AST Asset Governance
Assessor Procedures
This course covers formal assessor procedures for the SCF AST — Asset Governance control family, in two versions: an Enterprise / Heavily Regulated edition with 11 comprehensive procedures, and a Startup / Small Business edition with 10 right-sized practical procedures. Both versions are mapped to AiVRIC CloudSignals+RiskOps as the evidence and control management platform.
Asset Governance (AST) gives every organization — from a 10-person startup to a regulated enterprise — a practical, auditable way to know what technology it has, who owns it, how important it is, how it is protected, and when it should be retired.
- GRC analysts and auditors
- Compliance officers
- Security assessors and consultants
- Risk managers
- IT governance managers
- MSP compliance practitioners
- Small business owners managing compliance
- Explain AST in plain language for any audience
- Apply the applicability legend (Required / Recommended / Conditional)
- Execute all 11 enterprise assessor procedures
- Execute all 10 startup practical procedures
- Conduct the monthly 30-minute AST review
- Compile an auditable evidence package
- Rate AST control effectiveness
Asset Governance Foundations
15 min • SCF AST-01 • Plain language, applicability legend, knowledge supplements
The plain-language objective
Asset Governance means the organization knows:
For a casual audience, AST is explained simply:
A company may have laptops, phones, email accounts, SharePoint sites, Teams channels, Google Drives, GitHub repositories, cloud servers, DNS records, websites, security tools, logs, SaaS systems, and AI tools. AST gives the company a practical way to keep track of those assets so security, compliance, privacy, and operations teams are not guessing.
What counts as an asset?
Do not limit asset governance to hardware. An asset is anything the company depends on or must protect:
Physical & Logical
Laptops, phones, servers, tablets, network devices, data-bearing media, printers
Cloud & SaaS
Cloud accounts, subscriptions, resource groups, SaaS applications, admin accounts
Code & Data
GitHub repositories, databases, SharePoint sites, shared drives, backup systems
Network & DNS
DNS zones, domain registrar accounts, certificates, websites, APIs, load balancers
AI & Automation
AI tools, models, agents, datasets, automation components, monitoring dashboards
Third-Party
Vendor-managed systems, MSP tooling, service dependencies, customer-managed assets
Applicability legend
Use these markers throughout your assessment work. They indicate what is expected at each level of organizational maturity.
| Marker | Meaning |
|---|---|
| Required / Baseline | Expected for almost every organization. Without it, the company has weak control over its assets. Gaps here are significant findings in any audit. |
| Recommended | Strongly useful and often expected as the company grows. May be staged based on size, cost, risk, and staffing. Absence should be justified. |
| Conditional / Optional | Applies when the company has a specific risk, regulation, customer requirement, asset type, geography, or business model. Document why it applies or does not apply. |
Owner vs. Custodian
These two roles are often confused in assessments:
Owner
Accountable for why the asset exists and what risk is acceptable. Example: The Finance department owns the payment system.
Custodian
Maintains or operates the asset day to day. Example: IT operates the servers that run the payment system.
Enterprise AST Procedures 1–5
20 min • Enterprise / Heavily Regulated • Program, repository, reconciliation, ownership, classification
Validate the Asset Governance Program
Assessor action: Review whether the organization has a formally approved IT Asset Management program. This is not a one-time spreadsheet — it is a managed program with owners, procedures, review cycles, metrics, and escalation paths.
Expected evidence:
- Asset Governance policy & ITAM standard
- CMDB standard & asset lifecycle procedure
- Asset ownership model & data classification standard
- Cloud asset inventory procedure & SaaS governance procedure
- Third-party asset governance & secure disposal procedure
- Exception management procedure
- Executive or governance committee reporting
Confirm the Authoritative Asset Repository
Assessor action: Determine whether the organization has an authoritative system of record for assets — typically a CMDB, ITAM platform, GRC platform, or integrated asset repository.
- CMDB or ITAM export with required asset field data model
- API integrations or automated data feeds
- Asset reconciliation reports & orphaned/duplicate asset reports
- Inventory aging reports & evidence of periodic review
Central, controlled asset repository.
Automated integrations from endpoint, cloud, identity, vulnerability, and procurement.
Reconcile Asset Sources
Assessor action: Compare asset counts and asset records across independent sources: CMDB/ITAM, EDR, vulnerability scanner, cloud inventory, identity provider, procurement, SaaS discovery, monitoring, and network discovery tools.
Assessor test: Select a sample of assets from each system and confirm whether they appear correctly in the authoritative inventory.
Validate Ownership and Accountability
Assessor action: Confirm that each important asset has an assigned owner. Expected ownership fields: business owner, technical owner, security owner/contact, data owner, system custodian, vendor owner, support group, risk acceptor.
Every production asset has at least one accountable owner.
Separate business and technical ownership for critical systems.
Validate Classification and Criticality
Assessor action: Review whether assets are categorized by risk and business importance.
