Moving property

The responsibility is often on the assigned owner of the equipment to keep it safe whilst it is in their protection.

However, before a device can even be handed over, information security managers should ensure that the infrastructure is in place to effectively manage and maintain all assets under their watch.

Risk reduction

There are plenty of risk reductive measures on the market, ranging from the sublime to the entirely ridiculous, however, your job as information security manager is to take a considered approach and choose appropriate controls.

Marking assets with an indelible mark that uniquely identifies them is a great start. This allows a full inventory of all assets to be taken and maintained. You can also make use of barcodes, RFID (radio-frequency identification) tags, and even serial numbers of devices much in the same way as shops protect their products.

Earlier you learned that one of the ways to protect equipment is by creating an asset log. An individual or department should be made responsible for the security and custody of these assets. If you are exchanging equipment for newer items, this log must be maintained, and all items tracked from purchase through to disposal. Should a PC item, for example, have a disc drive inside it that needs to be securely destroyed, this cradle to grave management only stops when the disc drive has been chopped up. You’ll learn more about correct disposal procedures later on.

When moving protectively marked equipment (official, secret, top secret) or information from one place to another, you should use a trusted courier service that provides a level of security assurance around the transit. The UK government uses a special courier service (The Queen’s Messengers) to move classified documents and assets from one building to another, that includes the protection of the route information, secrecy around the schedules and a rule whereby two people must be always handling the asset (known as two-man-rule).

Security labels and seals

When moving assets from one site to another, there’s a risk that a computer could be powered up by someone in the transit company, a USB drive inserted, and all your confidential information copied off onto that third party device. The consequences could be disastrous if information gets into the wrong hands, so what can be done to protect assets in transit?

You could encrypt your discs, which is a great confidentiality control, but if the computer chassis is opened and the disc cloned, the attackers still have an opportunity to break that encryption. In the previous Course, you learned how it’s entirely possible that attackers with access to enough resources, utilising the latest developments in cryptanalysis, can breach even the most secure of systems.

For this reason, it’s important to protect the structure of the systems you ship, to further mitigate the risk. Or, if all else fails, at least you will be informed that your systems have been tampered with.

Tamper resistant labels and tamper evident labels can be used on your equipment to help protect physical access. Seals can act as barriers, which if broken, can render the equipment useless, or they can simply be an indicator that someone has tried to break into that component.

For example, if all your USB sockets have tamper evident seals covering them, the act of peeling them off will render the seal broken and irreplaceable. Once the equipment is received at the far end of its journey, inspection of the seals will show the security officer that someone has attempted (or even succeeded) to break into that device. Visit here for more information on tamper evident security labels.

Care should be taken to cover all open ports and joins, such as where two parts of the computer’s chassis come together. It’s also possible to have these labels numbered with asset information so that you can use it both from a security and inventory perspective.

Key points

Let’s take a look at some of the key points to take with you as you move through the rest of this lesson:

For reducing risk when moving property, you could mark assets with an indelible mark, or use barcodes, RFID (radio-frequency identification) tags, and even serial numbers of devices.
Tamper resistant labels and tamper evident labels can be used on your equipment to help protect physical access. Seals can act as barriers which, if broken, can render the equipment useless, or they can simply be an indicator that someone has tried to break into that component.
Care should be taken to cover all open ports and joins, such as where two parts of the computer’s chassis come together. It’s also possible to have these labels numbered with asset information so that you can use it both from a security and inventory perspective.

Moving equipment does give attackers the opportunity to strike, but if done properly, you’ll be reducing the likelihood of information getting into the wrong hands. The same applies when thinking about getting rid of assets for good.

Moving and disposal of equipment [CISMP]