1.2
IG1 IG2 IG3

Address Unauthorized Assets

Asset Type: Devices
Security Function: Respond

Description

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

Implementation Checklist

1. Define response procedures and playbooks
2. Assign response roles and responsibilities
3. Establish response timeframes and SLAs
4. Test response procedures through tabletop or simulation
5. Document lessons learned and update procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Rogue Device Network Infiltration

Confidentiality

An attacker or insider connects an unauthorized device (e.g., rogue wireless AP, USB-tethered device) to the corporate network to intercept traffic or establish a backdoor.

Compromised IoT Device Persistence

Integrity

Unauthorized IoT devices with default credentials remain on the network indefinitely, providing persistent attack vectors that bypass endpoint security controls.

BYOD Malware Introduction

Availability

Unmanaged personal devices infected with malware connect to the enterprise network without quarantine or review, spreading infections to production systems.

Vulnerabilities (When Safeguard Absent)

No Process to Quarantine or Remove Unauthorized Assets

Without a defined process for addressing unauthorized assets, rogue devices persist on the network indefinitely with no accountability or remediation timeline.

Delayed Response to Network Intrusions

The absence of a weekly review cycle for unauthorized assets means malicious or non-compliant devices can operate undetected for extended periods.
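
One way to run the weekly review that the two vulnerabilities above call for, as an added example that is not part of the CIS text: it reconciles observed MAC addresses against the authorized inventory and marks each unauthorized device as addressed, pending, or overdue. The input formats, function names, status labels and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

REVIEW_WINDOW = timedelta(days=7)  # weekly cadence required by the safeguard
ACTIONS = {"removed", "remote_access_denied", "quarantined"}  # the three responses

def normalize_mac(mac):
    """Canonicalize MAC notation so 'DE-AD-..' and 'de:ad:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def review_unauthorized(observations, authorized, dispositions, now):
    """Return one finding per unauthorized MAC, oldest first."""
    allowed = {normalize_mac(m) for m in authorized}
    handled = {normalize_mac(m): a for m, a in dispositions.items()}
    seen = {}
    for ts, mac, location in observations:
        mac, when = normalize_mac(mac), datetime.fromisoformat(ts)
        if mac in allowed:
            continue
        rec = seen.setdefault(mac, {"mac": mac, "first_seen": when,
                                    "last_seen": when, "location": location})
        rec["first_seen"] = min(rec["first_seen"], when)
        if when >= rec["last_seen"]:
            rec["last_seen"], rec["location"] = when, location
    for rec in seen.values():
        action = handled.get(rec["mac"])
        if action in ACTIONS:          # only a recognized response closes a finding
            rec["status"] = action
        elif now - rec["first_seen"] > REVIEW_WINDOW:
            rec["status"] = "overdue"  # outlived a weekly review unaddressed
        else:
            rec["status"] = "pending"  # due at the next weekly review
    return sorted(seen.values(), key=lambda r: r["first_seen"])

# Constructed sample data: (timestamp, MAC, where it was seen)
AUTHORIZED = ["00:11:22:33:44:55"]
OBSERVATIONS = [
    ("2024-05-01T08:00:00", "00-11-22-33-44-55", "sw1/1"),
    ("2024-05-02T09:30:00", "DE-AD-BE-EF-00-01", "sw2/14"),
    ("2024-05-12T10:00:00", "de:ad:be:ef:00:01", "sw3/02"),
    ("2024-05-11T16:45:00", "02:00:00:AA:BB:CC", "wifi-guest"),
    ("2024-05-03T11:00:00", "0200.00dd.eeff", "vpn"),
]
DISPOSITIONS = {"02:00:00:DD:EE:FF": "remote_access_denied"}

if __name__ == "__main__":
    for f in review_unauthorized(OBSERVATIONS, AUTHORIZED, DISPOSITIONS, datetime(2024, 5, 13)):
        print(f["status"], f["mac"], f["location"], f["first_seen"].date())
```

MAC addresses can be spoofed or randomized, so treat the output as a worklist for the weekly review rather than proof of device identity.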

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Response procedure/playbook documentation | Reviewed bi-annually
Record | Response action logs showing procedure execution | Per incident
Document | Governing policy document (current, approved, communicated) | Reviewed annually