Maintain a hardware inventory.

UCF ID: 00691
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Ensure portable computing devices that store restricted data or information are included in the hardware inventory. [UCF Control ID 04719]

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Development and Acquisition, Pg 32, Exam Obj 11.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 28; FFIEC IT Examination Handbook – Operations, July 2004, Pg 7, Pg 8, Exam Tier II Obj A.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.5, Exhibit 5 CM-8; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § CM-8, App G § PM-5; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, NW5.1.3; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR0016); DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5 Release 2.4, § 2.2 (WIR0016, WIR0030); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, § 2 (WIR0016); IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control, Pg 34; Guide to Bluetooth Security, NIST SP 800-121, September 2008, Table 4-2 Item 6; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-5 Item 51; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 3.1.1, § 4.1.1.D, § 4.6.1.C; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCHW-1; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(5)

Sarbanes Oxley Guidance

The organization should document all system hardware. This documentation should include the type, number, location, and how the hardware is interconnected. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should maintain an up-to-date hardware inventory as part of the change management process. [Pg 32, Exam Obj 11.1, FFIEC IT Examination Handbook – Development and Acquisition]

An up-to-date hardware inventory should be maintained by the organization. The inventory can aid in speeding up the organization's response to new vulnerabilities and identifying unauthorized devices. [Pg 28, FFIEC IT Examination Handbook – E-Banking, August 2003]

The organization should maintain a hardware inventory. The inventory should include the terminals used for environmental and access control; the equipment owned by vendors and service providers; PCs, mainframes, and servers; and any other equipment located on the organization's site. Include the model and serial numbers; the location of the equipment; the function of the equipment; the storage and memory capacity of the equipment; any network connections; and the Internet Protocol (IP) address in the hardware inventory. [Pg 7, Pg 8, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]

Payment Card Guidance

§ 3.1.1 Ensure that the organization maintains an up-to-date hardware inventory so that known Access Points (APs) can easily be distinguished from rogue APs.
§ 4.1.1.D Use a wireless monitoring system that can track and locate all wireless devices (including Portable Electronic Devices and laptops) and report if one or more devices are missing.
§ 4.6.1.C Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices.
[§ 3.1.1, § 4.1.1.D, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
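The FFIEC E-Banking guidance above says an up-to-date inventory helps identify unauthorized devices, and PCI § 3.1.1 says it lets known access points be distinguished from rogue ones. Both rest on the same mechanical step: reconcile what is actually observed on the network against the inventory records. The following script is an added example written for this page; it is not code from the UCF or any of the cited authority documents. The inventory CSV and the observed-device list are constructed for illustration (hypothetical serial numbers, MAC and IP addresses, owners and dates), and the column set follows the fields the FFIEC Operations handbook asks for (manufacturer, model, serial, function, location, network connection, IP address) plus a MAC address, an owner and a last-verified date, which are assumptions of the example.

```python
"""Reconcile observed network devices against a hardware inventory.

Added example, not part of the UCF page or any cited standard. All data
below is constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory. Hypothetical serials, addresses and owners.
INVENTORY_CSV = """\
serial,manufacturer,model,type,function,location,owner,mac,ip,last_verified
SN-1001,Cisco,AIR-CAP2702I,wireless_ap,guest wifi,floor 2 closet B,netops,00:11:22:33:44:01,10.0.2.11,2009-06-01
SN-1002,Cisco,AIR-CAP2702I,wireless_ap,corp wifi,floor 3 closet A,netops,00:11:22:33:44:02,10.0.2.12,2009-06-01
SN-2001,Dell,R710,server,core banking app,DC1 rack 7,appteam,00:11:22:33:55:01,10.0.5.21,2009-03-15
SN-3001,Lenovo,T400,laptop,branch manager,branch 14,jdoe,00:11:22:33:66:01,10.0.14.50,2009-06-01
"""

# Constructed observations, as they might be merged from a wireless survey
# and a DHCP lease table. Only MAC, IP and the collecting source are assumed
# to be available from such scans.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.2.11", "source": "wireless survey"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.99", "source": "wireless survey"},  # IP differs from record
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.2.77", "source": "wireless survey"},  # not in inventory
    {"mac": "00:11:22:33:55:01", "ip": "10.0.5.21", "source": "dhcp leases"},
    # SN-3001 (the laptop) is not observed at all
]


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by lower-cased MAC address."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = row["mac"].strip().lower()
        if mac in inventory:
            # Two records claiming one MAC means the inventory itself is wrong.
            raise ValueError("duplicate MAC in inventory: %s" % mac)
        inventory[mac] = row
    return inventory


def reconcile(inventory, observed, today, max_age_days=90):
    """Compare observed devices with the inventory.

    Returns a dict of four lists:
      rogue   - observed devices whose MAC is not in the inventory
      missing - inventoried devices not seen in this scan
      drift   - inventoried devices seen with an IP other than the recorded one
      stale   - inventory records not re-verified within max_age_days
    """
    seen = {d["mac"].strip().lower(): d for d in observed}
    rogue = [d for mac, d in seen.items() if mac not in inventory]
    missing = [rec for mac, rec in inventory.items() if mac not in seen]
    drift = [(rec, seen[mac]["ip"]) for mac, rec in inventory.items()
             if mac in seen and seen[mac]["ip"] != rec["ip"]]
    cutoff = today - timedelta(days=max_age_days)
    stale = [rec for rec in inventory.values()
             if date.fromisoformat(rec["last_verified"]) < cutoff]
    return {"rogue": rogue, "missing": missing, "drift": drift, "stale": stale}


def report(result):
    """Render the reconciliation result as one finding per line."""
    lines = []
    for d in result["rogue"]:
        lines.append("ROGUE    %s at %s seen by %s; no inventory record"
                     % (d["mac"], d["ip"], d["source"]))
    for rec in result["missing"]:
        lines.append("MISSING  %s %s %s (%s) owner %s; not observed"
                     % (rec["serial"], rec["manufacturer"], rec["model"],
                        rec["location"], rec["owner"]))
    for rec, observed_ip in result["drift"]:
        lines.append("DRIFT    %s recorded at %s but observed at %s"
                     % (rec["serial"], rec["ip"], observed_ip))
    for rec in result["stale"]:
        lines.append("STALE    %s last verified %s"
                     % (rec["serial"], rec["last_verified"]))
    return lines


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    findings = reconcile(inv, OBSERVED, today=date(2009, 7, 15))
    print("\n".join(report(findings)))
```

Each category maps to a different follow-up: a ROGUE finding is the unauthorized device or rogue AP the FFIEC and PCI text warn about and needs investigation; a MISSING finding is either a device that is off or has left the premises (compare PCI § 4.1.1.D on reporting missing devices); DRIFT means the inventory record is wrong and should be corrected through change management; STALE means the scheduled verification did not happen. Keying on MAC address is a convenience of the example, not a security boundary, since a MAC can be spoofed; in practice the reconciliation should also draw on switch port, 802.1X or wireless-controller data where available.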

US Federal Security Guidance

Have you examined the Hardware inventory to ensure that it exists? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Hardware inventory to ensure that it contains the hardware manufacturer? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Hardware inventory to ensure that it contains the hardware type? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Hardware inventory to ensure that it contains the hardware model? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Hardware inventory to ensure that it contains the physical location of the hardware? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Hardware inventory to ensure that it contains the logical location of the hardware? [DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

US Internal Revenue Guidance

The organization must maintain an inventory of all system components and the names of the owners. [§ 5.6.5, Exhibit 5 CM-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

App F § CM-8 The organization must develop, document, and maintain an inventory of information system components that accurately reflects the current information system; is consistent with the authorization boundary of the system; is at the level of granularity deemed necessary for tracking and reporting; includes any information the organization determines necessary to achieve effective property accountability; and is available for review and audit by designated organizational officials.
App G § PM-5 The organization must develop and maintain an inventory of its information systems.
[App F § CM-8, App G § PM-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure that a hardware, software, and firmware inventory has been developed and is being maintained; that the inventory contains the manufacturer, type, serial number, version number, location, and the components required for contingency operations; and that specific responsibilities and actions are defined for implementing the system component inventory control. Any problems discovered while implementing the system component inventory control should be documented and used to improve the control.
Test the system to ensure it is configured to update the hardware inventory automatically on a scheduled basis.
Interview the personnel who maintain and update the system component inventories for the system.
[CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should maintain a current inventory of all Bluetooth-enabled wireless devices, along with their addresses. [Table 4-2 Item 6, Guide to Bluetooth Security, NIST SP 800-121, September 2008]

The organization should maintain an inventory of all wireless devices, such as laptops, PDAs, and mobile phones. [Table 8-5 Item 51, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]

Other Configuration Guidance

The organization should maintain a list of all wireless devices. The list should be stored in a secure location. [§ 2.2 (WIR0016), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]

A list of all approved wireless devices should be maintained by the CIO. [§ 2.2 (WIR0016, WIR0030), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5 Release 2.4]

Verify the organization has a procedure in place for ensuring the inventory is kept up to date. Examine the hardware inventory to ensure all wireless devices, including mice and keyboards, are listed. [§ 2 (WIR0016), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2]

ISO Guidance

Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
5. Protection against Theft
To achieve stock control, all items of equipment should be uniquely identifiable and an inventory maintained. Security guards/receptionists should be encouraged to check for equipment or media leaving rooms/areas or the building without authorization. Sensitive information and proprietary software held on portable media (e.g. floppy discs) should be protected appropriately.
[¶ 8.1.7(5), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

An inventory should be maintained of all hardware, including telephones and their associated cabling. This inventory should list the version, location, and a unique description of the hardware. The hardware inventory should be kept up-to-date, independently reviewed, reviewed regularly internally against actual assets, and protected so it cannot be changed without proper authorization. [SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, NW5.1.3, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of scheduled asset inventories that occurred on time. [UCF Control ID 02055]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.