id-am-8 high Identify / Asset Management

Systems, hardware, software, services, and data are managed throughout their life cycles

Assets that are not properly retired become liabilities. End-of-life software stops receiving security patches, decommissioned servers left running get forgotten, and orphaned SaaS accounts retain access long after the employee leaves. Lifecycle management closes these gaps by ensuring every asset has a defined path from acquisition through secure disposal.

Estimated effort: 6h

lifecycleasset-managementdisposaldecommission

Complete first: id-am-1 , id-am-2 , id-am-7

Implementation steps

1

Define lifecycle stages and responsibilities

Document the stages each asset type goes through: request and approval, acquisition or provisioning, active use and maintenance, and retirement or disposal. Assign a responsible role for each transition, for example the IT team for hardware disposal and the application owner for software decommission.

servicenowjira
2

Implement acquisition controls

Require approval before purchasing or provisioning new hardware, software, or cloud services. Check that the item is on the approved list and that security requirements (encryption, patching cadence, supported versions) are met before deployment. Track the acquisition date in the asset inventory.

servicenowsnykdependabot
3

Enforce retirement and disposal procedures

When an asset reaches end of life: revoke access and credentials, wipe or physically destroy storage media per NIST 800-88 guidance, remove the asset from the inventory, and document the disposal method and date. For cloud resources, terminate or delete rather than simply stop. Archive any data required for legal or compliance holds before deletion.

blanccojamfmicrosoft-intunekandji