AiVRICAcademy
Course progress
0%
SCF AST-01 • GRC / Audit

AST Asset Governance
Assessor Procedures

This course covers formal assessor procedures for the SCF AST — Asset Governance control family, in two versions: an Enterprise / Heavily Regulated edition with 11 comprehensive procedures, and a Startup / Small Business edition with 10 right-sized practical procedures. Both versions are mapped to AiVRIC CloudSignals+RiskOps as the evidence and control management platform.

"You cannot protect what you do not know exists."
Asset Governance (AST) gives every organization — from a 10-person startup to a regulated enterprise — a practical, auditable way to know what technology it has, who owns it, how important it is, how it is protected, and when it should be retired.
~90 min • 5 modules + capstone Foundational to Advanced Certification eligible — GRC/Audit path
Who this course is for
  • GRC analysts and auditors
  • Compliance officers
  • Security assessors and consultants
  • Risk managers
  • IT governance managers
  • MSP compliance practitioners
  • Small business owners managing compliance
What you will be able to do
  • Explain AST in plain language for any audience
  • Apply the applicability legend (Required / Recommended / Conditional)
  • Execute all 11 enterprise assessor procedures
  • Execute all 10 startup practical procedures
  • Conduct the monthly 30-minute AST review
  • Compile an auditable evidence package
  • Rate AST control effectiveness
Framework alignment: AST-01 Asset Governance is aligned to the Secure Controls Framework (SCF). SCF CORE is designed to right-size control sets to organization size and risk profile. This course presents both enterprise and startup implementations. Learners should apply the version that matches their organization's profile.
1

Asset Governance Foundations

15 min • SCF AST-01 • Plain language, applicability legend, knowledge supplements

The plain-language objective

Asset Governance means the organization knows:

What technology it has  •  Who owns it  •  What it is used for  •  How important it is  •  How it is protected  •  When it should be retired.

For a casual audience, AST is explained simply:

"You cannot protect what you do not know exists."

A company may have laptops, phones, email accounts, SharePoint sites, Teams channels, Google Drives, GitHub repositories, cloud servers, DNS records, websites, security tools, logs, SaaS systems, and AI tools. AST gives the company a practical way to keep track of those assets so security, compliance, privacy, and operations teams are not guessing.

What counts as an asset?

Do not limit asset governance to hardware. An asset is anything the company depends on or must protect:

Physical & Logical

Laptops, phones, servers, tablets, network devices, data-bearing media, printers

Cloud & SaaS

Cloud accounts, subscriptions, resource groups, SaaS applications, admin accounts

Code & Data

GitHub repositories, databases, SharePoint sites, shared drives, backup systems

Network & DNS

DNS zones, domain registrar accounts, certificates, websites, APIs, load balancers

AI & Automation

AI tools, models, agents, datasets, automation components, monitoring dashboards

Third-Party

Vendor-managed systems, MSP tooling, service dependencies, customer-managed assets

Applicability legend

Use these markers throughout your assessment work. They indicate what is expected at each level of organizational maturity.

MarkerMeaning
Required / Baseline Expected for almost every organization. Without it, the company has weak control over its assets. Gaps here are significant findings in any audit.
Recommended Strongly useful and often expected as the company grows. May be staged based on size, cost, risk, and staffing. Absence should be justified.
Conditional / Optional Applies when the company has a specific risk, regulation, customer requirement, asset type, geography, or business model. Document why it applies or does not apply.
Learner tip: A small company does not need to copy every enterprise control. It does need to prove that it has a reasonable, repeatable way to know and manage its important technology assets.

Owner vs. Custodian

These two roles are often confused in assessments:

Owner

Accountable for why the asset exists and what risk is acceptable. Example: The Finance department owns the payment system.

Custodian

Maintains or operates the asset day to day. Example: IT operates the servers that run the payment system.