Expected classification attributes: Asset type, business criticality, data sensitivity, regulatory scope, internet exposure, recovery priority, geographic location, environment (prod/dev/test), vendor involvement, AI involvement, privileged access requirement, end-of-life status.
Critical and sensitive assets identified.
All production assets have classification values.
Lab/test assets may be staged but still inventoried.
Enterprise AST Procedures 6–11
20 min • Enterprise / Heavily Regulated • Services, endpoints, cloud, repos, monitoring, lifecycle + rating criteria
Map Assets to Business Services
Assessor action: Confirm that critical assets are mapped to the business services they support.
Expected evidence: Service catalog, application dependency maps, network & data flow diagrams, cloud architecture diagrams, business impact analysis, recovery plans, critical service dependency maps.
Validate Endpoint and Device Governance
Assessor action: Confirm that corporate and user endpoints are inventoried, protected, monitored, and governed.
Expected evidence: MDM inventory, EDR inventory, device compliance reports, encryption reports, patch reports, lost/stolen device records, BYOD approval records, remote wipe capability evidence, device return records, exception approvals.
Devices accessing company data are known and protected.
BYOD requires compensating controls: app protection, conditional access, or limited access.
Validate Cloud and SaaS Asset Governance
Assessor action: Determine whether cloud resources and SaaS systems are included in asset governance.
Expected evidence: Cloud account inventory, subscription inventory, resource group inventory, SaaS application inventory, admin role review, CSPM findings, cloud tagging standards, cloud policy exceptions, cloud monitoring alerts, cloud cost and utilization reports.
Production cloud and SaaS assets inventoried.
Cloud resources use mandatory tags: owner, environment, application, data classification, cost center.
Validate Code Repository Governance
Assessor action: Review whether code repositories are inventoried, owned, protected, and monitored.
Expected evidence: Repository inventory, public/private classification, repository owner list, branch protection rules, pull request approval settings, secret scanning results, dependency vulnerability reports, archived repository list, developer access review.
Production repositories have owners and access controls.
Secret scanning, dependency scanning, and branch protection enabled for all active production repositories.
Validate Monitoring, Capacity, and Performance Coverage
Assessor action: Confirm that important assets are monitored for availability, performance, capacity, and abnormal behavior.
Expected evidence: Monitoring inventory, alert rules, capacity/performance dashboards, incident tickets, alert tuning records, service-level reports, cloud metrics, application performance telemetry.
Critical systems have monitoring and alerting.
Monitoring is tied to service criticality and incident response procedures.
Validate Asset Lifecycle and Disposal
Assessor action: Confirm that assets are governed from request through retirement. Lifecycle phases: Request → Approval → Purchase/Provisioning → Assignment → Configuration → Operation → Monitoring → Change → Transfer → Return → Sanitization → Disposal/Decommissioning.
Expected evidence: Procurement record, deployment ticket, change ticket, assignment record, return record, secure wipe record, disposal certificate, cloud decommissioning ticket, access removal evidence, inventory update.
Data-bearing assets are sanitized before reuse or disposal.
Decommissioning includes access removal, DNS cleanup, monitoring cleanup, backup review, and evidence retention.
Enterprise Assessment Decision Criteria
| Rating | Meaning |
|---|---|
| Effective | Asset governance is documented, automated where practical, reconciled, risk-based, and evidenced. |
| Partially Effective | The organization has core processes, but ownership, inventory accuracy, lifecycle updates, or evidence are inconsistent. |
| Ineffective | The organization cannot reliably identify assets, owners, locations, classifications, dependencies, or lifecycle status. |
| Not Applicable | The asset type or control scenario does not exist in the assessed environment, and the rationale is documented. |
Startup / SMB Procedures 1–5
20 min • Practical implementation • Inventory, M365/GWS, endpoints, EDR, DNS/Cloudflare
Minimum viable asset governance model
Create One Simple Asset Inventory
Create one list showing the company's important technology assets. Acceptable platforms for a startup: Microsoft List or SharePoint List, Google Sheet, AiVRIC CloudSignals, or a lightweight PSA platform.
| Field | Plain-Language Meaning |
|---|---|
| Asset name | What is it called? |
| Asset type | Laptop, phone, SaaS app, website, GitHub repo, DNS zone, cloud account, database, etc. |
| Owner | Who is responsible for it? |
| Business purpose | Why does it exist? |
| Data sensitivity | Public, internal, confidential, regulated, customer data, employee data, etc. |
| Criticality | How bad would it be if it failed or leaked data? |
| Security tool coverage | Is it in Intune, EDR, Cisco Umbrella, CloudSignals, etc.? |
| Status | Active, retired, lost, pending disposal, test, archived |
| Last reviewed | When did someone last check it? |
Inventory Microsoft 365 or Google Workspace
Treat the productivity tenant as a major business asset. At minimum inventory: the tenant, admin accounts, major collaboration sites, sensitive data repositories, guest/external sharing locations, and retention/eDiscovery tools.
