Asset Inventory and Control v2
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain: the people who use, administer, and configure computer systems.”
The CIS Control for Inventory and Control of Enterprise Assets is a fundamental and critical component of any robust cybersecurity program. This control focuses on actively managing (tracking, reporting on, and correcting) all enterprise assets connected to an organization's infrastructure, whether physically, virtually, remotely, or within cloud environments. The primary goal is to maintain an accurate, up-to-date inventory of all assets that connect to the network or process, store, or transmit data.
The importance of this control cannot be overstated. An organization cannot protect what it doesn't know exists. Unidentified or unmanaged assets represent potential vulnerabilities that can be exploited by threat actors. These "shadow assets" might be running outdated software, lack proper security controls, or provide unauthorized access points to the network.
These steps are basic remediation steps for Windows, macOS, Linux, AWS, GCP, and Azure. As tools change, remediation advice changes. This entry maps to the CIS Control code or ID referenced in the entry. Please check back regularly for updates to this library entry.
Asset Categories
Hardware:
Servers (physical and virtual)
Workstations (desktops and laptops)
Network devices (routers, switches, firewalls)
IoT devices (smart cameras, sensors, industrial control systems)
Mobile devices (smartphones, tablets)
Peripheral devices (printers, scanners)
Software:
Operating systems (Windows, macOS, Linux distributions)
Applications (off-the-shelf and custom-developed)
Firmware (for network devices, IoT)
Databases (SQL, NoSQL)
Middleware and runtime environments
Virtual Assets:
Virtual machines (VMware, Hyper-V, KVM)
Containers (Docker, Kubernetes pods)
Virtual appliances
Software-defined networking (SDN) components
Cloud Resources:
Infrastructure as a Service (IaaS): VMs, storage, networks
Platform as a Service (PaaS): App services, databases
Software as a Service (SaaS): Office 365, Salesforce, etc.
Serverless functions and services
Data Assets:
Databases (production, development, backup)
File shares and storage systems
Data warehouses and data lakes
Backup and archive systems
Remote Assets:
Employee-owned devices (BYOD)
Remote office infrastructure
Third-party managed devices
Edge computing devices
Asset Inventory Attributes
Identification:
Unique identifier (e.g., asset tag, serial number, UUID)
Asset name and description
Asset type and category (from the categories above)
Ownership and Responsibility:
Primary owner (individual or department)
Secondary contacts
Vendor/manufacturer (if applicable)
Location and Access:
Physical location (for hardware)
Network location (IP address, VLAN)
Geographical location (for distributed assets)
Access methods and restrictions
Technical Details:
Make and model (for hardware)
Version and patch level (for software)
Configuration details
Capacity and performance metrics
Security Posture:
Patch status (up-to-date, pending, out-of-date)
Known vulnerabilities
Compliance status (compliant, non-compliant, exempted)
Security controls applied (encryption, access controls, etc.)
Lifecycle Information:
Acquisition date
Warranty information
End-of-life/support dates
Current status (active, inactive, decommissioned)
Dependencies and Relationships:
Connected systems and interfaces
Data flows
Service dependencies
Risk Profile:
Criticality to business operations
Data classification (e.g., public, confidential, regulated)
Threat exposure (e.g., internet-facing, internal only)
1. Establish Asset Inventory Scope
Actions:
Define asset categories to be included in the inventory:
Hardware (servers, workstations, network devices, IoT devices)
Software (operating systems, applications, firmware)
Virtual assets (VMs, containers)
Cloud resources (IaaS, PaaS, SaaS)
Data assets (databases, file shares)
Remote assets (employee-owned devices, remote offices)
Determine the minimum information to be collected for each asset type:
Unique identifier
Asset type and category
Owner/responsible party
Location (physical or virtual)
Status (active, inactive, decommissioned)
Security posture (patched, vulnerable, compliant)
2. Implement Automated Discovery and Inventory Tools
Actions:
Deploy network discovery tools:
Use Nmap for network scanning and OS fingerprinting
Implement Wireshark for deep packet inspection and protocol analysis
Implement asset management solutions:
For on-premises: Microsoft System Center Configuration Manager (SCCM) or BMC Helix Discovery
For cloud: AWS Config, Azure Resource Graph, or Google Cloud Asset Inventory
Deploy endpoint detection and response (EDR) tools:
Consider solutions like CrowdStrike Falcon or Microsoft Defender for Endpoint
Implement cloud management platforms:
Use multi-cloud management tools like CloudCheckr or Flexera
Set up continuous monitoring:
Configure tools to perform regular scans (e.g., daily for critical assets, weekly for others)
Implement real-time asset discovery for dynamic environments
3. Establish Asset Onboarding and Offboarding Processes
Actions:
Create workflows for adding new assets:
Integrate with procurement and provisioning processes
Implement automated asset registration for cloud resources
Develop procedures for asset decommissioning:
Include data wiping and secure disposal for physical assets
Implement automated deprovisioning for cloud resources
Establish processes for handling temporary assets:
Define policies for BYOD and contractor devices
Implement network access control (NAC) for temporary device management
4. Implement Asset Tracking and Reporting
Actions:
Set up a centralized asset inventory database:
Consider using a Configuration Management Database (CMDB) like ServiceNow
Implement asset tagging:
Use physical asset tags for hardware
Implement virtual tagging (e.g., AWS tags, Azure tags) for cloud resources
Develop automated reporting:
Create dashboards for real-time asset visibility
Set up scheduled reports for various stakeholders (IT, Security, Management)
Implement alerting for asset-related events:
Configure alerts for unauthorized assets, changes in asset status, or compliance violations
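As an added example (not part of this library entry), here is a Python reconciliation of an Nmap XML scan (the -oX output from the discovery tools in step 2) against a CMDB export, producing the unauthorized-asset and asset-status-change alerts this step calls for; the scan, the inventory records and the use of the MAC address as the unique identifier are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the -oX shape Nmap emits for an on-subnet scan (MAC addresses present).
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.local"/></hostnames></host>
  <host><status state="up"/><address addr="10.0.1.77" addrtype="ipv4"/>
    <address addr="aa:bb:cc:dd:ee:ff" addrtype="mac"/><hostnames/></host>
  <host><status state="up"/><address addr="10.0.1.23" addrtype="ipv4"/>
    <address addr="0c:0d:0e:0f:10:11" addrtype="mac"/><hostnames/></host>
  <host><status state="down"/><address addr="10.0.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed CMDB export; the MAC address serves as the unique identifier.
INVENTORY = [
    {"mac": "00:11:22:33:44:55", "name": "web01", "owner": "web-team", "status": "active"},
    {"mac": "66:77:88:99:AA:BB", "name": "db02", "owner": "dba", "status": "active"},
    {"mac": "0C:0D:0E:0F:10:11", "name": "old-printer", "owner": "facilities", "status": "decommissioned"},
]

def parse_nmap_hosts(xml_text):
    """Map each live host to its IPv4 and hostname, keyed by upper-case MAC (IP if no MAC seen)."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts Nmap did not see respond
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        hn = host.find("hostnames/hostname")
        key = addrs.get("mac", addrs.get("ipv4")).upper()
        hosts[key] = {"ip": addrs.get("ipv4"), "hostname": hn.get("name") if hn is not None else None}
    return hosts

def reconcile(scan_hosts, inventory):
    """Compare live hosts with the CMDB and return the three conditions worth alerting on."""
    known = {r["mac"].upper(): r for r in inventory}
    return {
        # on the wire but not in the CMDB: a shadow asset to investigate
        "unknown": sorted(k for k in scan_hosts if k not in known),
        # recorded as active but not seen: stale record or outage
        "stale": sorted(k for k in known if known[k]["status"] == "active" and k not in scan_hosts),
        # decommissioned in the CMDB yet answering: an asset-status change to alert on
        "revived": sorted(k for k in scan_hosts if known.get(k, {}).get("status") == "decommissioned"),
    }

if __name__ == "__main__":
    for kind, macs in reconcile(parse_nmap_hosts(SCAN_XML), INVENTORY).items():
        print(f"{kind}: {macs}")
```

Nmap only reports MAC addresses for hosts on the scanner's own subnet; for routed scans the CMDB key would need to be the IP or a hostname instead.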
5. Establish Asset Control Measures
Actions:
Implement network access control:
Deploy a NAC solution like Cisco ISE or Forescout CounterACT
Configure policies to allow only authorized devices on the network
Set up software asset management:
Use tools like Microsoft Software Asset Management or Flexera to track software licenses and usage
Implement application whitelisting to control software execution
Implement a cloud access security broker (CASB) like Microsoft Cloud App Security or Netskope to control access to cloud resources
Establish mobile device management (MDM) like VMware Workspace ONE or Microsoft Intune for managing mobile and remote devices
6. Continuous Monitoring and Correction
Actions:
Implement continuous vulnerability assessment:
Use tools like Qualys or Tenable.io to regularly scan assets for vulnerabilities
Integrate vulnerability data with the asset inventory
Set up configuration management:
Use tools like Ansible, Puppet, or Chef to maintain and enforce standard configurations
Regularly audit configurations against baselines
Implement automated patching:
Use WSUS or third-party patch management tools for Windows systems
Implement automated patching for cloud resources using native tools (e.g., AWS Systems Manager, Azure Automation)
Establish a process for addressing non-compliant assets:
Define escalation procedures for persistent issues
Implement automated remediation where possible (e.g., quarantine, forced updates)
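An added example, not from this entry, showing how the Security Posture, Lifecycle and Risk Profile attributes listed earlier can drive the escalation procedure for non-compliant assets in this step; the records, the tier thresholds and the AS_OF date are constructed assumptions.

```python
from datetime import date

# Constructed records carrying the Security Posture, Lifecycle and Risk Profile attributes.
ASSETS = [
    {"id": "srv-001", "patch_status": "up-to-date", "eol": "2027-01-01", "criticality": "high",
     "exposure": "internet-facing", "compliance": "compliant"},
    {"id": "srv-002", "patch_status": "out-of-date", "eol": "2026-06-30", "criticality": "high",
     "exposure": "internet-facing", "compliance": "non-compliant"},
    {"id": "ws-117", "patch_status": "pending", "eol": "2024-10-14", "criticality": "low",
     "exposure": "internal only", "compliance": "non-compliant"},
    {"id": "cam-04", "patch_status": "out-of-date", "eol": "2025-01-01", "criticality": "medium",
     "exposure": "internal only", "compliance": "exempted"},
]
AS_OF = date(2025, 6, 1)  # constructed evaluation date

def findings(asset, today):
    """Reasons the asset needs correction; an empty list means it is in a good state."""
    reasons = []
    if asset["patch_status"] == "out-of-date":
        reasons.append("patches out of date")
    if date.fromisoformat(asset["eol"]) <= today:
        reasons.append("past end of support")
    if asset["compliance"] == "non-compliant":
        reasons.append("non-compliant")
    return reasons

def escalation_tier(asset, today):
    """0 = no action, 1 = ticket the owner, 2 = escalate to management, 3 = quarantine candidate.
    The tier is the finding count, raised by one each for internet exposure and high criticality;
    assets with a documented exemption are still tracked but never rise above tier 1."""
    reasons = findings(asset, today)
    if not reasons:
        return 0
    if asset["compliance"] == "exempted":
        return 1
    score = len(reasons)
    if asset["exposure"] == "internet-facing":
        score += 1
    if asset["criticality"] == "high":
        score += 1
    return min(score, 3)

def triage(assets, today):
    """Return [(id, tier, reasons)] for every asset needing action, highest tier first."""
    rows = [(a["id"], escalation_tier(a, today), findings(a, today)) for a in assets]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for asset_id, tier, reasons in triage(ASSETS, AS_OF):
        print(f"{asset_id}: tier {tier} ({', '.join(reasons)})")
```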
7. Data Asset Management
Actions:
Implement data discovery and classification:
Use tools like Microsoft Information Protection or Varonis Data Classification Engine
Establish data inventory processes:
Catalog databases, file shares, and cloud storage
Implement metadata tagging for data assets
Implement data loss prevention (DLP):
Deploy DLP solutions to monitor and control data movement
Establish data lifecycle management:
Implement processes for data retention, archiving, and secure deletion
8. Training and Documentation
Actions:
Develop training materials:
Create role-specific training for IT, security, and end-users
Include asset management responsibilities in security awareness training
Establish and maintain documentation:
Create and regularly update asset management policies and procedures
Maintain detailed documentation of the asset inventory system and processes
Conduct regular drills:
Perform asset inventory accuracy checks
Practice incident response scenarios involving asset inventory
Implementation Timeline
Planning Phase (Weeks 1-2):
Define scope and requirements
Select necessary tools and solutions
Tool Deployment (Weeks 3-6):
Implement discovery and inventory tools
Set up centralized asset database
Process Establishment (Weeks 7-10):
Develop and document asset management processes
Implement asset control measures
Integration and Testing (Weeks 11-14):
Integrate asset management with other security processes
Conduct initial full asset inventory and reconciliation
Training and Refinement (Weeks 15-18):
Conduct staff training
Refine processes based on initial implementation
Ongoing Operations:
Continuous monitoring and improvement
Regular audits and updates to the asset inventory