Knowledge Check
Why is asset inventory important for security and compliance?
Asset inventory enables automatic patching of all systems without requiring manual intervention from IT teams.
The company cannot protect, patch, monitor, recover, or retire assets it does not know exist — a gap in inventory is a gap in security, compliance, and resilience.
Asset inventory is a regulatory formality required only by frameworks like SOC 2 and ISO 27001 — it has limited operational value.
Asset inventory is primarily used for hardware lifecycle planning and has little relevance to cloud or SaaS environments.
Move on when you can explain AST in plain language and apply the applicability legend.
2

Enterprise AST Procedures 1–5

20 min • Enterprise / Heavily Regulated • Program, repository, reconciliation, ownership, classification

Enterprise audience: Organizations with HIPAA, PCI DSS, SOX, GLBA, GDPR, CMMC, FedRAMP, NIST 800-53, ISO 27001, SOC 2, or other formal audit obligations. Large employee populations, multiple cloud platforms, complex vendor ecosystems, and mature security/compliance/legal functions.
Enterprise control objective: The organization maintains a formal, documented, and continuously updated asset governance program that identifies, classifies, owns, protects, monitors, and retires technology assets across their full lifecycle — covering physical devices, virtual systems, cloud resources, SaaS, applications, databases, code repositories, AI tools, and third-party-managed assets.
P1

Validate the Asset Governance Program

Assessor action: Review whether the organization has a formally approved IT Asset Management program. This is not a one-time spreadsheet — it is a managed program with owners, procedures, review cycles, metrics, and escalation paths.

Expected evidence:

  • Asset Governance policy & ITAM standard
  • CMDB standard & asset lifecycle procedure
  • Asset ownership model & data classification standard
  • Cloud asset inventory procedure & SaaS governance procedure
  • Third-party asset governance & secure disposal procedure
  • Exception management procedure
  • Executive or governance committee reporting
Pass condition: The organization demonstrates that asset governance is a managed program, not a point-in-time activity.
P2

Confirm the Authoritative Asset Repository

Assessor action: Determine whether the organization has an authoritative system of record for assets — typically a CMDB, ITAM platform, GRC platform, or integrated asset repository.

  • CMDB or ITAM export with required asset field data model
  • API integrations or automated data feeds
  • Asset reconciliation reports & orphaned/duplicate asset reports
  • Inventory aging reports & evidence of periodic review
Required / Baseline
Central, controlled asset repository.
Recommended
Automated integrations from endpoint, cloud, identity, vulnerability, and procurement.
Enterprise tip: The CMDB is not the control by itself. The control is the process that keeps the CMDB accurate.
P3

Reconcile Asset Sources

Assessor action: Compare asset counts and asset records across independent sources: CMDB/ITAM, EDR, vulnerability scanner, cloud inventory, identity provider, procurement, SaaS discovery, monitoring, and network discovery tools.

Assessor test: Select a sample of assets from each system and confirm whether they appear correctly in the authoritative inventory.

Pass condition: The organization can explain differences between sources and has a documented process to resolve mismatches.
Common finding: The vulnerability scanner sees 12,000 assets, the CMDB lists 9,500, EDR shows 10,800, and no one can explain which number is correct.
P4

Validate Ownership and Accountability

Assessor action: Confirm that each important asset has an assigned owner. Expected ownership fields: business owner, technical owner, security owner/contact, data owner, system custodian, vendor owner, support group, risk acceptor.

Required / Baseline
Every production asset has at least one accountable owner.
Recommended
Separate business and technical ownership for critical systems.
P5

Validate Classification and Criticality

Assessor action: Review whether assets are categorized by risk and business importance.

Expected classification attributes: Asset type, business criticality, data sensitivity, regulatory scope, internet exposure, recovery priority, geographic location, environment (prod/dev/test), vendor involvement, AI involvement, privileged access requirement, end-of-life status.

