A critical component of your Written Information Security Plan (WISP) is knowing what assets you have and where they are. You can’t protect what you don’t track. Whether it’s a laptop, a cloud-based software account, or sensitive client data, every business must maintain an up-to-date inventory of its information assets to minimize security risks.

Why Asset Tracking Matters

Without a proper asset inventory, businesses face:

  • Data breaches from lost, stolen, or untracked devices.

  • Unauthorized access due to forgotten or orphaned accounts.

  • Compliance failures under the FTC Safeguards Rule and Gramm-Leach-Bliley Act (GLBA), which require businesses to safeguard sensitive data.

By maintaining a clear record of hardware, software, and data assets, you can quickly detect anomalies, manage risks, and respond effectively to security incidents.

What Assets Should You Track?

To create a comprehensive asset inventory, include the following categories:

1. Hardware Inventory

  • Computers, servers, and mobile devices.

  • External storage devices (USBs, hard drives).

  • Networking equipment (routers, firewalls, switches).

  • Office equipment that stores data (printers, scanners, copiers).

2. Software and Cloud Services

  • Licensed software and applications.

  • Cloud storage accounts (Google Drive, Dropbox, OneDrive).

  • Business-critical SaaS platforms (CRM, accounting, email services).

  • Third-party vendor tools that handle customer or financial data.

3. Data Assets

  • Customer records and Personally Identifiable Information (PII).

  • Financial information and payment records.

  • Employee and HR data.

  • Intellectual property and proprietary business information.

Steps to Track and Manage Assets

1. Create an Asset Inventory – Document all hardware, software, and data assets, including their physical location, assigned user, and security classification.

2. Assign Ownership – Every asset should have a designated owner responsible for its security and maintenance.

3. Implement Access Controls – Restrict access to sensitive assets based on job roles and ensure former employees’ access is removed immediately.

4. Use Asset Tagging – Label physical devices and maintain a central database for easy tracking.

5. Regularly Review and Update – Set a schedule to audit and update your inventory, ensuring outdated or unused assets are decommissioned securely.
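The steps above can be checked automatically against the central inventory. The following is an added example, not part of the original post: it audits a constructed CSV inventory for missing fields, assets tied to people who are no longer active, and overdue reviews. The column names, the 90-day review interval, and the employee roster are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_INVENTORY = """asset_id,type,location,assigned_user,owner,classification,last_reviewed
LT-001,laptop,HQ,alice,alice,confidential,2025-01-10
LT-002,laptop,,bob,,internal,2024-06-01
SaaS-CRM,saas,cloud,carol,dave,confidential,2025-02-01
USB-007,usb,HQ,erin,erin,,2025-02-15
"""

REQUIRED = ("location", "assigned_user", "owner", "classification")


def audit_inventory(csv_text, active_users, today, max_age_days=90):
    """Return {asset_id: [findings]} for rows that fail the checks in the steps."""
    findings = {}
    cutoff = today - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Steps 1 and 2: every asset needs location, user, owner, classification.
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                issues.append(f"missing {field}")
        # Step 3: asset still assigned to or owned by someone who has left.
        for field in ("assigned_user", "owner"):
            person = (row.get(field) or "").strip()
            if person and person not in active_users:
                issues.append(f"{field} '{person}' is not an active employee")
        # Step 5: flag records not reviewed within the audit interval.
        reviewed = (row.get("last_reviewed") or "").strip()
        try:
            if date.fromisoformat(reviewed) < cutoff:
                issues.append(f"review overdue (last {reviewed})")
        except ValueError:
            issues.append("missing or invalid last_reviewed date")
        if issues:
            findings[row["asset_id"]] = issues
    return findings


if __name__ == "__main__":
    active = {"alice", "bob", "dave", "erin"}  # constructed HR roster
    report = audit_inventory(SAMPLE_INVENTORY, active, date(2025, 3, 1))
    for asset, issues in report.items():
        print(asset, "->", "; ".join(issues))
```

Running this on a schedule against the real inventory export and the current HR roster turns the periodic review into a list of specific records to fix.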

Integrating Asset Management into Daily Operations

Asset tracking shouldn’t be a one-time task—it needs to be embedded into daily operations:

  • Include asset tracking in HR onboarding and offboarding to assign and revoke access properly.

  • Use automated tracking tools to monitor hardware and software usage.

  • Require employees to report lost, stolen, or outdated assets to prevent security gaps.

Compliance and Documentation

A well-documented asset management process is essential for regulatory compliance and incident response. Your WISP should include:

  • A detailed asset inventory list with assigned users and security levels.

  • Policies for issuing, managing, and retiring assets securely.

  • Guidelines for reporting lost or compromised assets to mitigate risks.

Wrapping Up

Tracking your assets is fundamental to reducing security risks and ensuring compliance. By maintaining a structured asset management system, you can prevent unauthorized access, safeguard sensitive data, and respond effectively to security incidents.

If managing assets sounds overwhelming, Zeus InfoSec can help. We provide guidance on setting up practical asset management processes that align with your WISP. Security starts with knowing what you have—let’s build a system that keeps your business protected.

In the next post, we’ll cover Performing a Risk Assessment—helping you understand, prioritize, and address the risks that threaten your business.

Still not sure where to start?

Check out Protect Your Business with Our Free Cybersecurity Checklist for Small Businesses or Free Cybersecurity Essentials eBook

Until next time…

Stay Safe. Stay Secure. And Remember….

Business is hard enough. Cybersecurity doesn’t have to be!
