Secure Controls Framework
Download The SCF

Asset Management (AST)

Domain Principle

Manage Technology Assets, Applications and Services (TAAS) throughout their lifecycle to maintain visibility, accountability, authorization and protection.

Domain Intent

Organizations maintain accurate inventories, ownership records and data relationships for TAAS from procurement through disposal to ensure only authorized assets, applications and services are used and associated data is protected throughout its lifecycle.

Domain Guide

You cannot protect what you don't know you have. The AST domain is the foundational domain that makes every other technical domain possible. Without accurate TAAS inventories, vulnerability management operates on guesswork, configuration baselines have no subjects and access control misses assets that don't appear in any system of record.

 

The SCF's intent for AST goes beyond maintaining a spreadsheet. It requires tracking ownership, authorization status and data relationships across the entire TAAS lifecycle from procurement through disposal. That last part matters: decommissioned assets that still hold data, or systems still receiving network traffic after formal retirement, are a recurring source of compromise. Asset management failures don't just cause audit findings; they create real attack surface.

 

AST warrants its own domain because the discipline of maintaining accurate inventories is organizationally distinct from the technical work of securing those assets. Someone has to enforce the process by which new assets get catalogued, old ones get retired and data relationships get documented. That work is ongoing and often resistant to automation because it depends on humans accurately reporting what they've deployed.