Cybersecurity Frameworks - Cybersecurity Guides
As part of our effort to help businesses navigate Cybersecurity, we are kicking off our Cybersecurity Control Initiative, where we will cover Cybersecurity Controls across different frameworks and provide a summary of the objective and any recommendations we have on how to adopt and implement the control. We will leverage many different Cybersecurity resources, which we will reference in the summary. These will mostly be Cybersecurity Frameworks and requirements from governing bodies, but could also be best practice recommendations from published articles, books, or whitepapers. We plan to use different security frameworks, but first we're going to focus on the Center for Internet Security (CIS) Controls, Version 8. Over time, the collection of control summaries will help businesses and Cybersecurity professionals build, improve and manage their Information Security Programs.
Cybersecurity Control Review: Manage and Maintain an Asset Inventory, CIS 1.1
Summary:
Establish and Maintain a Detailed Enterprise Asset Inventory, which is part of Control 01: Inventory and Control of Enterprise Assets. This control is covered by almost every Cybersecurity framework and is the first control addressed in the CIS Controls.
Create and maintain an accurate, detailed, and up-to-date inventory of all company assets. These are assets that have the capability to store or process data. These can include end-user computers, end-user mobile devices, network devices, non-computing/IoT devices, and servers.
The inventory should include all important details about the asset, such as the network address, hardware (mac) address, machine name, asset owner, department for each asset, and whether the asset has been approved to connect to the network.
For mobile end-user devices, mobile device management (MDM) solutions can assist with collecting and maintaining this information. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the company's network infrastructure, even if they are not under owned or managed by the company directly.
It is very important to review and update the inventory on a regular basis. Most organizations update the inventory monthly and conduct a review quarterly. This should be done twice per year, at a minimum.
Recommendations:
There are many software solutions and tools available that can be used so most of this can be automated. This can be a tedious and time-consuming effort, so by spending some money on good tools, this will save a tremendous amount of time and make the process much more efficient. With the help of good tools data can be updated in almost real-time which will help improve your security processes and controls. Don't forget that there will still need to be a manual review of the data to verify for accuracy, which is commonly done on a monthly basis. Some companies make the mistake of implementing a tool and then forgetting about this, but then there may be missing or inaccurate data.
See the list of references below
Review these sources for more information
CIS Controls https://www.cisecurity.org/controls