Required
Critical and sensitive assets identified.
Recommended
All production assets have classification values.
Conditional
Lab/test assets may be staged but still inventoried.
Knowledge Check
What is the pass condition for Procedure 3 — Reconcile Asset Sources?
All asset systems show the same count with zero discrepancy — any mismatch is an automatic finding.
The organization can explain differences between sources and has a documented process to resolve mismatches — the goal is explainability, not perfect agreement.
The CMDB count must match the vulnerability scanner count within 5% to pass reconciliation testing.
Reconciliation is only required when the organization has more than 5,000 assets under management.
Move on when you can execute Enterprise Procedures 1–5 and identify evidence gaps.
3

Enterprise AST Procedures 6–11

20 min • Enterprise / Heavily Regulated • Services, endpoints, cloud, repos, monitoring, lifecycle + rating criteria

P6

Map Assets to Business Services

Assessor action: Confirm that critical assets are mapped to the business services they support.

Expected evidence: Service catalog, application dependency maps, network & data flow diagrams, cloud architecture diagrams, business impact analysis, recovery plans, critical service dependency maps.

Practical enterprise example: A regulated bank should trace the "online loan application" through public DNS → WAF → load balancer → application servers → APIs → identity provider → database → logging → backup → third-party credit bureau integration → monitoring alerts → recovery plan → business owner. If this path cannot be traced, the organization may not understand the risk or recovery needs.
P7

Validate Endpoint and Device Governance

Assessor action: Confirm that corporate and user endpoints are inventoried, protected, monitored, and governed.

Expected evidence: MDM inventory, EDR inventory, device compliance reports, encryption reports, patch reports, lost/stolen device records, BYOD approval records, remote wipe capability evidence, device return records, exception approvals.

Required
Devices accessing company data are known and protected.
Conditional
BYOD requires compensating controls: app protection, conditional access, or limited access.
P8

Validate Cloud and SaaS Asset Governance

Assessor action: Determine whether cloud resources and SaaS systems are included in asset governance.

Expected evidence: Cloud account inventory, subscription inventory, resource group inventory, SaaS application inventory, admin role review, CSPM findings, cloud tagging standards, cloud policy exceptions, cloud monitoring alerts, cloud cost and utilization reports.

Required
Production cloud and SaaS assets inventoried.
Recommended
Cloud resources use mandatory tags: owner, environment, application, data classification, cost center.
P9

Validate Code Repository Governance

Assessor action: Review whether code repositories are inventoried, owned, protected, and monitored.

Expected evidence: Repository inventory, public/private classification, repository owner list, branch protection rules, pull request approval settings, secret scanning results, dependency vulnerability reports, archived repository list, developer access review.

Required
Production repositories have owners and access controls.
Recommended
Secret scanning, dependency scanning, and branch protection enabled for all active production repositories.
P10

Validate Monitoring, Capacity, and Performance Coverage

Assessor action: Confirm that important assets are monitored for availability, performance, capacity, and abnormal behavior.

Expected evidence: Monitoring inventory, alert rules, capacity/performance dashboards, incident tickets, alert tuning records, service-level reports, cloud metrics, application performance telemetry.

Required
Critical systems have monitoring and alerting.
Recommended
Monitoring is tied to service criticality and incident response procedures.
P11

Validate Asset Lifecycle and Disposal

Assessor action: Confirm that assets are governed from request through retirement. Lifecycle phases: Request → Approval → Purchase/Provisioning → Assignment → Configuration → Operation → Monitoring → Change → Transfer → Return → Sanitization → Disposal/Decommissioning.

Expected evidence: Procurement record, deployment ticket, change ticket, assignment record, return record, secure wipe record, disposal certificate, cloud decommissioning ticket, access removal evidence, inventory update.

Required
Data-bearing assets are sanitized before reuse or disposal.
Recommended
Decommissioning includes access removal, DNS cleanup, monitoring cleanup, backup review, and evidence retention.

