3.6 Asset management
📘CompTIA Security+ (SY0-701)
1. What is Asset Acquisition and Procurement?
Asset acquisition and procurement refer to the process of purchasing, leasing, or obtaining IT hardware, software, or services for an organization.
In cybersecurity, this process is important because security must be considered before an asset is bought or implemented. Buying an insecure or non-compliant system can create major risks.
So, acquisition/procurement means making sure that everything an organization buys—computers, servers, software, or even cloud services—is secure, trustworthy, and aligns with security policies.
2. Why Security Matters During Procurement
If security is not considered early (before buying or signing contracts), the organization might face:
- Systems with built-in vulnerabilities
- Untrusted vendors or counterfeit hardware
- Hidden backdoors in software
- Lack of compliance with laws or standards (like GDPR or HIPAA)
- Difficulty managing or patching insecure systems later
Therefore, security must be built into the procurement process from the beginning — not added after deployment.
3. Secure Procurement Process – Step by Step
Let’s look at the typical secure procurement lifecycle that Security+ expects you to understand:
Step 1: Define Security Requirements
Before purchasing, the organization defines what security features are needed.
Examples:
- Does the system support encryption?
- Does the vendor follow secure coding practices?
- Does the device receive regular security updates?
These requirements are often documented in a security policy or procurement checklist.
Step 2: Vendor Risk Assessment
The organization must evaluate vendors to ensure they are trustworthy and follow security best practices.
Key checks include:
- Vendor reputation – Are they known for secure products?
- Supply chain transparency – Can the source of components be verified?
- Security certifications – e.g., ISO 27001, SOC 2 compliance
- Past security incidents – Has the vendor suffered major data breaches?
This is part of supply chain risk management, which is a major Security+ concept.
Step 3: Request for Proposal (RFP) with Security Clauses
When requesting bids or quotes from vendors (through an RFP), the organization includes security expectations.
For instance:
- Vendors must agree to regular security patching.
- Vendors must comply with organizational and regulatory security standards.
- Vendors must provide a Software Bill of Materials (SBOM) to show what components are in the product.
This ensures that security is considered contractually, not just technically.
Step 4: Evaluation and Testing
Before final purchase, assets should be tested or reviewed for security weaknesses.
Examples:
- Conduct vulnerability assessments or penetration testing on demo units.
- Review source code for applications (if possible).
- Verify that firmware or software is digitally signed.
Testing helps confirm that the asset truly meets security requirements.
Step 5: Contracting and Legal Safeguards
The procurement contract should clearly define security responsibilities for both the organization and the vendor.
It may include:
- Data protection requirements (how the vendor must handle sensitive data)
- Incident response obligations (what happens if a breach occurs)
- Patch/update guarantees
- Right to audit (the organization can check vendor compliance)
These legal safeguards reduce future risks.
Step 6: Secure Deployment and Tracking
Once purchased, the new asset is:
- Logged into the asset inventory
- Tagged with an asset ID or barcode
- Configured securely before being used
This ensures every asset is properly tracked and protected from the moment it enters the environment.
4. Security Considerations in IT Procurement
Here are important security factors to consider during acquisition for the Security+ exam:
| Security Factor | Description |
|---|---|
| Trusted suppliers | Purchase only from authorized and reputable vendors to avoid counterfeit or tampered equipment. |
| Supply chain security | Monitor the entire path of hardware and software — from manufacturer to delivery — to detect tampering or malicious code insertion. |
| Lifecycle support | Ensure the vendor provides ongoing updates and patches for the product’s lifetime. |
| End-of-life (EOL) awareness | Avoid purchasing hardware/software that is near or past its support date. Unsupported products can’t be patched and pose risks. |
| Software integrity verification | Ensure software is code-signed and verified to prevent installing malicious or altered programs. |
| Licensing and compliance | Make sure software licenses are legitimate and comply with legal standards. |
| Cloud and third-party services | Verify the provider’s security certifications, data encryption, and compliance with organizational standards. |
5. Security Roles in Procurement
In an organization, several roles are involved in secure procurement:
| Role | Responsibility |
|---|---|
| Security team | Defines security requirements and evaluates vendors. |
| Procurement team | Handles contracts and purchasing, ensuring security clauses are included. |
| Legal/compliance team | Ensures contracts and assets meet regulatory requirements. |
| IT/Operations team | Tests, deploys, and maintains the purchased asset securely. |
Collaboration between these teams ensures security is integrated into every stage of procurement.
6. Key Terms to Know for the Exam
| Term | Meaning |
|---|---|
| Supply Chain Risk Management (SCRM) | Managing security risks from vendors and third parties in the supply chain. |
| SBOM (Software Bill of Materials) | A list of all software components used in a system — helps detect vulnerabilities. |
| Secure Procurement Policy | An internal document that defines how to securely acquire technology assets. |
| Vendor Due Diligence | The process of checking a vendor’s security posture before doing business with them. |
| Contractual Security Clauses | Legal statements in contracts that enforce security obligations on vendors. |
7. Why It Matters for the Security+ Exam
The CompTIA Security+ (SY0-701) exam expects you to understand that security must be integrated into the asset’s entire lifecycle, starting from acquisition.
You should be able to:
- Explain why procurement decisions affect security.
- Identify best practices in selecting vendors.
- Understand how contracts and supply chain management reduce risk.
- Recognize the importance of secure configuration and tracking after purchase.
8. Summary
| Key Point | Explanation |
|---|---|
| Security in procurement is proactive | Security must be checked before buying or signing contracts. |
| Vendor evaluation is critical | Choose only trusted vendors with good security practices. |
| Include security in RFPs and contracts | Makes vendors legally bound to meet security standards. |
| Verify integrity of assets | Test and confirm that the purchased product is secure and genuine. |
| Track and manage assets post-purchase | Add them to the asset inventory and maintain their security throughout their lifecycle. |
✅ In summary:
The Acquisition/Procurement phase of asset management ensures that every system, software, or service entering an organization is secure, trustworthy, and compliant before it is used. This proactive approach helps reduce vulnerabilities, protect data, and ensure a secure IT environment.
