Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Why Is This Control Critical?
Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery. Enterprises should know what data is critical to them, and proper asset management will help identify those enterprise assets that hold or manage this critical data, so appropriate security controls can be applied.
Safeguards (5)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Identify | IG1, IG2, IG3 | 7 | 5 |
| 1.2 | Address Unauthorized Assets | Respond | IG1, IG2, IG3 | 5 | 3 |
| 1.3 | Utilize an Active Discovery Tool | Detect | IG2, IG3 | 6 | 3 |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Identify | IG2, IG3 | 11 | 7 |
| 1.5 | Use a Passive Asset Discovery Tool | Detect | IG3 | 11 | 7 |
Audit Verification Details
1.1 Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records, for each asset, the network address (if static), hardware address, machine name, data asset owner, department, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under the control of the enterprise. Review and update the inventory of all enterprise assets at least twice a year (bi-annually), or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Inventory tool is deployed and all required data fields (network address if static, hardware address, machine name, data asset owner, department, approval to connect) are populated. | Inventory tool screenshot, exported data with populated fields |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Process exists to identify and remediate unauthorized or unmanaged assets. | Exception reports, unauthorized asset remediation records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
1.2 Address Unauthorized Assets
Ensure that a process exists to address unauthorized assets at least weekly. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Response actions taken against unauthorized assets are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed at least twice a year |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
1.3 Utilize an Active Discovery Tool
Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Active discovery tool is deployed, covers all in-scope network segments, and runs daily or more frequently. | Dashboard screenshots showing scan status, schedule, and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events (e.g., an unregistered device attached to the network). | Detection test results, purple team exercise reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.
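The weekly review described above is mechanical: take the DHCPACK lines the DHCP server logged, key them on hardware address, and compare them with the inventory. The following is an added example (not part of the original page or of any CIS tooling) that does that reconciliation for ISC dhcpd-style syslog lines and a CSV inventory export. It serves safeguards 1.1 (required fields populated), 1.2 (unknown or unapproved assets surfaced for action) and 1.4 (stale inventory fields updated from the logs). The log lines, the inventory rows and the CSV column names are constructed sample data; a real export will need its column names mapped.

```python
import csv
import io
import re
from dataclasses import dataclass

# Message part of an ISC dhcpd syslog line, e.g.
#   dhcpd[1234]: DHCPACK on 10.20.1.57 to aa:bb:cc:dd:ee:01 (eng-lap-014) via eth0
# The "(hostname)" field is absent when the client sent no host-name option,
# which is common for IoT and embedded devices.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Safeguard 1.1 fields every inventory row must populate. The network address is
# only required when static, so the DHCP-assigned "last_ip" is tracked but optional.
# Column names are an assumption of this example, not a CIS-defined schema.
REQUIRED_FIELDS = ("mac", "hostname", "owner", "department", "approved")


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    iface: str


def parse_dhcp_log(text):
    """Return {mac: Lease}, keeping the most recent DHCPACK per MAC.

    DISCOVER/OFFER/REQUEST lines are ignored: only an ACK proves the server
    actually handed out the address.
    """
    leases = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m is None:
            continue
        mac = m.group("mac").lower()  # normalise so AA:BB and aa:bb match the inventory
        leases[mac] = Lease(m.group("ip"), mac, m.group("host") or "", m.group("iface"))
    return leases


def load_inventory(csv_text):
    """Return {mac: row} from a CSV export, keyed on normalised hardware address."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        clean = {k: (v or "").strip() for k, v in row.items()}
        rows[clean["mac"].lower()] = clean
    return rows


def reconcile(leases, inventory):
    """Compare observed leases with the inventory and return the work list.

    unknown    - MACs seen on the wire with no inventory record (1.2 action)
    unapproved - inventoried but not approved to connect (1.2 action)
    updates    - inventory fields the logs show are stale (1.4 update)
    incomplete - inventory rows missing a required field (1.1 data quality)
    """
    report = {"unknown": [], "unapproved": [], "updates": [], "incomplete": []}
    for mac, lease in sorted(leases.items()):
        rec = inventory.get(mac)
        if rec is None:
            report["unknown"].append(lease)
            continue
        if rec.get("approved", "").lower() != "yes":
            report["unapproved"].append(lease)
        if rec.get("last_ip") != lease.ip:
            report["updates"].append((mac, "last_ip", rec.get("last_ip", ""), lease.ip))
        if lease.hostname and rec.get("hostname") != lease.hostname:
            report["updates"].append((mac, "hostname", rec.get("hostname", ""), lease.hostname))
    for mac, rec in inventory.items():
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            report["incomplete"].append((mac, missing))
    return report


# Constructed sample data: a week of dhcpd syslog lines and a small inventory export.
SAMPLE_LOG = """\
Mar  3 08:15:02 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar  3 08:15:02 dhcp1 dhcpd[1234]: DHCPOFFER on 10.20.1.57 to aa:bb:cc:dd:ee:01 (eng-lap-014) via eth0
Mar  3 08:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.57 to aa:bb:cc:dd:ee:01 (eng-lap-014) via eth0
Mar  3 08:16:40 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.58 to AA:BB:CC:DD:EE:02 (fin-lap-007) via eth0
Mar  3 08:17:11 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.91 to 00:11:22:33:44:55 via eth0
Mar  3 08:19:05 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.60 to aa:bb:cc:dd:ee:03 (guest-phone) via eth0
Mar  3 09:02:30 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.59 to aa:bb:cc:dd:ee:01 (eng-lap-014) via eth0
"""

SAMPLE_INVENTORY = """\
mac,hostname,last_ip,owner,department,approved
aa:bb:cc:dd:ee:01,eng-lap-014,10.20.1.57,j.doe,Engineering,yes
aa:bb:cc:dd:ee:02,fin-lap-007,10.20.1.58,,Finance,yes
aa:bb:cc:dd:ee:03,guest-phone,10.20.1.60,r.roe,Visitors,no
aa:bb:cc:dd:ee:04,srv-db-02,10.20.2.10,dba-team,IT,yes
"""

if __name__ == "__main__":
    result = reconcile(parse_dhcp_log(SAMPLE_LOG), load_inventory(SAMPLE_INVENTORY))
    for category, items in result.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

On the sample data the run flags one device never inventoried (`00:11:22:33:44:55`, which also sent no hostname, the usual signature of an IoT device), one inventoried device not approved to connect, one row with an empty owner field, and one laptop whose recorded address is a lease behind. The first two items feed the weekly safeguard 1.2 decision (remove, deny remote access, or quarantine); the last two are inventory corrections. Keying on MAC rather than IP is deliberate: DHCP addresses churn, and a MAC seen with a changed hostname is itself worth a second look.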
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Inventory tool is deployed and all required data fields are populated. | Inventory tool screenshot, exported data with populated fields |
| DHCP lease logging is enabled on all DHCP servers and IP address management tools and forwarded to the centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| DHCP servers and IP address management systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled against DHCP logs weekly or more frequently. | Review meeting minutes, sign-off records, or change logs |
| New assets seen in DHCP logs are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Process exists to identify and remediate unauthorized or unmanaged assets found in DHCP logs. | Exception reports, unauthorized asset remediation records |
| DHCP logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| Configuration drift on DHCP servers and IP address management systems is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
1.5 Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Passive discovery sensors are deployed and actively collecting traffic data. | Dashboard screenshots showing sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Inventory tool is deployed and all required data fields are populated. | Inventory tool screenshot, exported data with populated fields |
| Passive discovery coverage includes all in-scope network segments, and discovery output is reviewed at least weekly. | Sensor placement/coverage records with review schedule evidence |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events (e.g., an unregistered device attached to a monitored segment). | Detection test results, purple team exercise reports |
| Process exists to identify and remediate unauthorized or unmanaged assets surfaced by passive discovery. | Exception reports, unauthorized asset remediation records |
| Newly discovered assets are reconciled with the inventory within defined SLAs. | Reconciliation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Technical | Passive discovery reports showing sensor coverage and newly observed assets | Per review cycle |
| Record | Inventory reconciliation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |