Control 01: Inventory and Control of Enterprise Assets
An overview of the CIS Control 01
Published Date: August 15, 2024
Product Line: CIS Controls
Audience: Executives, Security Administrators
Get your copy of the CIS Controls V8.1 here.
Overview
This control refers to actively managing and tracking all enterprise assets (including end-user devices, network devices, IoT devices, and servers) across physical, virtual, remote, and cloud environments to ensure a comprehensive understanding of the assets needing monitoring and protection while also helping to identify and address unauthorized or unmanaged assets.
Why is this control critical?
Threat actors are always looking for unprotected and weakly configured assets, and enterprises cannot defend what they do not know they have. Enterprises must manage and control all assets to effectively reduce the attack surface and improve security monitoring, incident response, and recovery. Identifying assets holding critical data helps apply proper security controls. Both external attackers and internal threat actors can exploit unprotected assets, including temporary systems and portable devices that dynamically connect to networks. In our experience analyzing networks, we have found that some organizations have forgotten assets with vulnerabilities connected to the internet. Those assets are a possible data breach waiting to happen, so keeping an inventory of all the assets is never wrong.
Procedures and tools
This CIS Control requires both technical and procedural actions to manage and account for enterprise assets and their associated data throughout their life cycle. Large enterprises can use comprehensive IT solutions, while smaller ones can leverage security tools already installed on enterprise assets or used on the network to collect this data. There is rarely a single source of truth for asset management, so multiple sources and regular scans are needed to maintain an accurate and dynamic view. Larger enterprises can also draw on additional sources, such as cloud portals, Active Directory, and VPN logs, among others, to track assets.
Safeguards
Establish and maintain detailed enterprise asset inventory (IG1, IG2, IG3): Establish and maintain an accurate, up-to-date inventory of all enterprise assets that store or process data, including end-user devices, network devices, IoT devices, and servers. Record key details like network address, hardware address, machine name, asset owner, department, and network approval status. Use MDM tools for mobile devices where applicable. Include both physical and cloud-connected assets, even those not under the enterprise’s control. Review and update the inventory at least bi-annually or more frequently.
Address unauthorized assets (IG1, IG2, IG3): Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool (IG2, IG3): Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory (IG2, IG3): Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a Passive Asset Discovery Tool (IG3): Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
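One way to apply the DHCP logging and unauthorized-asset safeguards together, as an added example that is not CIS material: the Python below reconciles DHCP lease acknowledgements against an inventory keyed by hardware address. It assumes ISC dhcpd style syslog lines; the inventory layout, field names, hosts and addresses are all constructed for illustration.

```python
import re

# Assumed ISC dhcpd syslog lease line; the hostname in parentheses is optional.
ACK = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})(?: \((?P<name>[^)]*)\))?"
)

# Constructed inventory keyed by hardware address (hypothetical field names).
INVENTORY = {
    "3c:22:fb:aa:10:01": {"name": "fin-lt-0142", "owner": "a.ortiz", "dept": "Finance",
                          "ip": "10.20.4.57", "approved": True},
    "3c:22:fb:aa:10:02": {"name": "eng-ws-0007", "owner": "k.mori", "dept": "Engineering",
                          "ip": "10.20.8.12", "approved": True},
    "00:1b:44:11:3a:b7": {"name": "lab-cam-03", "owner": "unassigned", "dept": "Facilities",
                          "ip": "10.20.9.40", "approved": False},
}

# Constructed sample log lines.
SAMPLE_LOG = """\
Aug 12 09:14:02 dhcp01 dhcpd[812]: DHCPACK on 10.20.4.57 to 3c:22:fb:aa:10:01 (fin-lt-0142) via eth0
Aug 12 09:15:40 dhcp01 dhcpd[812]: DHCPACK on 10.20.8.91 to 3C:22:FB:AA:10:02 (eng-ws-0007) via eth0
Aug 12 09:16:11 dhcp01 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Aug 12 09:16:12 dhcp01 dhcpd[812]: DHCPACK on 10.20.9.40 to 00:1b:44:11:3a:b7 (lab-cam-03) via eth0
Aug 12 09:20:33 dhcp01 dhcpd[812]: DHCPACK on 10.20.4.200 to 9a:0c:5e:77:21:f0 via eth0
Aug 12 09:48:05 dhcp01 dhcpd[812]: DHCPACK on 10.20.4.201 to 9a:0c:5e:77:21:f0 via eth0
"""

def reconcile(log_text, inventory):
    """Return (ip_updates, unapproved, unknown) from DHCP leases vs. the inventory."""
    latest = {}  # mac -> (ip, hostname) taken from the most recent lease in the log
    for line in log_text.splitlines():
        m = ACK.search(line)
        if m:  # only acknowledged leases count; MACs are normalised to lower case
            latest[m["mac"].lower()] = (m["ip"], m["name"] or "")
    ip_updates, unapproved, unknown = {}, {}, {}
    for mac, (ip, name) in latest.items():
        asset = inventory.get(mac)
        if asset is None:
            unknown[mac] = (ip, name)              # not inventoried: remove, deny or quarantine
        elif not asset["approved"]:
            unapproved[mac] = (ip, asset["name"])  # inventoried but not approved for the network
        elif asset["ip"] != ip:
            ip_updates[mac] = (asset["ip"], ip)    # approved asset moved: refresh network address
    return ip_updates, unapproved, unknown

if __name__ == "__main__":
    labels = ("ip update", "unapproved", "unknown")
    for label, found in zip(labels, reconcile(SAMPLE_LOG, INVENTORY)):
        for mac, detail in found.items():
            print(f"{label:10} {mac} {detail}")
```

Run weekly or more often against each DHCP server's log, the two non-empty review lists feed the unauthorized-asset process and the update list keeps recorded network addresses current.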