Control Summary
Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Why is it needed?
You cannot protect what you do not know is there. Essentially this control emphasises the need for visibility of what an
enterprise has on its network. Cyber attackers are constantly scanning the Internet address space of target organisations to look
for unprotected assets attached to a network. They target assets that are not securely configured or patched and are susceptible
to malware, to gain access.
Controlling enterprise assets can be challenging due to the size and dynamic nature of large networks with portable devices connecting only periodically. Additionally, cloud-based, and virtual machines can be paused or shut down making them difficult to track. The managed control of all enterprise assets will however assist with vital tasks such as security monitoring, back up, incident response and recovery.
Implementing Control
Meeting this control requires the ability to track and correct asset permissions. Technical and procedural actions are combined to create a formal inventory management process. Asset owners should be identified to ensure governance of the process.
Implementation Group 1 requires the following two safeguards:
1.1 Establishing and Maintaining Asset Inventory.
Larger organisations may opt for comprehensive commercial products to manage asset inventory, whereas smaller businesses can use existing tools and manage the outputs in a database or spreadsheet. A discovery scan of the network can be undertaken using a vulnerability scanner and this data combined with data from the review of anti-virus logs, switch network logs, authentication logs and endpoint security logs to gain a comprehensive baseline inventory. Other sources of data may include purchase order tracking and local inventory lists.
Maintaining this inventory is an ongoing and dynamic process requiring scanning on a regular basis, sending various packet types across the network to identify assets. Where possible organisations should collect data from enterprise systems such as Active Directory, Single Sign-on, Multifactor Authentication, Virtual Private Networks, Intrusion Detection Systems, Mobile Device Management and Vulnerability Scanning.
1.2 Address Unauthorised Assets.
This safeguard involves a weekly process for removing or quarantining unauthorised assets or denying remote connection of them to your network. Access control could use existing network technology to limit device access to networks.
After the two safeguards above are established, an organisation can consider more advanced sub-controls such as using an active discovery tool, using Dynamic Host Configuration Protocol (DHCP) logging to update the inventory, and using a passive discovery tool.
Additional safeguards at level 2 or 3:
1.3 Utilize an Active Discovery Tool
1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
1.5 Use a Passive Asset Discovery Tool
Incident Response Solutions 