
Security Best Practices - Protect Asset Data and Access

6 min read | Intermediate | Last updated: January 2, 2026

Overview

Asset management systems contain valuable and sensitive information—purchase prices, locations, assignments, maintenance costs, and more. Poor security can lead to data breaches, unauthorized access, theft, or compliance violations.

Effective security practices:

  • Protect sensitive data - Keep financial and personal information secure
  • Prevent unauthorized access - Only authorized users see appropriate data
  • Enable audit trails - Track who did what and when
  • Support compliance - Meet regulatory and industry requirements
  • Maintain trust - Demonstrate responsible data stewardship

This guide covers essential security best practices for UniAsset deployments.

Access Control Fundamentals

Role-Based Access Control

Principle of least privilege:

  • Give users the minimum access they need
  • Start with Employee role, promote only when necessary
  • Review permissions quarterly
  • Remove access when no longer needed

Role assignment guidelines:

Role     | Appropriate For                | Never For
Owner    | Business owners, executives    | Contractors, temporary staff
Admin    | Operations leads, IT managers  | General employees
Manager  | Department heads, team leads   | Individual contributors
Employee | All staff needing asset info   | External vendors

Common mistakes:

  • Making everyone an Admin "just in case"
  • Not removing access when employees change roles
  • Sharing login credentials
  • Creating generic/shared accounts

User Lifecycle Management

Onboarding:

  1. Create account with appropriate role
  2. Provide training on security practices
  3. Document access grant in notes/log
  4. Review after 30 days, adjust if needed

Role changes:

  1. Update role when responsibilities change
  2. Document reason for change
  3. Notify affected user
  4. Verify they understand new permissions

Offboarding:

  1. Disable account immediately upon departure
  2. Review their recent activity
  3. Transfer asset ownership if applicable
  4. Document access removal

Review schedule:

  • Monthly: New user access review
  • Quarterly: Full user access audit
  • Annually: Comprehensive permission review
  • Ad-hoc: When security concerns arise

Managing External Access

Contractors and vendors:

  • Use Employee role (read-only)
  • Create separate accounts (never share)
  • Set expiration dates if possible
  • Remove immediately when project ends

Auditors:

  • Provide temporary read-only access
  • Filter to relevant asset categories
  • Track what they access
  • Remove access when audit completes

Partners/third parties:

  • Avoid granting system access when possible
  • Generate reports and share externally instead
  • If access required, strictly limit scope
  • Monitor activity closely
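
The role table, offboarding steps and expiration guidance above can be checked mechanically during a quarterly access audit. The following is an added example, not UniAsset code: the CSV export, its column names and the user_type labels are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a UniAsset format.
SAMPLE_USERS = """email,role,user_type,employment,account,access_expires
owner@example.com,Owner,executive,active,enabled,
temp@example.com,Owner,contractor,active,enabled,2026-06-30
ops@example.com,Admin,it_manager,active,enabled,
staff@example.com,Admin,general_employee,active,enabled,
lead@example.com,Manager,team_lead,active,enabled,
left@example.com,Employee,general_employee,departed,enabled,
audit@example.org,Employee,auditor,active,enabled,2025-12-15
gone@example.com,Employee,general_employee,departed,disabled,
"""

# "Never For" column of the role assignment table, keyed by role.
NEVER_FOR = {
    "Owner": {"contractor", "temporary_staff"},
    "Admin": {"general_employee"},
    "Manager": {"individual_contributor"},
    "Employee": {"external_vendor"},
}


def review_access(csv_text, today):
    """Return (email, finding) pairs for accounts that break the guide's rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"] != "enabled":
            continue  # disabled accounts no longer grant access
        email, role = row["email"], row["role"]
        if row["user_type"] in NEVER_FOR.get(role, set()):
            findings.append((email, f"{role} role held by {row['user_type']}"))
        if row["employment"] == "departed":
            findings.append((email, "departed user still enabled"))
        expires = row["access_expires"]
        if expires and date.fromisoformat(expires) < today:
            findings.append((email, f"access expired {expires}"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(SAMPLE_USERS, date(2026, 1, 2)):
        print(f"{email}: {finding}")
```

Each finding maps to an action already listed in this guide: lower the role, disable the account, or remove the expired access and document the change.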

Data Protection Strategies

Sensitive Information Handling

What's considered sensitive:

  • Asset purchase prices
  • Vendor contract terms
  • Employee assignments (may include PII)
  • Maintenance costs
  • Security-related assets (cameras, access control)
  • Assets at home addresses

Protection approaches:

Restrict by role:

  • Employees may not need to see purchase prices
  • Limit maintenance cost visibility
  • Control access to assignment data

Use categories strategically:

  • Separate sensitive asset types (security equipment)
  • Limit who can view certain categories
  • Document classification rationale

Document handling:

  • Mark sensitive documents clearly
  • Limit document access when possible
  • Use secure document storage
  • Follow retention policies

Financial Data Security

Purchase price protection:

  • Consider whether all users need to see costs
  • Use notes for sensitive pricing details
  • Limit invoice/receipt document access
  • Review financial data access quarterly

Budget and planning:

  • Restrict access to total asset value reports
  • Control who can export financial data
  • Secure depreciation schedules
  • Protect TCO analysis results

Vendor information:

  • Protect vendor contact details
  • Secure contract documents
  • Limit access to pricing agreements
  • Control vendor performance data

Personal Information

Employee assignments:

  • Only store necessary information
  • Follow privacy laws (GDPR, CCPA, etc.)
  • Enable employees to see their own assignments
  • Restrict access to others' assignment history

Home address handling:

  • Use Location "Home - [Employee Name]" without specific address
  • Store addresses separately if needed
  • Limit who can view home locations
  • Follow company privacy policies

Compliance considerations:

  • Know applicable privacy regulations
  • Document data processing purposes
  • Provide data access/deletion upon request
  • Maintain audit trail of access

Password and Authentication Security

Password Requirements

Strong password practices:

  • Minimum 12 characters
  • Mix of upper, lower, numbers, symbols
  • No common words or patterns
  • Unique password (not reused)

Password management:

  • Change if compromised
  • Don't share passwords ever
  • Use password manager
  • Enable two-factor authentication (if available)

Company policy:

  • Document password requirements
  • Provide training on strong passwords
  • Monitor for weak passwords (if possible)
  • Enforce regular review (not forced rotation)

Account Security

Login monitoring:

  • Review login activity periodically
  • Investigate unusual access patterns
  • Monitor failed login attempts
  • Alert on after-hours access (if critical)

Session management:

  • Log out when finished
  • Don't stay logged in on shared computers
  • Use private browsing for sensitive operations
  • Lock screen when stepping away

Suspicious activity:

  • Report unauthorized access immediately
  • Document security incidents
  • Change passwords if compromised
  • Review affected data

Physical Security Integration

Asset Location Security

Secure storage locations:

  • Mark high-value asset storage as restricted
  • Document security measures (locks, cameras)
  • Limit location access information
  • Review location security quarterly

Asset movement tracking:

  • Document when assets move to/from secure areas
  • Require authorization for high-value transfers
  • Photo verification for valuable items
  • Audit trail of location changes

Remote/home assets:

  • Track assets at employee homes
  • Document responsible party
  • Include in insurance coverage
  • Require return upon termination

Document Security

Physical documents:

  • Secure storage for paper records
  • Control access to file cabinets
  • Shred sensitive documents when disposed
  • Log document checkout if applicable

Digital document security:

  • Encrypt sensitive files before upload
  • Use secure file sharing
  • Implement document retention policy
  • Secure backups

Audit Trails and Monitoring

Change Tracking

What to track:

  • Asset creation, edits, deletions
  • Assignment changes
  • Status updates
  • Document uploads/deletions
  • User permission changes

Review practices:

  • Periodic review of recent changes
  • Investigate unexpected changes
  • Monitor bulk operations
  • Verify high-value asset changes

Audit log retention:

  • Keep logs for compliance period (typically 7 years)
  • Export logs for long-term storage
  • Secure archived logs
  • Document retention policy

Reporting and Alerts

Security-relevant reports:

  • User access log
  • Recent asset changes
  • Assignment history
  • Document access (if tracked)
  • High-value asset movements

Alert scenarios:

  • High-value asset status change
  • Bulk asset deletion
  • Unusual access patterns
  • Failed login attempts (if available)

Backup and Recovery

Data Backup

UniAsset cloud backups:

  • UniAsset maintains system backups
  • Understand backup frequency and retention
  • Know recovery time objectives (RTO)
  • Test restore process if possible

Your backup responsibilities:

  • Export critical reports regularly
  • Maintain local copies of key documents
  • Back up custom templates/workflows
  • Document system configuration

Backup schedule:

  • Weekly: Full asset data export
  • Monthly: Document backups
  • Quarterly: Configuration documentation
  • Annually: Complete system state export

Disaster Recovery Planning

Document your recovery plan:

  1. Identify critical data and functions
  2. Define recovery time objectives
  3. Assign recovery responsibilities
  4. Document step-by-step procedures
  5. Test recovery process annually

Recovery scenarios:

  • Accidental deletion
  • Account compromise
  • System outage
  • Data corruption

Emergency contacts:

  • UniAsset support information
  • Internal IT/security team
  • Management escalation path
  • Vendor contacts if needed

Compliance and Regulations

Common Compliance Requirements

SOX (Sarbanes-Oxley):

  • Fixed asset tracking and valuation
  • Change audit trails
  • Access controls
  • Disposal documentation

GDPR/CCPA (Privacy laws):

  • Personal data minimization
  • Data access/deletion rights
  • Processing documentation
  • Consent management

ISO 27001 (Information Security):

  • Access control policy
  • Asset inventory
  • Risk assessment
  • Incident response

Industry-specific:

  • HIPAA (healthcare): PHI protection
  • PCI DSS (payments): Secure hardware tracking
  • FISMA (government): System security documentation

Compliance Best Practices

Documentation:

  • Maintain security policies
  • Document access controls
  • Record security incidents
  • Keep audit evidence

Training:

  • Security awareness training
  • Role-specific security training
  • Compliance requirements overview
  • Incident response procedures

Regular audits:

  • Quarterly access reviews
  • Annual security assessment
  • Compliance gap analysis
  • Third-party audits when required

Incident Response

Recognizing Security Incidents

Common incidents:

  • Unauthorized access attempt
  • Compromised user account
  • Data breach or leak
  • Malicious data changes
  • Lost/stolen device with access

Warning signs:

  • Unusual system activity
  • Unexpected asset changes
  • Login from unfamiliar locations
  • User reports suspicious activity

Response Procedures

Immediate actions:

  1. Contain the incident (disable account if needed)
  2. Assess the scope and impact
  3. Notify appropriate parties (IT, security, management)
  4. Preserve evidence (logs, screenshots)
  5. Document timeline and actions taken

Investigation:

  • Review audit logs
  • Identify affected data
  • Determine root cause
  • Assess damage

Remediation:

  • Close security gaps
  • Change compromised credentials
  • Restore data if needed
  • Update security measures

Post-incident:

  • Document lessons learned
  • Update security procedures
  • Provide additional training
  • Monitor for recurrence

Incident Documentation

What to record:

  • Date/time of discovery
  • Who discovered it
  • Description of incident
  • Actions taken
  • Impact assessment
  • Root cause
  • Remediation steps
  • Preventive measures

Use documentation for:

  • Compliance reporting
  • Insurance claims
  • Legal requirements
  • Process improvement

Security Checklist

Initial Setup

  • Review default security settings
  • Configure appropriate user roles
  • Document access control policy
  • Train users on security practices

Ongoing (Monthly)

  • Review new user access
  • Monitor for unusual activity
  • Check for inactive accounts
  • Export backup data

Quarterly

  • Full user access audit
  • Review sensitive data access
  • Update security documentation
  • Security awareness refresher

Annually

  • Comprehensive security review
  • Test disaster recovery plan
  • Update security policies
  • External security audit (if applicable)

Security Tips by Role

For Owners/Admins

  • Review access permissions regularly
  • Monitor high-value asset changes
  • Maintain audit documentation
  • Stay informed on security threats
  • Lead by example in security practices

For Managers

  • Protect data within your scope
  • Report security concerns immediately
  • Follow data handling procedures
  • Train your team on security
  • Verify user access needs

For All Users

  • Use strong, unique passwords
  • Never share login credentials
  • Log out when finished
  • Report suspicious activity
  • Follow security policies
  • Protect sensitive information

Key Takeaways

  • Least privilege wins - Give users only the access they need
  • Monitor and review - Regular access audits catch issues early
  • Protect sensitive data - Financial and personal information needs extra care
  • Document everything - Audit trails support compliance and investigations
  • Train continuously - Security is everyone's responsibility
  • Plan for incidents - Have response procedures ready
  • Compliance matters - Know and follow applicable regulations

Security isn't a one-time setup—it's an ongoing practice. Make security part of your asset management culture, and you'll protect both your assets and your organization's reputation.
