Securely Manage Enterprise Assets and Software
Description
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
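The following is an added example (not part of the CIS safeguard text) showing one way to turn the protocol rule above into an automated check: an inventory of management interfaces is audited, insecure protocols are flagged, and an entry that carries a documented "operationally essential" exception is reported as informational rather than as a failure. The inventory format, the `exception_ticket` field and the sample assets are assumptions constructed for illustration.

```python
"""Audit a management-interface inventory for insecure management protocols.

Added example, not CIS tooling. The inventory layout, the exception_ticket
field and the sample assets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Protocols the safeguard names as insecure, with the reason each is a problem.
INSECURE_PROTOCOLS = {
    "telnet": "credentials and commands sent in cleartext",
    "http": "credentials and commands sent in cleartext",
    "snmpv1": "community string sent in cleartext",
    "snmpv2c": "community string sent in cleartext",
}
# Protocols the safeguard names as acceptable for management access.
SECURE_PROTOCOLS = {"ssh", "https", "snmpv3"}


@dataclass
class ManagementInterface:
    asset: str
    protocol: str
    port: int
    # Ticket reference for a documented "operationally essential" exception (assumed field).
    exception_ticket: Optional[str] = None


@dataclass
class Finding:
    asset: str
    protocol: str
    port: int
    severity: str  # "high": undocumented insecure use; "info": documented exception; "medium": unknown
    reason: str


def audit(inventory: List[ManagementInterface]) -> List[Finding]:
    """Return one finding per interface that is not using a secure management protocol."""
    findings = []
    for iface in inventory:
        proto = iface.protocol.lower()
        if proto in SECURE_PROTOCOLS:
            continue
        if proto in INSECURE_PROTOCOLS:
            reason = INSECURE_PROTOCOLS[proto]
            if iface.exception_ticket:
                findings.append(Finding(iface.asset, proto, iface.port, "info",
                                        f"{reason}; documented exception {iface.exception_ticket}"))
            else:
                findings.append(Finding(iface.asset, proto, iface.port, "high", reason))
        else:
            findings.append(Finding(iface.asset, proto, iface.port, "medium",
                                    "unrecognised management protocol; review manually"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by severity so a compliance report can show pass/fail at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    ManagementInterface("core-switch-01", "ssh", 22),
    ManagementInterface("core-switch-01", "telnet", 23),                 # undocumented: high
    ManagementInterface("ups-01", "http", 80, exception_ticket="CHG-0001"),  # documented exception
    ManagementInterface("printer-03", "snmpv2c", 161),                 # undocumented: high
    ManagementInterface("fw-edge-01", "https", 443),
    ManagementInterface("legacy-plc-02", "proprietary", 5000),         # unknown: medium
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.asset}:{f.port} {f.protocol} - {f.reason}")
    print(summarize(audit(SAMPLE_INVENTORY)))
```

Interfaces using SSH, HTTPS or SNMPv3 produce no finding; a documented exception is kept visible in the report (so it can be re-reviewed) but does not count as a failure, which is the distinction the "unless operationally essential" clause requires.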
Implementation Checklist
Tool Recommendations
- Automated CIS Benchmark assessment tool for configuration compliance scanning across OS, applications, and cloud (Center for Internet Security; CIS SecureSuite membership)
- Cloud-based configuration assessment and compliance platform with CIS Benchmark support and continuous monitoring (Qualys; per-asset subscription)
- Unified endpoint management platform for device enrollment, software deployment, configuration, and compliance across Windows, macOS, iOS, and Android (Microsoft; per-user/per-device subscription)
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Credential Interception via Insecure Management Protocols
Impact: Confidentiality. Administrative credentials transmitted over Telnet, HTTP, or unencrypted SNMP are captured by attackers performing network sniffing, granting full administrative control.
Man-in-the-Middle Attack on Management Traffic
Impact: Integrity. Attackers intercept and modify management commands sent over insecure protocols, altering device configurations, injecting backdoor accounts, or disrupting services.
Vulnerabilities (When Safeguard Absent)
Use of Insecure Management Protocols
Managing enterprise assets via Telnet, HTTP, or SNMPv1/v2 exposes administrative credentials and commands in plaintext on the network.
No Version-Controlled Infrastructure Configuration
Without version-controlled infrastructure-as-code for managing configurations, unauthorized changes are difficult to detect and impossible to reliably roll back.
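As an added example (not from the CIS page) of what the version-controlled baseline buys a defender, the block below compares a device configuration pulled from a device against the copy committed to version control, reports added and removed lines, and names the commit to roll back to. The baseline, the running configuration, the commit placeholder and the line patterns treated as risky are all constructed for illustration; the configuration syntax is only meant to look like a typical network device config.

```python
"""Detect configuration drift against a version-controlled baseline.

Added example, not CIS tooling. Assumes device configuration is kept as plain
text in a version-control repository; the two configs, the commit placeholder
and the risky-line patterns below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List

# Placeholder for the commit id the baseline was taken from (not a real commit).
BASELINE_COMMIT = "<commit-id-from-version-control>"

# Constructed baseline, as committed to version control.
BASELINE_CONFIG = """\
! core-switch-01 baseline
hostname core-switch-01
ip ssh version 2
no ip http server
ip http secure-server
username netadmin privilege 15 secret <hash>
line vty 0 4
 transport input ssh
"""

# Constructed running configuration, as pulled from the device.
RUNNING_CONFIG = """\
! core-switch-01 running-config (constructed sample)
hostname core-switch-01
ip ssh version 2
ip http server
ip http secure-server
username netadmin privilege 15 secret <hash>
username svc-backup privilege 15 secret <hash>
line vty 0 4
 transport input telnet ssh
"""

# Added lines matching these patterns undo the safeguard and deserve immediate attention.
RISKY_PATTERNS = [
    re.compile(r"^\s*transport input .*\btelnet\b"),   # Telnet enabled on a VTY line
    re.compile(r"^ip http server$"),                   # cleartext HTTP management enabled
    re.compile(r"^username \S+ privilege 15"),         # new full-privilege account
]


def normalize(config: str) -> List[str]:
    """Drop comment lines and trailing whitespace so cosmetic noise does not count as drift."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def fingerprint(config: str) -> str:
    """Stable hash of the normalized config, suitable for storing as monthly evidence."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def detect_drift(baseline: str, running: str) -> Dict[str, object]:
    """Compare running config to the baseline and classify the differences."""
    base, run = normalize(baseline), normalize(running)
    base_set, run_set = set(base), set(run)
    added = [line for line in run if line not in base_set]
    removed = [line for line in base if line not in run_set]
    risky = [line for line in added if any(p.search(line) for p in RISKY_PATTERNS)]
    return {
        "drifted": fingerprint(baseline) != fingerprint(running),
        "added": added,
        "removed": removed,
        "risky_added": risky,
        "rollback_to": BASELINE_COMMIT,
    }


if __name__ == "__main__":
    report = detect_drift(BASELINE_CONFIG, RUNNING_CONFIG)
    print("drifted:", report["drifted"])
    for line in report["removed"]:
        print("-", line)
    for line in report["added"]:
        flag = "  <-- risky" if line in report["risky_added"] else ""
        print("+", line + flag)
    print("roll back to:", report["rollback_to"])
```

Because the baseline lives in version control, the "removed" lines show exactly which hardening was undone and the commit id gives an unambiguous rollback target; without that baseline the two new privileged settings and the extra account would have nothing to be compared against.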
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |