Networking inventory

Status: Live

The organization will maintain a networking inventory as a part of the asset inventory plan. [UCF ID 00693]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg E-3, Pg G-7; FFIEC IT Examination Handbook – Operations, July 2004, Pg 9, Exam Tier II Obj A.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, CB4.2.2, CB4.3.2, CI2.5.1, NW1.4.1, NW1.4.2(b), NW2.3.3, SM6.5.5; The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005, § 2.2 (2.2.040); IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Australian Government ICT Security Manual (ACSI 33), § 3.8.31, § 3.8.33; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1, § 6.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-5 Item 50; Archer Control Table, ATCS-020, ATCS-023; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 3.1.1

Sarbanes Oxley Guidance

The organization should document all network connections to the system. This documentation should include how the system is connected to other systems and if information can be uploaded and/or downloaded from it. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The organization should maintain comprehensive inventories of all assets. The organization should periodically inventory and validate the telecommunications circuits and paths. [Pg E-3, Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should maintain a networking inventory. The inventory should include all hardware and software connected to and operating on the network and a network configuration diagram. [Pg 9, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]

Payment Card Guidance

Ensure that the organization maintains an up-to-date hardware inventory so that known Access Points (APs) can easily be distinguished from rogue APs. [§ 3.1.1, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]

NIST Guidance

[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The organization ought to develop, document, and maintain a current inventory of the components of the information system and relevant ownership information. The organization must determine the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. [CM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to ensure a hardware, software, and firmware inventory has been developed and is being maintained; the inventory includes the manufacturer, type, serial number, version number, location, and components required for contingency operations; and specific responsibilities and actions are defined for the implementation of the system component inventory control. Any problems discovered during the implementation of the system component inventory control should be documented and used to improve the controls.
Test the system to ensure it is configured to automatically update the network inventory on a scheduled basis.
Interviews should be conducted with personnel who maintain and update the system component inventories for the system.
[CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should maintain an inventory of all legacy IEEE 802.11 APs and devices that connect to the wireless network. [§ 6.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1]

The organization should maintain an inventory of all access points. [Table 8-5 Item 50, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]

Other Configuration Guidance

A list should be maintained of all wired and wireless network and client devices used by the organization. The list should include configuration settings, such as MAC addresses, IP addresses, SSID, manufacturer, model, serial number, location, device users, and encryption algorithms. [§ 2.2 (2.2.040), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]

General Guidance

An inventory should be maintained of all network-supported applications and all devices that make up the network, including nodes, connections, software, communications equipment, in-house cabling, and services. All external connections, including third party access, should be maintained in an inventory that contains details on authorized users and what areas are accessible to external users. [CB4.2.2, CB4.3.2, CI2.5.1, NW1.4.1, NW1.4.2(b), NW2.3.3, SM6.5.5, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

Asia and Pacific Rim Guidance

The organization should maintain an inventory of cables installed in the facility. The inventory should record the cable identification number; the classification of data being transferred over the cable; the source and destination of the cable; and include a floor diagram showing the locations. The inventory should be reviewed on a regular basis for any inconsistencies between the inventory and the actual cable runs. [§ 3.8.31, § 3.8.33, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
