The Skinny

Many of you will be familiar with the starters and leavers process in organisations, we all have to do it.

take the same thinking and apply it to IT Assets – you’re welcome.

Obviously retrospective work is going to be less smooth, but have at it, get those juniors to work.

a new service / device / thing is being introduced to the network ? starters and leavers form … web form ?




  • What is it?
  • What problem is it fixing
  • Who’s the project owner
  • Has it been security tested
    • Yes
      •  where is the report
      • how old is it
    • No
      • Schedule one
  • Who needs visibility over configuration changes
  • Is it important enough to 4 eyes (from those who understand impact)
  • Who has access(s) to the $thing


  • Has all company information been removed (where data exists)
    • Configuration files
    • Memory
    • Disk(s)
  • Are there any requirements to have elements certified on distruction
  • what assurances to cloud services provide for data destruction on decommission

This post might grow and improve, feel free to ping me what I’ve missed, I’ll credit and update. I believe this method is less intrusive and could be integrated into IT’s workflow


What’s the driver for promoting this ?

I’ve had my way with many networks, networks using fairly comprehensive EDR/Network defences, the common gaps here are residual systems that cannot run Microsoft  or Apple Mac software, such as low powered devices that will allow tools to load and run that can manipulate networks to the point of gaining credentials or exploration and elevation – every time this happens it’s silly, the printer, the raspberry pi, the arm system that doesn’t have defence vendor support yet, they can all be hardened and minimised attack surface, but doing it in such a way that becomes normal, make it an IT problem that relies on the security team to provide config and hardening guidance, aligned with baselines and minimal organisation membership requirements, it can be sped up so every item isn’t a sluggish security project, it satisfies asset inventory, eradication of defaults, ownership and hardening. (maybe more ?!)