UCF ID: 00693 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
• Maintain asset discovery audit trails. [UCF Control ID 00689]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg E-3, Pg G-7; FFIEC IT Examination Handbook – Operations, July 2004, Pg 9, Exam Tier II Obj A.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, CB4.2.2, CB4.3.2, CI2.5.1, NW1.4.1, NW1.4.2(b), NW2.3.3, SM6.5.5; The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.2 (2.2.040); IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Australian Government ICT Security Manual (ACSI 33), § 3.8.31, § 3.8.33; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1, § 6.1(Maintain an Inventory); Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-5 Item 50; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 3.1.1; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 9, ¶ 9.1, ¶ 9.2, ¶ 9.3, ¶ 9.4, ¶ 9.5
Sarbanes Oxley Guidance
The organization should document all network connections to the system. This documentation should include how the system is connected to other systems and if information can be uploaded and/or downloaded from it. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should maintain comprehensive inventories of all assets. The organization should periodically inventory and validate the telecommunications circuits and paths. [Pg E-3, Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should maintain a networking inventory. The inventory should include all hardware and software connected to and operating on the network and a network configuration diagram. [Pg 9, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
Ensure that the organization maintains an up-to-date hardware inventory so that known Access Points (APs) can easily be distinguished from rogue APs. [§ 3.1.1, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
NIST Guidance
[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization must establish and maintain continuous monitoring policies and procedures that develop, document, and maintain a current inventory of the components of the information system; are consistent with the authorization boundary of the system; are at the level of granularity deemed appropriate for tracking and reporting; include any information determined to be necessary by the organization to achieve effective property accountability; and are available for review and audit by designated management. [App F § CM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure a hardware, software, and firmware inventory has been developed and is being maintained; the inventory includes the manufacturer, type, serial number, version number, location, and components required for contingency operations; and specific responsibilities and actions are defined for the implementation of the system component inventory control. Any problems discovered during the implementation of the system component inventory control should be documented and used to improve the controls.
Test the system to ensure it is configured to automatically update the network inventory on a scheduled basis.
Interviews should be conducted with personnel who maintain and update the system component inventories for the system. [CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should maintain an inventory of all legacy IEEE 802.11 APs and devices that connect to the wireless network. [§ 6.1(Maintain an Inventory), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1]
The organization should maintain an inventory of all access points. [Table 8-5 Item 50, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]
Other Configuration Guidance
A list should be maintained of all wired and wireless network and client devices used by the organization. The list should include configuration settings, such as MAC addresses, IP addresses, SSID, manufacturer, model, serial number, location, device users, and encryption algorithms. [§ 2.2 (2.2.040), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]
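As an added example (not from the UCF or from any of the cited benchmarks), the following Python reconciles a device inventory holding the fields listed above against the access points a scheduled wireless survey reported, so that known APs can be told apart from rogue ones: it flags observed APs absent from the inventory, inventoried APs that were not observed, and known APs whose observed SSID or encryption drifted from the record. All inventory and survey records are constructed, and the field names are assumptions.

```python
"""Reconcile a wireless device inventory against a survey of observed access points."""

# Constructed inventory records, using the fields the CIS wireless benchmark lists.
INVENTORY = [
    {"mac": "00:11:22:AA:BB:01", "ip": "10.0.1.2", "ssid": "corp-wifi", "manufacturer": "ExampleCo",
     "model": "AP-100", "serial": "SN-0001", "location": "Floor 1", "users": "staff", "encryption": "WPA2-AES"},
    {"mac": "00:11:22:AA:BB:02", "ip": "10.0.1.3", "ssid": "corp-wifi", "manufacturer": "ExampleCo",
     "model": "AP-100", "serial": "SN-0002", "location": "Floor 2", "users": "staff", "encryption": "WPA2-AES"},
    {"mac": "00:11:22:AA:BB:03", "ip": "10.0.1.4", "ssid": "corp-wifi", "manufacturer": "ExampleCo",
     "model": "AP-100", "serial": "SN-0003", "location": "Floor 3", "users": "staff", "encryption": "WPA2-AES"},
]

# Constructed survey results: what a scheduled scan reported seeing on the air.
OBSERVED = [
    {"mac": "00-11-22-aa-bb-01", "ssid": "corp-wifi", "encryption": "WPA2-AES"},  # matches record
    {"mac": "00:11:22:AA:BB:02", "ssid": "corp-wifi", "encryption": "WEP"},       # encryption drifted
    {"mac": "DE:AD:BE:EF:00:01", "ssid": "corp-wifi", "encryption": "OPEN"},      # not in inventory
]


def normalize_mac(mac):
    """Canonicalize a MAC so 'aa-bb-...' and 'AA:BB:...' compare equal."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, observed, fields=("ssid", "encryption")):
    """Compare inventory to survey; return rogue, missing and drifted devices keyed by MAC."""
    known = {normalize_mac(r["mac"]): r for r in inventory}
    seen = {normalize_mac(o["mac"]): o for o in observed}
    rogue = sorted(set(seen) - set(known))      # on the air but not inventoried
    missing = sorted(set(known) - set(seen))    # inventoried but not heard this cycle
    drifted = {}
    for mac in set(known) & set(seen):
        diffs = {f: (known[mac][f], seen[mac][f]) for f in fields if known[mac][f] != seen[mac][f]}
        if diffs:
            drifted[mac] = diffs
    return {"rogue": rogue, "missing": missing, "drifted": drifted}


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED).items():
        print(f"{category}: {items}")
```

A missing AP is not necessarily decommissioned; it may simply be out of the survey's range, so the two lists are review queues rather than verdicts.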
ISO Guidance
¶ 9 Review Network Architectures and Applications.
¶ 9.1 Introduction. Later steps in the Review of Network Architectures and Applications process move towards the confirmation of potential safeguard areas, i.e. identification of the:
• type(s) of network connection that will be used,
• networking characteristics and associated trust relationships involved,
• types of security risk,
and indeed the development of the list of potential safeguard areas (and later the related designs for securing a particular connection), should always be done in the context of the network architecture and applications that already exist or are planned.
Thus detail should be obtained of the relevant network architecture and applications, and reviewed, to provide the necessary understanding and context for the process steps that follow.
By clarifying these aspects at the earliest possible stage, the process of identifying the relevant security requirement identification criteria, identifying potential safeguard areas, and refining the security architecture, will become more efficient and will eventually result in a more workable security solution (see clauses 9.2 to 9.5 below).
At the same time, consideration of network and application architectural aspects at an early stage allows time for those architectures to be reviewed and possibly revised if an acceptable security solution cannot be realistically achieved within the current architecture.
The different areas that need to be considered under network architectures and applications include:
• types of network,
• network protocols,
• network applications.
Some of the issues for review for each of these areas are discussed in clauses 9.2 to 9.4 below. Other considerations are introduced in clause 9.5.
¶ 9.2 Types of Networks. Depending on the area they cover, networks can be categorized as:
• Local Area Networks (LAN), which are used to interconnect systems locally,
• Metropolitan Area Networks (MAN), which are used to interconnect systems in a metropolitan range,
• Wide Area Networks (WAN), which are used to interconnect systems in wider areas than MANs, up to worldwide coverage.
¶ 9.3 Network Protocols. Different protocols have different security characteristics and need to be afforded special consideration. For example:
• shared media protocols are mainly used in LANs (and sometimes in MANs) and provide mechanisms to regulate the use of shared media among the systems connected. As a shared medium is used, all information on the network is physically accessible by all connected systems,
• routing protocols are used to define the route through the different nodes on which information travels within MANs and WANs. Information is physically accessible for all systems along the route, and routing may be changed, either accidentally or intentionally.
The protocols may be used on different network topologies, for example bus, ring and star, whether implemented through wireless or non-wireless technologies, which may have further impact on security.
¶ 9.4 Network Applications. The types of applications used over a network need to be considered in the context of security. Types can include:
• terminal emulation based applications,
• store and forward or spooler based applications,
• client server applications.
¶ 9.5 Other Considerations. When reviewing the network architecture and applications, consideration should also be given to existing network connections within, to or from the organization, and to the network to which the connection is proposed. The organization's existing connections may restrict or prevent new connections, e.g. because of agreements or contracts. The existence of other connections to or from the network to which the connection is required could introduce additional vulnerabilities and thus higher risks, possibly warranting stronger and/or additional safeguards. [¶ 9, ¶ 9.1, ¶ 9.2, ¶ 9.3, ¶ 9.4, ¶ 9.5, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
An inventory should be maintained of all network-supported applications and all devices that make up the network, including nodes, connections, software, communications equipment, in-house cabling, and services. All external connections, including third party access, should be maintained in an inventory that contains details on authorized users and what areas are accessible to external users. [CB4.2.2, CB4.3.2, CI2.5.1, NW1.4.1, NW1.4.2(b), NW2.3.3, SM6.5.5, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Asia and Pacific Rim Guidance
The organization should maintain an inventory of cables installed in the facility. The inventory should record the cable identification number; the classification of data being transferred over the cable; the source and destination of the cable; and include a floor diagram showing the locations. The inventory should be reviewed on a regular basis for any inconsistencies between the inventory and the actual cable runs. [§ 3.8.31, § 3.8.33, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of scheduled asset inventories that occurred on time. [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