Enterprise Assessment Decision Criteria

RatingMeaning
EffectiveAsset governance is documented, automated where practical, reconciled, risk-based, and evidenced.
Partially EffectiveThe organization has core processes, but ownership, inventory accuracy, lifecycle updates, or evidence are inconsistent.
IneffectiveThe organization cannot reliably identify assets, owners, locations, classifications, dependencies, or lifecycle status.
Not ApplicableThe asset type or control scenario does not exist in the assessed environment, and the rationale is documented.
Knowledge Check
Why must decommissioning (Procedure 11) include more than just physical disposal of hardware?
Physical disposal is the primary concern — digital artifacts like DNS entries and monitoring rules are cleaned up automatically by cloud platforms.
Retired assets may retain active access grants, monitoring rules, DNS records, backup data, cloud resources, and licensing — these become orphaned risks if not removed during controlled decommissioning.
Decommissioning only requires a disposal certificate — access and DNS cleanup are handled during the prior change management process.
Decommissioning evidence is only required for regulated data-bearing assets — other assets can be retired informally.
Move on when you can execute Procedures 6–11 and apply the enterprise assessment rating criteria.
4

Startup / SMB Procedures 1–5

20 min • Practical implementation • Inventory, M365/GWS, endpoints, EDR, DNS/Cloudflare

Startup/SMB profile: Organizations with limited IT staff, remote/hybrid employees, Microsoft 365 E3 or Google Workspace, Microsoft Intune, Cloudflare DNS, GitHub, GoDaddy/Bluehost hosting, MSP-managed SentinelOne or CrowdStrike EDR, Cisco Umbrella, Datadog/CloudWatch/Azure Monitor, and AiVRIC CloudSignals.
Startup control objective: Maintain a simple, accurate, and reviewable list of important technology assets; assign owners; apply basic protections; monitor critical systems; and keep enough evidence to show reasonable security and compliance practices. The goal is not bureaucracy — the goal is control.

Minimum viable asset governance model

A simple asset inventory with owner, purpose, criticality, and security tool coverage
Device management via Intune or Google endpoint management
EDR coverage report from MSP
DNS and website ownership records (Cloudflare, registrar)
GitHub repository ownership list with security settings
Cloud account inventory + AiVRIC CloudSignals GRC/CSPM evidence
Monitoring for critical services
A lightweight exception process
Monthly or quarterly evidence review
S1

Create One Simple Asset Inventory

Required / Baseline

Create one list showing the company's important technology assets. Acceptable platforms for a startup: Microsoft List or SharePoint List, Google Sheet, AiVRIC CloudSignals, or a lightweight PSA platform.

FieldPlain-Language Meaning
Asset nameWhat is it called?
Asset typeLaptop, phone, SaaS app, website, GitHub repo, DNS zone, cloud account, database, etc.
OwnerWho is responsible for it?
Business purposeWhy does it exist?
Data sensitivityPublic, internal, confidential, regulated, customer data, employee data, etc.
CriticalityHow bad would it be if it failed or leaked data?
Security tool coverageIs it in Intune, EDR, Cisco Umbrella, CloudSignals, etc.?
StatusActive, retired, lost, pending disposal, test, archived
Last reviewedWhen did someone last check it?
Small-business tip: A CMDB is usually Recommended, not required, for a small company — unless customer contracts, regulatory obligations, cyber insurance, or operational complexity require it.
S2

Inventory Microsoft 365 or Google Workspace

Required / Baseline

Treat the productivity tenant as a major business asset. At minimum inventory: the tenant, admin accounts, major collaboration sites, sensitive data repositories, guest/external sharing locations, and retention/eDiscovery tools.

Practical example — Finance SharePoint Site
A
Asset: Finance SharePoint Site  •  Owner: Finance Lead  •  Purpose: Stores invoices, payroll reports, contracts
B
Data sensitivity: Confidential  •  External sharing: Restricted  •  Review frequency: Quarterly
C
Evidence: Screenshot/export of site owner, sharing settings, sensitivity label, and access review
S3

Govern Endpoints with Intune or Google Endpoint Management

Required / Baseline

Every device that accesses company data should be known. Acceptable evidence: Microsoft Intune compliance report, Google endpoint management, EDR platform managed by MSP, device compliance report, or conditional access records.

