Status: Live
The organization will ensure that all hardware assets are clearly identified, with an inventory of all important assets drawn up and maintained. [UCF ID 00691]
Supporting and supported controls
This control directly supports:
- Maintain asset discovery audit trails [UCF Control ID 00689]
This control has the following supporting controls:
- Include all portable computing devices that store confidential information [UCF Control ID 04719]
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Development and Acquisition, Pg 32, Exam Obj 11.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 28; FFIEC IT Examination Handbook – Operations, July 2004, Pg 7, Pg 8, Exam Tier II Obj A.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.5, Exhibit 5 CM-8; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, NW5.1.3; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR0016); DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR0016, WIR0030); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.2 (WIR0016); DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0016); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 2 (WIR0016); IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control, Pg 34; Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008, Table 4-2 Item 6; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-5 Item 51; Archer Control Table, ATCS-020, ATCS-023, ATCS-108; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 3.1.1, § 4.1.1.D, § 4.6.1.C
Sarbanes Oxley Guidance
The organization should document all system hardware. This documentation should include the type, number, location, and how the hardware is interconnected. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should maintain an up-to-date hardware inventory as part of the change management process. [Pg 32, Exam Obj 11.1, FFIEC IT Examination Handbook – Development and Acquisition]
An up-to-date hardware inventory should be maintained by the organization. The inventory can aid in speeding up the organization's response to new vulnerabilities and identifying unauthorized devices. [Pg 28, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should maintain a hardware inventory. The inventory should include the terminals used for environmental and access control; the equipment owned by vendors and service providers; PCs, mainframes, and servers; and any other equipment located on the organization's site. Include the model and serial numbers; the location of the equipment; the function of the equipment; the storage and memory capacity of the equipment; any network connections; and the Internet Protocol (IP) address in the hardware inventory. [Pg 7, Pg 8, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
§ 3.1.1 Ensure that the organization maintains an up-to-date hardware inventory so that known Access Points (APs) can easily be distinguished from rogue APs.
§ 4.1.1.D Use a wireless monitoring system that can track and locate all wireless devices (including Portable Electronic Devices and laptops) and report if one or more devices are missing.
§ 4.6.1.C Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices. [§ 3.1.1, § 4.1.1.D, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
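The E-Banking guidance above says an inventory speeds up the identification of unauthorized devices, the Operations guidance lists the fields the inventory should carry, and the PCI wireless guidance expects the inventory to separate known access points from rogue ones and to report devices that go missing. The following Python script is an added example, not code from the UCF or from any of the cited authority documents: it models an inventory record with the FFIEC Operations fields, reconciles it against a constructed discovery-scan result to flag rogue, missing, and re-addressed devices, and flags records that have not been verified within a chosen review window. Every device, address, date, and the 90-day window are constructed placeholder values, and the MAC address used as the matching key is an assumption of this example rather than a field named by the guidance.

```python
"""Hardware inventory reconciliation (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HardwareAsset:
    """One inventory record. Field set follows the FFIEC Operations guidance;
    mac_address, owner and last_verified are assumptions added for reconciliation."""
    asset_id: str
    model: str
    serial_number: str
    location: str
    function: str
    storage_gb: int
    memory_gb: int
    network_connections: tuple  # interface names, e.g. ("eth0", "wlan0")
    ip_address: str
    mac_address: str
    owner: str
    last_verified: date        # last date the record was checked against the physical asset


# Constructed sample inventory (placeholder models, serials, addresses).
INVENTORY = [
    HardwareAsset("srv-01", "MODEL-PLACEHOLDER", "SN-0001", "DC1 rack 4", "web server",
                  2000, 64, ("eth0",), "10.0.1.10", "00:11:22:33:44:01", "ops", date(2009, 6, 1)),
    HardwareAsset("ap-01", "MODEL-PLACEHOLDER", "SN-0002", "HQ floor 2", "wireless access point",
                  0, 1, ("eth0", "wlan0"), "10.0.2.5", "00:11:22:33:44:02", "network", date(2009, 3, 1)),
    HardwareAsset("lap-07", "MODEL-PLACEHOLDER", "SN-0003", "HQ floor 3", "staff laptop",
                  250, 4, ("wlan0",), "10.0.3.42", "00:11:22:33:44:03", "finance", date(2009, 5, 15)),
]

# Constructed result of a network discovery / wireless monitoring scan: (mac, ip) pairs.
SCAN_DATE = date(2009, 7, 1)
DISCOVERED = [
    ("00:11:22:33:44:01", "10.0.1.10"),   # known server, address matches
    ("00:11:22:33:44:02", "10.0.2.9"),    # known AP, but on a different IP than recorded
    ("AA:BB:CC:DD:EE:FF", "10.0.2.77"),   # not in the inventory at all
]


def reconcile(inventory, discovered):
    """Compare what was seen on the network with what the inventory says should be there.

    Returns a dict with:
      rogue       - (mac, ip) pairs seen on the network but absent from the inventory
      missing     - asset_ids in the inventory that the scan did not see
      ip_mismatch - asset_ids seen on the network at an IP other than the recorded one
    MAC addresses are normalised to lower case so formatting differences do not hide a match.
    """
    known = {a.mac_address.lower(): a for a in inventory}
    seen = {mac.lower(): ip for mac, ip in discovered}
    rogue = sorted((mac, ip) for mac, ip in seen.items() if mac not in known)
    missing = sorted(a.asset_id for mac, a in known.items() if mac not in seen)
    ip_mismatch = sorted(a.asset_id for mac, a in known.items()
                         if mac in seen and seen[mac] != a.ip_address)
    return {"rogue": rogue, "missing": missing, "ip_mismatch": ip_mismatch}


def stale_assets(inventory, today, max_age_days=90):
    """asset_ids whose record has not been verified within max_age_days (window is an assumption)."""
    return sorted(a.asset_id for a in inventory if (today - a.last_verified).days > max_age_days)


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("stale records:", stale_assets(INVENTORY, SCAN_DATE))
```

Run against the constructed data, the reconciliation reports one rogue device, one missing laptop, one access point whose recorded IP no longer matches, and one record (ap-01) that has gone unverified for longer than the 90-day window; each of those is a finding an assessor checking the "kept up to date" and "identify unauthorized devices" expectations above would want surfaced rather than buried in a spreadsheet.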
US Internal Revenue Guidance
The organization must maintain an inventory of all system components and the names of the owners. [§ 5.6.5, Exhibit 5 CM-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization should develop, document, and maintain a current inventory of the components of the information system and relevant ownership information. The organization must determine the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. [CM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure a hardware, software, and firmware inventory has been developed and is being maintained; the inventory contains the manufacturer, type, serial number, version number, location, and components required for contingency operations; and specific responsibilities and actions are defined for the implementation of the system component inventory control. Any problems discovered during the implementation of the system component inventory control should be documented and used to improve the controls.
Test the system to ensure it is configured to automatically update the hardware inventory on a scheduled basis.
Interviews should be conducted with personnel who maintain and update the system component inventories for the system. [CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should maintain a current inventory of all Bluetooth-enabled wireless devices, along with their addresses. [Table 4-2 Item 6, Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008]
The organization should maintain an inventory of all wireless devices, such as laptops, PDAs, and mobile phones. [Table 8-5 Item 51, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
Other Configuration Guidance
The organization should maintain a list of all wireless devices. [§ 2.2 (WIR0016), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
A list of all approved wireless devices should be maintained by the CIO. [§ 2.2 (WIR0016, WIR0030), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4]
The organization should maintain a list of all wireless devices. [§ 2.2 (WIR0016), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
The organization should maintain a list of all wireless and non-wireless PEDs that have been approved to process, transmit, or store official information, and the list should be securely stored. [§ 2.1 (WIR0016), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
Verify the organization has a procedure in place for ensuring the inventory is kept up to date. Examine the hardware inventory to ensure all wireless devices, including mice and keyboards, are listed. [§ 2 (WIR0016), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
General Guidance
An inventory should be maintained of all hardware, including telephones and their associated cabling. This inventory should list the version, location, and a unique description of the hardware. The hardware inventory should be kept up to date, independently reviewed, regularly reviewed internally against actual assets, and protected so it cannot be changed without proper authorization. [SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, NW5.1.3, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