Govern Endpoints with Intune or Google Endpoint Management
Every device that accesses company data should be known. Acceptable evidence: Microsoft Intune compliance report, Google endpoint management, EDR platform managed by MSP, device compliance report, or conditional access records.
Use the MSP's EDR as a Reality Check
Once per month, compare: Intune device list • EDR device list • Employee roster. Look for employees with no device, devices with no assigned user, devices in Intune but missing EDR, inactive devices (30+ days), and terminated users with active devices.
Inventory Cloudflare DNS
Treat the Cloudflare DNS zone as a critical business asset. Track: domain name, Cloudflare account, DNS administrators, MX/website/API/SPF/DKIM/DMARC records, DNSSEC status, registrar, and renewal date.
Startup Procedures 6–10, Monthly Review & Evidence
20 min • Website, GitHub, monitoring, Cisco Umbrella, CloudSignals • Monthly review • Evidence checklist
Inventory Website Hosting
Track: hosting provider, plan, website URL, admin users, CMS platform, plugins/themes, SSL certificate, backup method, domain registrar, DNS provider, business owner, technical owner, renewal date, and payment owner.
Inventory GitHub Repositories
Every GitHub repository should have an owner and a purpose. Track: name, public/private status, business owner, technical owner, production/non-production use, sensitive data risk, branch protection status, secret scanning status, Dependabot status, archived status, and last reviewed date.
Govern Monitoring Assets
Critical systems should have basic monitoring. For a startup, acceptable sources: Datadog, AWS CloudWatch, Azure Monitor, Azure Application Insights, hosting provider monitoring, MSP monitoring, or AiVRIC CloudSignals. Track website availability, SSL expiration, error rate, response time, CPU/memory, storage, database availability, backup success, DNS availability, and alert recipients.
Cisco Umbrella as a Network Security Asset Source
If Cisco Umbrella is deployed, include it in asset governance. Track: Umbrella tenant, admin users, protected networks, roaming clients, DNS policies, block categories, exceptions, and last policy review. Know whether all intended users and locations are protected. Review blocked activity and policy exceptions monthly.
AiVRIC CloudSignals for CSPM and GRC Management
Use AiVRIC CloudSignals as the control evidence and risk management layer. Track: cloud accounts, cloud resources, control mappings, CSPM findings, control exceptions, evidence uploads, asset risk scores, owners, remediation tasks, and review dates. Have one place where asset governance evidence is stored and reviewable.
Monthly 30-Minute AST Review
A practical startup review should be simple enough that someone will actually do it.
Startup Evidence Checklist
A small company can demonstrate good AST control operation with the following quarterly evidence package. Create a folder named: AST Evidence — Q3 2026
Control Applicability — Startup vs. Enterprise
| AST Activity | Startup / SMB Expectation | Enterprise Expectation |
|---|---|---|
| Asset inventory | Required. Spreadsheet, SharePoint List, Google Sheet, or CloudSignals. | Required. Formal ITAM / CMDB with integrations. |
| CMDB | Recommended. Use when complexity justifies it. | Required / Expected. Needed for auditability and scale. |
| Asset owners | Required. Every important asset has an owner. | Required. Business, technical, security, and data owners. |
| Classification | Required for important assets. Simple labels acceptable. | Required. Formal classification taxonomy. |
| Cloud discovery | Required for production cloud. Manual or CloudSignals. | Required. Automated discovery and CSPM integration. |
| EDR coverage | Required. MSP report is acceptable evidence. | Required. Coverage measured, reconciled, and escalated. |
| GitHub governance | Required. Owners, visibility, basic security settings. | Required. Formal SDLC, access review, scanning, policy enforcement. |
| Monitoring | Required for critical systems. Simple alerts acceptable. | Required. Integrated observability and incident process. |
| Exception process | Required. Lightweight log acceptable. | Required. Formal risk acceptance workflow. |
Capstone & Assessment
Completing all five modules makes you eligible for the AST Assessor Procedures certification exam and capstone exercise.
- Asset governance foundations & applicability legend — 15%
- Enterprise assessor procedures (P1–P5: program, repo, reconciliation, ownership, classification) — 25%
- Enterprise assessor procedures (P6–P11: services, endpoints, cloud, repos, monitoring, lifecycle) — 25%
- Startup / SMB practical procedures & minimum viable model — 20%
- Evidence compilation, monthly review, and assessment rating — 15%
Capstone exercise: Build a Startup AST Inventory
You are the security lead for a 40-person company using Microsoft 365 E3, Teams, SharePoint, Intune, Cloudflare, GitHub, Bluehost, MSP-managed CrowdStrike, Cisco Umbrella, Datadog, and AiVRIC CloudSignals. Your task:
Then answer these five questions for your mock inventory:
- Which assets are critical?
- Which assets have customer or employee data?
- Which assets are missing owners?
- Which assets need stronger protection?
- Which evidence would prove the control is working?