BYOD risk escalation: BYOD becomes riskier when the company handles health data, payment card data, defense/controlled technical information, sensitive financial records, regulated customer data, or high-value IP. Company-owned managed devices are strongly recommended and may be required by contract or regulation.
S4

Use the MSP's EDR as a Reality Check

Required / Baseline

Once per month, compare: Intune device list • EDR device list • Employee roster. Look for employees with no device, devices with no assigned user, devices in Intune but missing EDR, inactive devices (30+ days), and terminated users with active devices.

Why compare Intune and EDR? Intune tells you whether a device is managed. EDR tells you whether the device is being monitored for malicious activity. A company laptop should usually appear in both systems.
S5

Inventory Cloudflare DNS

Required / Baseline

Treat the Cloudflare DNS zone as a critical business asset. Track: domain name, Cloudflare account, DNS administrators, MX/website/API/SPF/DKIM/DMARC records, DNSSEC status, registrar, and renewal date.

Example asset record — DNS Zone
A
Asset: company.com DNS Zone  •  Owner: IT/Security Lead  •  Provider: Cloudflare  •  Registrar: GoDaddy  •  Criticality: High
B
Evidence required: DNS export, admin list, DNSSEC status screenshot, registrar renewal screenshot
Knowledge Check
Does a small business always need a CMDB to satisfy AST-01 asset governance?
Yes — any company seeking SOC 2, ISO 27001, or cyber insurance must operate a formal CMDB regardless of size.
No — a small business may start with a well-maintained spreadsheet, SharePoint List, Google Sheet, or GRC tool. A CMDB becomes more important as the company grows, becomes regulated, or has complex systems.
No — a CMDB is never required; any informal asset tracking method is sufficient if the company can demonstrate ownership.
Yes — the SCF explicitly requires a CMDB for all organizations seeking to demonstrate AST-01 compliance.
Move on when you can execute Startup Procedures 1–5 and build a minimum viable asset inventory.
5

Startup Procedures 6–10, Monthly Review & Evidence

20 min • Website, GitHub, monitoring, Cisco Umbrella, CloudSignals • Monthly review • Evidence checklist

S6

Inventory Website Hosting

Required / Baseline

Track: hosting provider, plan, website URL, admin users, CMS platform, plugins/themes, SSL certificate, backup method, domain registrar, DNS provider, business owner, technical owner, renewal date, and payment owner.

Required to know: Who owns the website • Who can log into hosting • Where the domain is registered • Where DNS is managed • How the site is backed up • Who patches the CMS or plugins. A formal WAF is optional for a simple brochure site but becomes strongly recommended for login portals, e-commerce, customer data collection, or payment flows.
S7

Inventory GitHub Repositories

Required / Baseline

Every GitHub repository should have an owner and a purpose. Track: name, public/private status, business owner, technical owner, production/non-production use, sensitive data risk, branch protection status, secret scanning status, Dependabot status, archived status, and last reviewed date.

Example — customer-portal-api repository
A
Owner: Engineering Lead  •  Criticality: High  •  Visibility: Private  •  Branch protection: On  •  Dependabot: On  •  Secret scanning: On
B
Evidence: Repository settings screenshot, branch protection screenshot, security alerts export
Why GitHub is an asset: Source code can contain business logic, intellectual property, credentials, infrastructure definitions, and security weaknesses. A repository is not just a developer workspace — it is a company asset.
S8

Govern Monitoring Assets

Required / Baseline

Critical systems should have basic monitoring. For a startup, acceptable sources: Datadog, AWS CloudWatch, Azure Monitor, Azure Application Insights, hosting provider monitoring, MSP monitoring, or AiVRIC CloudSignals. Track website availability, SSL expiration, error rate, response time, CPU/memory, storage, database availability, backup success, DNS availability, and alert recipients.

