Vis/Attrib: Maintain an asset inventory of all computer systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, and an asset owner responsible for each device.
Vis/Attrib: Ensure that network inventory monitoring tools are operational and continuously monitoring, keeping the asset inventory up to date and looking for deviations from the expected inventory of assets on the network, and alerting the security operations center when deviations are discovered.
Config/Hygiene: Secure the asset inventory database and related systems, ensuring that they are included in periodic vulnerability scans and that asset information is encrypted.
Config/Hygiene: Implement automated configuration management control mechanisms for tracking and approving changes made to systems. These controls should address hardware and software changes, network configuration changes, and any other modifications affecting the security of the system.
Config/Hygiene: Periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted.
Advanced: In addition to an inventory of hardware, organizations should develop an inventory of information assets, which identifies their critical information and maps critical information to the hardware assets on which it is located.
Procedures and tools for implementing and automating this control:
Some organizations maintain asset inventories using large-scale commercial enterprise products dedicated to the task, or they use free solutions to track assets and then sweep the network periodically for newly connected ones. In particular, when effective organizations acquire new systems, they record the owner and the asset features of each system, including the MAC address of each network interface (Ethernet and wireless), a unique identifier hard-coded into the interface. This mapping of asset attributes and owner to MAC address can be stored in a free or commercial database management system.
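As an added example (not part of the control text), the following script reconciles an observed neighbour table against a MAC-keyed authorised inventory of the kind described above, producing the deviations that the monitoring sub-control says should be alerted to the security operations center. The inventory fields, the `ip neigh` style input format and all addresses are constructed assumptions.

```python
"""Reconcile observed network neighbours against an authorised asset
inventory keyed on MAC address. All data below is constructed."""
import re

# Constructed authorised inventory: MAC -> (name, purpose, owner, expected IP)
INVENTORY = {
    "00:11:22:33:44:55": ("fileserver01", "file server", "it-ops", "10.0.1.10"),
    "AA:BB:CC:DD:EE:01": ("ws-alice", "workstation", "alice", "10.0.1.20"),
    "AA:BB:CC:DD:EE:02": ("printer-3f", "printer", "facilities", "10.0.1.30"),
}

# Constructed 'ip neigh' style output, mixing three common MAC notations.
OBSERVED = """\
10.0.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.21 dev eth0 lladdr aa-bb-cc-dd-ee-01 STALE
10.0.1.99 dev eth0 lladdr dead.beef.cafe REACHABLE
10.0.1.1 dev eth0 FAILED
"""

def normalize_mac(raw):
    """Canonicalise colon, dash or Cisco dotted notation to AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_neighbours(text):
    """Yield (ip, mac) pairs; entries without a link-layer address are skipped."""
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", line)
        if m:
            yield m.group(1), normalize_mac(m.group(2))

def reconcile(inventory, observed_text):
    """Return deviations worth an alert: unknown MACs, inventoried MACs seen
    on an unexpected IP, and inventoried assets not seen at all."""
    seen, unknown, moved = {}, [], []
    for ip, mac in parse_neighbours(observed_text):
        seen[mac] = ip
        if mac not in inventory:
            unknown.append((ip, mac))
        elif inventory[mac][3] != ip:
            moved.append((inventory[mac][0], inventory[mac][3], ip))
    missing = [inventory[m][0] for m in inventory if m not in seen]
    return {"unknown": unknown, "moved": moved, "missing": missing}

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, OBSERVED).items():
        print(kind, items)
```

A "missing" asset is not necessarily a problem (the host may simply be powered off), but an "unknown" MAC is exactly the deviation the inventory monitoring sub-control above exists to catch.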
Then, with the asset inventory assembled, many organizations use tools to pull information from network assets such as switches and routers regarding the machines connected to the network. Using the Cisco Discovery Protocol (CDP), the Simple