Status: Live
The organization will maintain asset trails for inventory management and reporting, including how new hardware is added and old hardware removed. [UCF ID 00689]
Supporting and supported controls
This control directly supports:
- Identify information processes, applications, and systems significant to the organization [UCF Control ID 00688]
This control has the following supporting controls:
- Environmental survey [UCF Control ID 00690]
- Maintain a hardware inventory [UCF Control ID 00691]
- Software inventory [UCF Control ID 00692]
- Networking inventory [UCF Control ID 00693]
- Maintain an accurate media inventory [UCF Control ID 00694]
- Document, database, and messaging inventory [UCF Control ID 01260]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj B.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 1.2, Exam Tier I Obj 3.4, Exam Tier I Obj 4.3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 1.2; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(7)(ii)(E); Protection of Assets Manual, ASIS International, Pg 11-III-18, Pg 20-I-15; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.4.2; The Standard of Good Practice for Information Security, SM4.3.1(c), CI1.3.1; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.5.4; Archer Control Table, ATCS-020, ATCS-023, ATCS-028, ATCS-116, ATCS-445
Banking and Finance Guidance
[Exam Tier II Obj B.1, FFIEC IT Examination Handbook – Information Security]
[Exam Tier I Obj 1.2, Exam Tier I Obj 3.4, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Healthcare and Life Science Guidance
[§ 164.308(a)(7)(ii)(E), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
US Federal Security Guidance
Physical inventories should be conducted on a continual basis to ensure shortages are discovered quickly. Adequate records should be maintained of all tangible assets so that ownership can be established when it is in question. [Pg 11-III-18, Pg 20-I-15, Protection of Assets Manual, ASIS International]
[§ 3.4.2, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
General Guidance
Documented procedures should exist to ensure that important information about all organizational assets is recorded in an inventory and that the inventory is kept up to date and protected. [SM4.3.1(c), CI1.3.1, The Standard of Good Practice for Information Security]
[Ch 5.5.4, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
