Daily Security Control (DSC) - Manage and Maintain an Asset Inventory

Updated: Sep 15



As part of our effort to help businesses navigate Cybersecurity, we are kicking off our Daily Security Control (DSC) initiative, where we will focus on one Cybersecurity Control and provide a summary of the objective and any recommendations we have on how to adopt and implement the control. We will pull from many different Cybersecurity sources, which we will reference in the summary. These will mostly be Cybersecurity Frameworks and requirements from governing bodies, but could also be general best practices, recommendations from hardware and software vendors, or published articles, books, or white papers. We may bounce around a little to cover different security topics, but first we're going to focus on the Center for Internet Security (CIS) Controls Version 8 framework. Over time, the collection of control summaries will help businesses and Cybersecurity professionals build, improve, and manage their Information Security Programs. We hope you all benefit and, as always, please reach out with feedback so we can improve along the way! Thanks

 

Daily Security Control: Manage and Maintain an Asset Inventory, CIS Control 1.1


Summary:

CIS Control 1.1 is Establish and Maintain a Detailed Enterprise Asset Inventory, which is part of Control 01: Inventory and Control of Enterprise Assets. This control is covered by almost every Cybersecurity framework and is the first control addressed in the CIS Controls.


Create and maintain an accurate, detailed, and up-to-date inventory of all company assets. These are assets that have the capability to store or process data. These can include end-user computers, end-user mobile devices, network devices, non-computing/IoT devices, and servers.

The inventory should include all important details about each asset, such as the network address, hardware (MAC) address, machine name, asset owner, department, and whether the asset has been approved to connect to the network.


For mobile end-user devices, mobile device management (MDM) solutions can assist with collecting and maintaining this information. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the company's network infrastructure, even if they are not owned or managed by the company directly.


It is very important to review and update the inventory on a regular basis. Most organizations update the inventory monthly and conduct a review quarterly. At a minimum, the inventory should be reviewed and updated twice per year.


Recommendations:

There are many software solutions and tools available that can automate most of this work. Maintaining an inventory can be a tedious and time-consuming effort, so spending some money on good tools will save a tremendous amount of time and make the process much more efficient. With the help of good tools, data can be updated in almost real time, which will help improve your security processes and controls. Don't forget that the data still needs a manual review to verify its accuracy, which is commonly done on a monthly basis. Some companies make the mistake of implementing a tool and then forgetting about this review, and end up with missing or inaccurate data.
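
The kind of check that supports the manual review described above, as an added example (not from the CIS Controls or any vendor tool): it audits an inventory export for the fields listed in the summary, flags records whose last review is older than the twice-per-year minimum, and compares the inventory against MAC addresses seen on the network. The CSV column names, the 183-day threshold, and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Fields the summary lists for every asset record (column names are assumptions).
REQUIRED = ("network_address", "mac_address", "machine_name",
            "owner", "department", "approved")
MAX_REVIEW_AGE_DAYS = 183  # assumption: encodes "twice per year, at a minimum"

# Constructed sample inventory export.
INVENTORY_CSV = """network_address,mac_address,machine_name,owner,department,approved,last_reviewed
10.0.1.10,00:1A:2B:3C:4D:01,fin-laptop-01,a.rivera,Finance,yes,2024-05-02
10.0.1.11,00-1a-2b-3c-4d-02,hr-laptop-07,,HR,yes,2024-04-20
10.0.2.5,00:1A:2B:3C:4D:03,lobby-cam-1,facilities,Facilities,no,2023-09-01
"""
# Constructed sample of MAC addresses observed on the network.
OBSERVED_MACS = ["00:1a:2b:3c:4d:01", "00:1A:2B:3C:4D:03", "00:1A:2B:3C:4D:99"]


def norm_mac(mac):
    """Strip separators and case so differently formatted MACs compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def audit(inventory_csv, observed_macs, today):
    """Return (finding, asset, detail) tuples for records needing manual review."""
    findings, known = [], {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        name = row.get("machine_name") or row.get("mac_address") or "unknown"
        known[norm_mac(row.get("mac_address", ""))] = row
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            findings.append(("missing_fields", name, ",".join(missing)))
        reviewed = row.get("last_reviewed", "")
        if not reviewed or (today - date.fromisoformat(reviewed)).days > MAX_REVIEW_AGE_DAYS:
            findings.append(("review_overdue", name, reviewed or "never"))
    for raw in observed_macs:
        row = known.get(norm_mac(raw))
        if row is None:
            findings.append(("not_in_inventory", raw, ""))
        elif row.get("approved", "").lower() != "yes":
            findings.append(("connected_but_unapproved", row["machine_name"], ""))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, OBSERVED_MACS, date(2024, 6, 1)):
        print(finding)
```

In practice the observed list would come from whatever discovery source is available, and every finding goes to a person for follow-up rather than being corrected automatically.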


See the list of references below

 

Review these sources for more information

  1. CIS Controls https://www.cisecurity.org/controls
