Analecta Cyber Company Blog: Making Sense of the NIST Cybersecurity Framework: Why you need an asset inventory for managing cyber risk

2018-03-06

Making Sense of the NIST Cybersecurity Framework: Why you need an asset inventory for managing cyber risk

Creating your first device inventory to manage your assets


As you move toward adopting the National Institute of Standards and Technology (NIST) Cybersecurity Framework in your organization, one of the first items you will encounter is the need to identify the assets that require protection. You cannot patch, monitor or defend what you do not know you have, so a clear record of what each component does, where it sits in the organization’s information system, and what vulnerabilities it carries goes a long way toward protecting your assets. But managing IT assets and conducting device inventories is more than just tracking hardware and sub-components.

Why manage an IT asset device inventory?


The Framework’s Asset Management category (ID.AM, under the Identify function) states that the assets that “enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.” The control it maps to in NIST SP 800-53 is CM-8, Information System Component Inventory. In short, organizations need to be able to identify, protect and manage anything that is required to conduct business. Although the NIST documentation may feel daunting, it comes down to a few key recommendations.

How to create your first device/asset inventory: Where to start?


The first step in creating a list of components is to find out what is already known about the systems and networks. Your business may already have much of this information, scattered across several formats. One place to look is the accounting system, which typically records every asset the organization purchased. Keep in mind, though, that there will be components on the network that the company never bought. How will those be inventoried, managed and protected? For example:
  1. Does your business own all of its IT assets outright, or is some of the equipment in your information system leased?
  2. Does the organization allow employees to ‘bring your own device’ (BYOD), or are systems on the network restricted to those purchased, managed and maintained by your organization?
Although BYOD set-ups are becoming more common and can benefit both the company and the employee, they bring their own challenges (devices the company cannot image, patch or wipe) that must be part of the information security discussion. It is best to work through these concerns and possible solutions with information security experts who can address your company’s individual situation.

Another quick start to building your inventory is the company’s DHCP server, whose lease list records the hardware (MAC) address, the assigned IP address and usually the hostname of every device that has asked for an address. Treat it as a starting point rather than the whole picture: statically addressed devices, and devices on segments the server does not serve, never appear in it, and a MAC address is trivially spoofed, so a lease is not proof that a device is authorized. Regardless of which policy approach your organization uses, you need to ensure that only authorized devices are given access and that any unauthorized or unmanaged devices are detected and prevented from gaining access.
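As an added example (not code from the original post or from Analecta), the script below parses a lease file in ISC dhcpd.leases syntax and reconciles the active leases against an authorized inventory keyed by MAC address, reporting both devices that hold a lease but are not in the inventory and inventory entries that hold no active lease. The lease text and the inventory are constructed sample data, and the AUTHORIZED layout is an assumption, not a format the post prescribes.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax (not a real capture).
# dhcpd appends a new block every time a lease is granted or renewed,
# so the same IP can appear more than once; the last block is current.
SAMPLE_LEASES = """\
lease 10.0.5.21 {
  starts 2 2018/03/06 09:01:00;
  ends 2 2018/03/06 21:01:00;
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "fileserver01";
}
lease 10.0.5.60 {
  starts 2 2018/03/05 08:00:00;
  ends 2 2018/03/05 20:00:00;
  binding state free;
  hardware ethernet 00:1a:2b:3c:4d:77;
}
lease 10.0.5.44 {
  starts 2 2018/03/06 09:15:00;
  ends 2 2018/03/06 21:15:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "android-7f3c";
}
lease 10.0.5.44 {
  starts 2 2018/03/06 11:30:00;
  ends 2 2018/03/06 23:30:00;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:01;
  client-hostname "android-7f3c";
}
"""

# Constructed authorized inventory keyed by lower-case MAC (assumed layout).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": {"name": "fileserver01", "assigned_to": "IT Ops"},
    "00:1a:2b:3c:4d:77": {"name": "printer-2f", "assigned_to": "Facilities"},
    "00:1a:2b:3c:4d:88": {"name": "switch-core", "assigned_to": "IT Ops"},
}

# A lease block is "lease <ip> { ... }" with one statement per line.
# Caveat: a raw "}" inside a quoted uid string would end the block early.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"binding state\s+(\w+);")


def parse_leases(text):
    """Return {ip: {"mac", "hostname", "state"}} for the newest block per IP."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        state = STATE_RE.search(body)
        leases[ip] = {
            "mac": mac.group(1).lower() if mac else None,  # normalise case
            "hostname": host.group(1) if host else "",
            "state": state.group(1) if state else "unknown",
        }
    return leases


def reconcile(leases, authorized):
    """Compare active leases with the inventory.

    Returns (unknown, not_seen):
      unknown  [(ip, mac, hostname)] active leases whose MAC is not inventoried
      not_seen [mac] inventory entries with no active lease (offline, static
               address, or on a segment this DHCP server does not serve)
    """
    seen = set()
    unknown = []
    for ip, lease in sorted(leases.items()):
        if lease["state"] != "active" or lease["mac"] is None:
            continue  # a free/expired lease says nothing about what is online now
        if lease["mac"] in authorized:
            seen.add(lease["mac"])
        else:
            unknown.append((ip, lease["mac"], lease["hostname"]))
    not_seen = sorted(set(authorized) - seen)
    return unknown, not_seen


if __name__ == "__main__":
    unknown, not_seen = reconcile(parse_leases(SAMPLE_LEASES), AUTHORIZED)
    for ip, mac, host in unknown:
        print(f"UNMANAGED  {ip:<15} {mac}  {host or '(no hostname)'}")
    for mac in not_seen:
        print(f"NO LEASE   {mac}  {AUTHORIZED[mac]['name']}")
```

Run it on a real `/var/lib/dhcp/dhcpd.leases` by reading the file into `parse_leases`. The "no lease" list is as useful as the "unmanaged" list: it tells you which inventory entries the DHCP server cannot see, which is exactly where a second source (switch MAC tables, static address reservations, an agent-based scan) has to fill the gap.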


What information makes for a robust inventory?


Whether you start from an accounting inventory, a server inventory or an asset-tagging inventory, you will need to combine all relevant information into one location. From there it is good practice to resolve conflicting information rather than letting one list silently overwrite another, retire older lists, and keep a section for removed components that records how each system was retired and how its data was destroyed. Having a current device inventory may even save you money: as newer devices become available, you can compare what you own against what is on offer and replace several outdated systems at once.

Now that you have a thorough inventory list of components that you manage, you should consider the level of detail that the inventory information requires. This determination should take into account the organization’s risk management strategies as well as the organization’s business objectives.

Content necessary for effective accountability of information system components from a cybersecurity standpoint should include, but is not limited to:
  • Hardware inventory specifications: name of asset, date acquired, physical location, logical network address or dynamically assigned address range, and the person or group the asset is assigned to
  • System software specifications: title, version number, vendor, license limit, and list of users
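As an added example (not the post’s or Analecta’s code) of the merge-and-reconcile step described above, the script below combines three constructed exports (accounting, server list, asset tags) into one master record per asset using the hardware fields listed above, keeps any field the sources disagree on out of the master and reports it as a conflict instead, flags assets that appear in only one source, and moves retired assets into their own section with the data disposition recorded. The join key (serial number), the source layouts and the field names are assumptions, not a format the post prescribes.

```python
from collections import defaultdict

# Constructed sample exports (not real data), one list per source. Each record
# already uses the master inventory's field names; "serial" is the join key.
ACCOUNTING = [
    {"serial": "SN-1001", "name": "Dell R740", "date_acquired": "2017-11-02"},
    {"serial": "SN-1002", "name": "HP LaserJet", "date_acquired": "2016-05-19"},
    {"serial": "SN-1003", "name": "Cisco 2960", "date_acquired": "2015-08-30"},
]
SERVER_LIST = [
    {"serial": "SN-1001", "name": "fileserver01", "logical_address": "10.0.5.21",
     "location": "Rack A3"},
    {"serial": "SN-1004", "name": "devbox", "logical_address": "10.0.5.90",
     "location": "Lab"},
]
ASSET_TAGS = [
    {"serial": "SN-1001", "location": "Rack A3", "assigned_to": "IT Ops"},
    {"serial": "SN-1002", "location": "2nd floor copy room", "assigned_to": "Facilities"},
    {"serial": "SN-1003", "location": "Rack A1", "assigned_to": "IT Ops"},
]
SOURCES = {"accounting": ACCOUNTING, "server_list": SERVER_LIST, "asset_tags": ASSET_TAGS}

# Constructed retirement log: when the asset left service and what was done with it.
RETIRED = [
    {"serial": "SN-1003", "retired_on": "2018-02-15",
     "disposition": "config and flash wiped, chassis sent to recycler"},
]


def merge_inventories(sources):
    """Merge {source_name: [record, ...]} into one record per serial.

    Returns (master, conflicts, single_source):
      master        {serial: {field: value}} holding every field the sources agree on
      conflicts     [(serial, field, {source: value})] where sources disagree; these
                    are left out of master so a wrong value is never silently chosen
      single_source [serial] seen in exactly one source, worth a manual check
    """
    seen_in = defaultdict(set)
    values = defaultdict(lambda: defaultdict(dict))  # serial -> field -> source -> value
    for src, records in sources.items():
        for rec in records:
            serial = rec["serial"]
            seen_in[serial].add(src)
            for field, value in rec.items():
                if field != "serial":
                    values[serial][field][src] = value

    master, conflicts = {}, []
    for serial, fields in values.items():
        master[serial] = {}
        for field, by_src in fields.items():
            distinct = set(by_src.values())
            if len(distinct) == 1:
                master[serial][field] = distinct.pop()
            else:
                conflicts.append((serial, field, dict(by_src)))
    single_source = sorted(s for s, srcs in seen_in.items() if len(srcs) == 1)
    return master, conflicts, single_source


def apply_retirements(master, retired):
    """Split master into active assets and a retired section that keeps each
    retired asset's last known record plus the retirement date and disposition."""
    active = dict(master)
    retired_section = {}
    for rec in retired:
        entry = dict(active.pop(rec["serial"], {}))  # copy so master is untouched
        entry["retired_on"] = rec["retired_on"]
        entry["disposition"] = rec["disposition"]
        retired_section[rec["serial"]] = entry
    return active, retired_section


if __name__ == "__main__":
    master, conflicts, single = merge_inventories(SOURCES)
    active, retired = apply_retirements(master, RETIRED)
    for serial, field, by_src in conflicts:
        print(f"CONFLICT   {serial} {field}: {by_src}")
    for serial in single:
        print(f"ONE SOURCE {serial}: {master[serial]}")
    print("active:", sorted(active))
    print("retired:", retired)
```

On the sample data the one conflict is the "name" of SN-1001: accounting records the model (Dell R740) while the server list records the hostname (fileserver01). That is not a typo to correct but a sign that two sources mean different things by the same column, which is the kind of thing to settle once, in the master schema, before the lists are merged for real.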


How frequently should an asset inventory be updated?


If your company is just getting started, the best practice is to build the inventory as the system is being built, which causes little disruption to business. If not, start as soon as you have settled on an inventory strategy. There is little to gain by delaying, and the items that require manual collection can be scheduled outside business hours to reduce disruption.

Updates to the IT inventory should be made with each installation, removal or update to the system. If the organization is conducting inventories at the component level, make sure the inventory is updated when critical components are replaced or moved, not just when the device as a whole is added or deleted. Manual updates drift quickly, so wherever possible feed the inventory from the systems that already observe changes, such as DHCP leases and procurement records, and reconcile them against the master list on a fixed schedule.


How can Analecta help?


Analecta brings decades of expertise implementing secure information systems based on national guidelines. If you are looking for expert advice on implementing a cybersecurity program for your company, or need advice on where to begin, email us at info@analecta-llc.com. We are here to help!


Further Resources

  1. Center for Internet Security, Critical Security Controls: CSC 1, Inventory of Authorized and Unauthorized Devices
  2. National Institute of Standards and Technology, SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations (control CM-8, Information System Component Inventory)