When going through one of our security gap analyses, we are often asked to clarify why the interviewee is being asked if they have an asset inventory in place. Asset inventories are more than just a spreadsheet to track your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.” Additionally, the Payment Card Industry Data Security Standard (PCI DSS) requires that an inventory of system components (PCI Req. 2.4: Complete Inventory List) is maintained. Today we will help to break down the importance of an asset inventory as it relates to your firm’s security to help shed some light on this foundational element of a security program.
Asset Inventory for Risk Management
You can’t protect what you don’t know you have. Maybe that seems obvious, but if you do not have an asset inventory or your asset inventory is managed and kept up-to-date, you run the risk of not knowing what is connected to your network. The ability to track and audit your inventory is a baseline requirement for most security standards, including the CIS Top 20, HIPAA, and PCI. These standards all have an element of risk assessment that is required of organizations, too. And if you to perform a documented risk assessment, you’ll need to understand your threats, vulnerabilities, and assets.
Many companies that start out as small shops may think this is foolish because they only have a few things to keep track of, such as a couple workstations, a printer, etc. However, as the company begins to grow, the number of endpoints also grows and can easily be overlooked. Rather than trying to play catch-up, which can be very difficult and time consuming from a technical perspective, standing up an asset inventory at the earliest possible stage ensures that there is a process to track and manage inventory to mitigate risks down the road.
Asset Inventory for Business Operations
Having an accurate, up-to-date asset inventory also ensures your company can keep track of the type and age of hardware in use. By keeping track of this information, you are more easily able to identify technology gaps and refresh cycles. As systems begin to age, they could no longer be supported by the manufacturer, presenting a security risk to your organization as a whole. Unsupported software is no longer receiving updates from the manufacturer, and they are likely not even acknowledging new vulnerabilities that are discovered, much less fixing them.
At the end of the day, an asset inventory is a foundational element of your security program that can ultimately improve your security posture. It helps you mitigate risk and ensure business operations run smoothly. An asset inventory can be as simple as an Excel spreadsheet that tracks each piece of hardware (most importantly what’s connected to your network or storing your data), the date it was placed into service, serial number, and a brief description/business justification. As your firm grows, you can use this data to make smart technology and security-related decisions.