Appendix B: Asset Configuration Documentation

Aligned with NIST SP 800-53 (CM Family) and FCA Regulatory Expectations

Purpose:

To document key configuration details for all critical assets supporting security, business continuity, identity management, and incident response operations. This aligns with NIST SP 800-53r5 Configuration Management (CM) controls (e.g., CM-2, CM-6, CM-8) and supports asset visibility, change control, and compliance.

Asset Configuration Template (Excel/Word Table)

| Asset ID | Asset Name | Type | Owner | Location | Baseline Config Version | Last Updated | Change Control Ref. | Criticality | Dependencies | Backup/Restore Method | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AS-001 | IAM Platform (JumpCloud) | SaaS Platform | Sarah D (IAM) | Cloud (UK/EU) | v1.3 | 01-May-2025 | CHG-2211 | High | SCIM, Okta, HRIS | Daily snapshot via API | Key for access control |
| AS-002 | Main Firewall (Palo Alto) | Hardware Appliance | Jane S (SecOps) | Data Centre A | FWv9.1.0 | 15-Apr-2025 | CHG-2199 | High | SIEM, Syslog | Config backed up weekly | Firmware due update Q3 |
| AS-003 | Xcavate CRM | SaaS | David C (Vendor) | AWS EU West | v2025.1 | 02-Jun-2025 | CHG-2240 | Medium | Marketing DB, Email Tool | Built-in vendor backup | DR test scheduled Q4 |
| AS-004 | SIEM (Splunk) | Software | Tom W (IT Risk) | Cloud Hosted | ConfigSet_XC025 | 29-May-2025 | CHG-2237 | High | Firewall, IDS, IAM Logs | Daily backup by script | Correlation rules active |
| AS-005 | DevOps Git Repository | Cloud Repository | Emily C (DPO) | GitHub Enterprise | v2.0 (Hardened) | 10-May-2025 | CHG-2215 | High | CI/CD, Build System | Encrypted backup nightly | MFA enforced |

Required Documentation for Each Asset:

Each critical asset entry in this appendix should be backed by:

  1. Baseline Configuration Document – System build standards, versions, OS patches, tools.

  2. Change Log / Audit Trail Reference – Link to change approval records.

  3. Dependency Map – Dependencies on applications, infrastructure, or third parties.

  4. Security Hardening Checklist – Alignment with CIS/NIST benchmarks.

  5. Backup/Restore Procedures – Frequency, media, encryption, and test status.

  6. Contact Owner Acknowledgement – Last review and confirmation signature or log.