S9

Cisco Umbrella as a Network Security Asset Source

Required / Baseline (if deployed)

If Cisco Umbrella is deployed, include it in asset governance. Track: Umbrella tenant, admin users, protected networks, roaming clients, DNS policies, block categories, exceptions, and last policy review. Know whether all intended users and locations are protected. Review blocked activity and policy exceptions monthly.

S10

AiVRIC CloudSignals for CSPM and GRC Management

Required / Baseline (when deployed)

Use AiVRIC CloudSignals as the control evidence and risk management layer. Track: cloud accounts, cloud resources, control mappings, CSPM findings, control exceptions, evidence uploads, asset risk scores, owners, remediation tasks, and review dates. Have one place where asset governance evidence is stored and reviewable.

Monthly 30-Minute AST Review

A practical startup review should be simple enough that someone will actually do it.

Step 1
New assets
Step 2
Missing / unmanaged
Step 3
High-risk items
Step 4
Exceptions
Step 5
Save evidence
Monthly AST Review — Step-by-step
1
New assets: New laptops? New GitHub repos? New DNS records? New cloud resources? New SaaS tools? New Teams, SharePoint, or Google Drive locations?
2
Missing or unmanaged: Devices in Intune without EDR? Active employees with no managed device? Former employees with active devices? GitHub repos without owners? Cloud resources without owner tags? DNS records no one recognizes?
3
High-risk items: Internet-facing assets, customer data, payment data, health data, production systems, admin accounts, public GitHub repos, BYOD access, critical DNS records, expiring domains or certificates.
4
Review exceptions: What is the exception? Why is it needed? What risk does it create? Who approved it? When does it expire? What compensating control is in place?
5
Save evidence: Inventory export, Intune/Google endpoint report, EDR coverage report, Cloudflare DNS export, GitHub repo list, cloud monitoring screenshot, Cisco Umbrella report, CloudSignals control report, exception log.

Startup Evidence Checklist

A small company can demonstrate good AST control operation with the following quarterly evidence package. Create a folder named: AST Evidence — Q3 2026

Current asset inventory export
Employee roster
Intune or Google endpoint device export
EDR coverage report from MSP
Cloudflare DNS export + registrar renewal screenshot
GitHub repository list + security alerts summary
Cloud account inventory + AiVRIC CloudSignals control report
Datadog / CloudWatch / Azure Monitor dashboard screenshot
Cisco Umbrella policy or activity report
Website hosting admin and backup screenshot
Exception log
Notes from asset review meeting
Tip: For a small business, screenshots and exports are acceptable starting evidence. As the company grows, replace screenshots with automated exports, integrations, and continuous evidence collection in AiVRIC CloudSignals.

Control Applicability — Startup vs. Enterprise

AST ActivityStartup / SMB ExpectationEnterprise Expectation
Asset inventoryRequired. Spreadsheet, SharePoint List, Google Sheet, or CloudSignals.Required. Formal ITAM / CMDB with integrations.
CMDBRecommended. Use when complexity justifies it.Required / Expected. Needed for auditability and scale.
Asset ownersRequired. Every important asset has an owner.Required. Business, technical, security, and data owners.
ClassificationRequired for important assets. Simple labels acceptable.Required. Formal classification taxonomy.
Cloud discoveryRequired for production cloud. Manual or CloudSignals.Required. Automated discovery and CSPM integration.
EDR coverageRequired. MSP report is acceptable evidence.Required. Coverage measured, reconciled, and escalated.
GitHub governanceRequired. Owners, visibility, basic security settings.Required. Formal SDLC, access review, scanning, policy enforcement.
MonitoringRequired for critical systems. Simple alerts acceptable.Required. Integrated observability and incident process.
Exception processRequired. Lightweight log acceptable.Required. Formal risk acceptance workflow.
Knowledge Check
Why should GitHub repositories be included in asset governance?
GitHub repositories are included in asset governance only when they are publicly accessible, because private repositories carry no meaningful organizational risk.
Repositories can contain source code, secrets, infrastructure definitions, intellectual property, and exploitable vulnerabilities — making them company assets that require ownership, protection, and monitoring regardless of visibility.
GitHub repositories should only be inventoried if the company is subject to a software security standard such as PCI DSS PA-DSS or NIST SSDF.
GitHub repositories are developer workspaces — security governance is handled by the development team and does not need to be part of a broader asset governance program.
Move on when you can execute Startup Procedures 6–10, run the monthly review, and compile an evidence package.

