before end of life, patching systems, monitoring systems, and securely disposing of storage results in a significantly improved organisational security posture.

Cyber security issues that can occur when IT assets are not well managed include:

Data being stolen from unpatched IT assets or lost IT assets
Unmaintained IT assets being encrypted by ransomware
Unused assets being repurposed as internal attack platforms
Malicious actors making unmaintained assets unavailable for normal business use
Unmaintained assets become unavailable due to lack of maintenance
Lack of basic (e.g. Essential 8) operating system cybersecurity controls leading to avoidable breaches
An inability to map often urgent threat intelligence to specific IT assets
An inability to prioritise IT asset maintenance activities and budget based on risk
Unknown risk visibility and risk exposure of the IT asset fleet, including asset end-of-life
An inability to detect rogue, malicious and unsanctioned IT assets
Insecure disposal of IT assets resulting in data leakage
Difficulties attracting and retaining staff to perform important but sometimes mundane/repetitive IT asset maintenance activities
Higher cyber insurance (re)insurance premiums due to an inability to demonstrate good asset management and basic cybersecurity hygiene
An inability to assess the adverse impact of aging IT assets on cyber risk and business productivity, resulting in suboptimal planning for timely disposal and replacement

Financial Benefits

In addition to these cybersecurity-related problems, poor IT asset management can also result in financial inefficiency, for example:

Duplicate contracts, over licensing and overprovisioning of IT assets within an organisation
Lack of all-of-government contracts/efficiency of scale, due to lack of IT asset visibility
Unused assets creating unnecessary ongoing costs and non-strategic budget spend
Inefficient cost optimisation/asset utilisation
Service continuity/supportability issues

Note that financial benefits are not directly addressed by this guidance. Improving IT asset management for cybersecurity reasons lays the groundwork for an organisation to realise financial benefits more easily through additional improvement activities.

Regulatory Requirements

The following regulatory requirements apply to IT asset management for many Victorian Government departments and agencies:

Asset Management Accountability Framework 2016 (DTF)

41 Mandatory Requirements
Optional Guidance
Self-assessment every three years

Victorian Protective Data Security Standard v2.0 (OVIC)

"The organisation manages all ICT assets (e.g. on-site, and off-site) throughout their lifecycle" [E11.020]

Scope

Agency Scope

This guidance applies to all Victorian Public Service departments and agencies, including the Health, Water, Education, Justice and Local Government sectors. Note that even though some agencies are not covered by the Financial Management Act mandating AMAF, or be required to comply with VPDSS or Essential 8, they may still wish to follow this guidance as a collection of best practices.

In Scope IT Assets

The following IT assets are in scope of this guidance:

Servers (virtual and physical)
Applications (client-side, on prem/data centre and cloud-hosted)
Database systems and Middleware
Network appliances (Wi-Fi access points, firewalls, switches, routers, bridges, gateways, modems, repeaters, hubs etc)
PCs (laptops and desktops)
Mobile devices/Smartphones/Tablets/SIM cards issued by department/agency
Business critical IP phones and phone lines, cloud phone systems
Networked Multifunction Devices/Printers/Scanners/Faxes
Security Certificates
Cloud applications (SaaS)
Cloud platforms (PaaS)
Cloud infrastructure (IaaS)
Outsourced/Third Party Hosted/Managed Services IT assets (delegated IT asset management responsibility)
IoT/embedded systems/electronic medical devices (if relevant to the organisation)

Out of Scope IT Assets

The following are out of scope of this guidance:

Keyboards and pointing devices (e.g. mice)
Monitors
Data Centres
Information/Data Assets (this is covered by OVIC’s VPDSS Framework)
Data retention and archiving
IT Contracts
IT Financial Management (including depreciation)
Linking IT assets to Business Processes
Linking IT assets to Business or public services

Updated 5 July 2023