Domain 2: Asset Security Module 15 of 84

Secure Asset Provisioning and Inventory

CISSP Domain 2 — Asset Security A — Classification and Provisioning 10–12 minutes

What the Exam Is Really Testing

Here is a scenario that plays out in organizations every week: a department head signs up for a cloud-based project management tool using a corporate credit card. No security review. No IT involvement. No entry in the asset inventory. Six months later, the tool is processing customer data across three teams and nobody in security knows it exists.

You cannot protect what you do not know about. Asset provisioning and inventory are the governance mechanisms that prevent invisible risk.

This module covers CISSP exam objective 2.3: provision resources securely. ISC2 tests whether you understand the full asset lifecycle — from the moment an asset is requested through its eventual disposal — and how gaps in that lifecycle create security exposures.


The Asset Management Lifecycle

Every asset — hardware, software, data, or service — follows a lifecycle. Managing each stage is a governance responsibility, not just an operational one.

  1. Request — A business need triggers a request for a new asset. The request should identify the purpose, the data that will be processed, and the expected classification level.
  2. Approve — Management and security review the request. Approval should include a risk assessment proportional to the sensitivity of the data involved. High-classification data requires more scrutiny.
  3. Provision — The asset is acquired, configured, and deployed according to organizational standards. Security baselines, hardening guides, and access controls are applied before the asset enters production.
  4. Track — The asset is registered in an inventory system with ownership, location, classification, and configuration details. This is the step most organizations skip or perform inconsistently.
  5. Maintain — Ongoing patching, configuration management, access reviews, and periodic reassessment of the asset’s classification and risk profile.
  6. Dispose — When the asset reaches end of life, data is sanitized according to its classification level (as covered in Module 14), the asset is removed from inventory, and access is revoked.

The exam focuses on the governance aspects of this lifecycle. When a question asks what went wrong in a scenario involving an unknown or unmanaged asset, the answer usually points to a failure in the request/approve or track stages.


Asset Inventory and CMDB

An asset inventory is a record of all hardware, software, data repositories, and services the organization owns or uses. A Configuration Management Database (CMDB) extends this by tracking relationships between assets, their configurations, and their dependencies.

An effective asset inventory records:

  • Asset identification — Name, serial number, asset tag, version
  • Owner — The business manager responsible for the asset
  • Custodian — The IT or operations team responsible for day-to-day management
  • Classification — The sensitivity level of data the asset stores or processes
  • Location — Physical location, network segment, or cloud region
  • Status — Active, decommissioned, in maintenance, or pending disposal
  • Relationships — Dependencies on other assets, services, or infrastructure components

The CMDB is particularly important for change management and incident response. When a vulnerability is announced for a specific software version, the CMDB tells you exactly which systems are affected. Without it, you are scanning blindly.


Hardware Asset Management

Hardware assets include servers, workstations, laptops, mobile devices, network equipment, removable media, and IoT devices. Each presents different provisioning and tracking challenges.

  • Standardized builds — Hardware should be provisioned from approved images or configurations. A “golden image” ensures every device starts from a known, hardened state.
  • Asset tagging — Physical tags (barcodes, RFID) enable tracking throughout the asset’s life and simplify physical inventory audits.
  • Lifecycle tracking — Warranty status, maintenance schedules, and end-of-support dates determine when an asset must be replaced or upgraded.
  • Disposal verification — When hardware is decommissioned, the inventory must be updated and data sanitization must be documented.

Software Asset Management

Software asset management (SAM) covers licensing, versioning, and the authorized software baseline.

  • License compliance — Under-licensing creates legal liability; over-licensing wastes money. Both are governance failures.
  • Authorized software list — Only approved applications should be installed. Application whitelisting enforces this technically; policy enforces it administratively.
  • Version control — Running unsupported or unpatched software versions introduces known vulnerabilities. The asset inventory should track current versions against vendor support timelines.
  • SaaS and cloud services — These often bypass traditional software installation, making them harder to track. Procurement and finance teams can help identify cloud subscriptions through purchasing records.

BYOD and Mobile Device Provisioning

Bring Your Own Device (BYOD) programs allow employees to use personal devices for work. This creates a provisioning challenge: the organization does not own the device but needs to protect the data on it.

Provisioning controls for BYOD typically include:

  • Mobile Device Management (MDM) — Software that enforces security policies on enrolled devices: encryption, PIN requirements, remote wipe capability, and application restrictions.
  • Containerization — Separating corporate data into an encrypted container on the device, so personal and business data remain isolated. This allows a remote wipe of corporate data without affecting personal content.
  • Acceptable use agreements — Written policies that define what the organization can and cannot do with a personal device, including monitoring, wiping, and access to personal data.
  • Network segmentation — BYOD devices should connect to a separate network segment with restricted access to internal resources.

The exam tests BYOD from a governance perspective: who is responsible for the data on a personal device? The answer is always the organization. Ownership of the device does not transfer ownership of the data.


Cloud Asset Provisioning and Shadow IT

Cloud services introduce a provisioning challenge that traditional asset management was not designed to handle. Anyone with a credit card can provision infrastructure, platforms, or applications in minutes — with no IT involvement.

Shadow IT is the use of IT systems, devices, software, applications, and services without explicit organizational approval. It is a provisioning governance failure.

Shadow IT risks include:

  • Data stored outside organizational security controls
  • No backup, encryption, or access management aligned with policy
  • Regulatory non-compliance when data crosses jurisdictional boundaries
  • No visibility for incident response or forensic investigation
  • Vendor lock-in or data loss when the subscribing employee leaves the organization

Mitigation strategies include:

  • Cloud Access Security Brokers (CASBs) — Proxy or API-based tools that discover and monitor cloud service usage across the organization
  • Procurement controls — Requiring IT review before any cloud service purchase or subscription
  • Network monitoring — Analyzing outbound traffic to detect connections to unapproved cloud services
  • Self-service provisioning — Providing fast, easy access to approved cloud services so employees do not need to go around IT

Asset Ownership vs. Custody

The distinction between owner and custodian applies to assets just as it applies to data classification:

  • Owner — The business manager accountable for the asset and the data it processes. The owner determines what protection the asset needs, who can access it, and when it should be decommissioned.
  • Custodian — The IT or operations team member who implements the owner’s decisions. Custodians manage backups, apply patches, configure access controls, and perform sanitization at disposal.
  • User — The person who accesses the asset for day-to-day work. Users follow the handling procedures defined by the owner and implemented by the custodian.

Every asset must have a named owner. “IT owns it” is not a valid ownership assignment — IT is the custodian. When an asset has no clearly assigned owner, accountability gaps follow: nobody is responsible for access reviews, classification updates, or decommissioning decisions.


Pattern Recognition

Provisioning and inventory questions on the CISSP tend to follow these structures:

  • Unknown asset discovered — The root cause is a provisioning or tracking failure. The fix is governance, not technical controls.
  • Shadow IT scenario — The risk is data outside organizational controls. The answer involves discovery, governance, and bringing the service into the managed environment.
  • Ownership confusion — When nobody owns the asset, nobody is accountable. The first step is assigning ownership.
  • BYOD data question — The organization owns the data regardless of who owns the device.

Trap Patterns

Watch for these wrong answers:

  • “Block all unapproved cloud services at the firewall” — Technical blocking is part of the solution but does not address the governance failure. The exam prefers answers that establish process and policy first.
  • “IT is responsible for all assets” — IT is the custodian. Business owners bear accountability for classification, access decisions, and lifecycle governance.
  • “The employee owns the data on their personal device” — Corporate data on a personal device remains corporate data. The organization’s classification and handling requirements still apply.
  • “Inventory only needs to include hardware” — Asset inventory includes hardware, software, data repositories, cloud services, and any other resource that stores, processes, or transmits organizational data.

Scenario Practice


Question 1

During a security audit, the team discovers 15 cloud-based SaaS applications being used by various departments. None were approved through the organization’s procurement process, and none appear in the asset inventory. Several are processing customer personal data.

What is the FIRST action the security team should take?

A. Immediately block all 15 applications at the network perimeter
B. Assess the risk of each application, focusing on those processing personal data, and bring them into the governance framework
C. Terminate the accounts of all employees using unapproved applications
D. Report the finding to the board of directors as a critical compliance failure

Answer & reasoning

Correct: B

Risk assessment is the appropriate first step. Some of these applications may be processing regulated data and require immediate attention, while others may pose minimal risk. Blocking all 15 immediately (A) could disrupt business operations without understanding the impact. Terminating accounts (C) is punitive rather than corrective. Board reporting (D) may be appropriate later but is not the first action.


Question 2

An organization implements a BYOD policy that allows employees to use personal smartphones for corporate email. An employee’s phone is stolen, and it contained emails with customer financial data. The employee did not have a PIN lock enabled.

What governance failure does this represent?

A. The employee failed to follow personal device security best practices
B. The BYOD policy did not include or enforce minimum security requirements through MDM
C. The organization should not have allowed BYOD for email access
D. The IT department should have physically inspected the employee’s phone

Answer & reasoning

Correct: B

A BYOD program that allows access to classified data without enforcing minimum security requirements (encryption, PIN, remote wipe) is a governance failure. MDM software can enforce these requirements as a condition of enrollment. Relying on individual employees to self-enforce security on personal devices is insufficient when organizational data is at risk.


Question 3

A company’s asset inventory shows 500 servers in the data center. A network scan reveals 530 active devices. The 30 additional devices are unaccounted for in the CMDB.

What is the PRIMARY risk created by this discrepancy?

A. The additional devices are consuming excess network bandwidth
B. Unmanaged devices may not be patched, hardened, or monitored, creating blind spots in the security posture
C. The organization is paying for servers it does not need
D. The network scan results are likely inaccurate and should be re-run

Answer & reasoning

Correct: B

Devices outside the asset inventory are outside the management lifecycle. They may not receive patches, may not be configured to security baselines, may not be monitored by SIEM or IDS, and may not be included in vulnerability scans. Each unknown device is a potential attack surface that the security team cannot defend because they do not know it exists.
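The reconciliation this question describes, together with the CMDB version lookup from the Asset Inventory section and the named-owner rule, as an added example that is not part of the study module: the asset records, IP addresses and scan results are constructed sample data, and the field names follow the inventory attributes listed above.

```python
"""Reconcile a CMDB extract against a network scan and query exposure by version.

Added example, not from the module; all records and scan results are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    owner: str           # named business owner; "IT" alone is a custodian, not an owner
    custodian: str
    classification: str
    software: str
    version: str
    status: str          # active, decommissioned, in maintenance, pending disposal

# Constructed CMDB extract: three registered servers.
CMDB = [
    Asset("SRV-001", "10.0.1.10", "Finance Director", "Ops", "Confidential", "OpenSSL", "1.1.1", "active"),
    Asset("SRV-002", "10.0.1.11", "IT", "Ops", "Internal", "OpenSSL", "3.0.2", "active"),
    Asset("SRV-003", "10.0.1.12", "HR Manager", "Ops", "Confidential", "nginx", "1.24", "decommissioned"),
]

# Constructed scan result: five hosts answered on the data-center segment.
SCAN = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.50", "10.0.1.51"}

def unmanaged_hosts(cmdb, scan):
    """Hosts seen on the network with no inventory record (the Question 3 gap)."""
    known = {a.ip for a in cmdb}
    return sorted(scan - known)

def stale_records(cmdb, scan):
    """Records marked decommissioned whose host still answers: disposal was not verified."""
    return [a.asset_id for a in cmdb if a.status == "decommissioned" and a.ip in scan]

def assets_without_owner(cmdb, placeholder_owners=("", "IT", "Unassigned")):
    """Records that violate 'every asset must have a named owner'."""
    return [a.asset_id for a in cmdb if a.owner.strip() in placeholder_owners]

def affected_by(cmdb, software, vulnerable_versions):
    """Active systems running a version named in a vulnerability announcement."""
    return [a.asset_id for a in cmdb
            if a.software == software and a.version in vulnerable_versions and a.status == "active"]

if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(CMDB, SCAN), "stale:", stale_records(CMDB, SCAN))
    print("no owner:", assets_without_owner(CMDB), "OpenSSL 1.1.1:", affected_by(CMDB, "OpenSSL", {"1.1.1"}))
```

Each list the script returns maps to a lifecycle stage that was skipped: unmanaged hosts to Track, stale records to Dispose, and missing owners to Approve.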


Key Takeaway

Asset provisioning and inventory are governance problems, not technical ones. The exam will not ask you to configure a CMDB or deploy an MDM agent. It will ask you to recognize when a lifecycle stage was skipped, who should have been responsible, and what risk results from the gap. Remember three principles: every asset needs an owner, every asset needs to be in the inventory, and you cannot secure what you do not know exists.