Capstone & Assessment

Completing all five modules makes you eligible for the AST Assessor Procedures certification exam and capstone exercise.

Exam domains:
  • Asset governance foundations & applicability legend — 15%
  • Enterprise assessor procedures (P1–P5: program, repo, reconciliation, ownership, classification) — 25%
  • Enterprise assessor procedures (P6–P11: services, endpoints, cloud, repos, monitoring, lifecycle) — 25%
  • Startup / SMB practical procedures & minimum viable model — 20%
  • Evidence compilation, monthly review, and assessment rating — 15%

Capstone exercise: Build a Startup AST Inventory

You are the security lead for a 40-person company using Microsoft 365 E3, Teams, SharePoint, Intune, Cloudflare, GitHub, Bluehost, MSP-managed CrowdStrike, Cisco Umbrella, Datadog, and AiVRIC CloudSignals. Your task:

Identify and document five endpoint assets (laptops, phones) with owner, management tool, EDR status, and data sensitivity
Document two SharePoint sites with owner, purpose, sensitivity, and external sharing status
Document one Teams workspace and one Cloudflare DNS zone with owner and renewal date
Document three GitHub repositories — one customer-facing, one internal tool, one archived
Document one cloud account (AWS or Azure) and one Datadog monitoring dashboard
Document one exception — contractor using personal laptop for 14 days — with approval, expiration, risk, and compensating control

Then answer these five questions for your mock inventory:

  1. Which assets are critical?
  2. Which assets have customer or employee data?
  3. Which assets are missing owners?
  4. Which assets need stronger protection?
  5. Which evidence would prove the control is working?

Assessor procedure statements

Enterprise: The assessor reviews whether the organization operates a formal asset governance program supported by documented policies, assigned control ownership, an authoritative asset repository, defined asset data standards, lifecycle processes, automated discovery, risk classification, service dependency mapping, monitoring coverage, exception management, and auditable evidence. The assessor reconciles asset records across CMDB, ITAM, MDM, EDR, cloud, vulnerability management, IAM, monitoring, procurement, SaaS, and GRC systems. Deficiencies are documented where asset data is incomplete, unowned, stale, inconsistent, or insufficient to support security, privacy, compliance, resilience, or incident response obligations.
Startup / SMB: The assessor reviews whether the organization maintains a practical and current inventory of important technology assets — including productivity systems, endpoints, DNS, website hosting, GitHub repositories, cloud resources, security tools, monitoring systems, and GRC/CSPM tooling. The assessor confirms that each important asset has an owner, business purpose, sensitivity level, lifecycle status, and evidence of basic security control coverage. The assessor compares available records from Intune or Google endpoint management, MSP-managed EDR, Cloudflare, GitHub, monitoring platforms, and AiVRIC CloudSignals to identify missing, duplicate, stale, unowned, or high-risk assets. Exceptions are documented, reviewed, and appropriate for the company's size, stage, industry, and regulatory obligations.
For enterprise learners: Asset Governance is a formal, auditable discipline that connects technology assets to business services, regulatory obligations, security controls, monitoring, lifecycle management, and evidence.
For startup learners: Asset Governance is a practical habit: keep a current list of the technology your company depends on, know who owns each item, protect the important assets first, review the list regularly, and save evidence that proves you did it.
🏅
Course complete!
You've completed AST Asset Governance Assessor Procedures. You can now conduct SCF AST-01 assessments for both enterprise and startup environments.
Next: Information Assurance