
Establish, implement, and maintain a records inventory and database inventory.


CONTROL ID
01260
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails., CC ID: 00689

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall conduct inventory control on data files regularly or when the need arises using a file management book. (O25.3(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A database register is developed, implemented, maintained and verified on a regular basis. (Control: ISM-1243; Revision: 6, Australian Government Information Security Manual, June 2023)
  • A database register is developed, implemented, maintained and verified on a regular basis. (Control: ISM-1243; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The organization should maintain an accurate inventory of all deployed databases, along with their contents. (Control: 1243, Australian Government Information Security Manual: Controls)
  • The organization should review the inventory of deployed databases and its contents on a regular basis. (Control: 1243, Australian Government Information Security Manual: Controls)
  • A list of all registered audit companies must be kept by the auditing commission and must include the name and address of the company, the name and address of each director of the company, any restrictions on the company, and details of any suspensions the company has or has had. The organization is… (Sched 1 ¶ 112, Sched 4 ¶ 6, Sched 11A ¶ 2, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • Points of access to the entity's information assets from internal and external users and outside entities and the types of data that flow through the points of access are identified, inventoried and managed. The types of users and the systems authorized to connect to each point of access are identif… (S7.1 Manages points of access, Privacy Management Framework, Updated March 1, 2020)
  • The internal inventory and transaction documentation should include information about the type, form, and physical description of the gold and gold-bearing materials. (Supplement on Gold Step 1: § I.C.2.a, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The internal inventory and transaction documentation should include information from the supplier about the weight and assay of the gold and gold-bearing materials of input and the weight and assay of gold inputs and outputs. (Supplement on Gold Step 1: § I.C.2.b, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The internal inventory and transaction documentation should include supplier details, including "know your counterparty" due diligence information. (Supplement on Gold Step 1: § I.C.2.c, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The internal inventory and transaction documentation should include unique reference numbers for each input and output. (Supplement on Gold Step 1: § I.C.2.d, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The internal inventory and transaction documentation should include the dates of input, output, purchases, and sales. (Supplement on Gold Step 1: § I.C.2.e, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • Information classification details should be recorded in an inventory, or equivalent (e.g., a database, specialized piece of software, or on paper). (CF.03.01.07a, The Standard of Good Practice for Information Security)
  • Information classification details recorded should include the type of information being classified (e.g., merger and acquisition contract, salary details, or marketing forecasts). (CF.03.01.08a, The Standard of Good Practice for Information Security)
  • Information classification details recorded should include the level of classification of the information. (CF.03.01.08b, The Standard of Good Practice for Information Security)
  • Information classification details recorded should include the date for reclassification. (CF.03.01.08c, The Standard of Good Practice for Information Security)
  • Information classification details recorded should include the identity of the information owner. (CF.03.01.08d, The Standard of Good Practice for Information Security)
  • The file or database containing details of all authorized users for each system should be maintained by designated individuals, such as particular System Administrators. (CF.06.02.02-2, The Standard of Good Practice for Information Security)
  • Information classification details should be recorded in an inventory, or equivalent (e.g., a database, specialized piece of software, or on paper). (CF.03.01.07a, The Standard of Good Practice for Information Security, 2013)
  • Information classification details recorded should include the type of information being classified (e.g., merger and acquisition contract, salary details, or marketing forecasts). (CF.03.01.08a, The Standard of Good Practice for Information Security, 2013)
  • Information classification details recorded should include the level of classification of the information. (CF.03.01.08b, The Standard of Good Practice for Information Security, 2013)
  • Information classification details recorded should include the date for reclassification. (CF.03.01.08c, The Standard of Good Practice for Information Security, 2013)
  • Information classification details recorded should include the identity of the information owner. (CF.03.01.08d, The Standard of Good Practice for Information Security, 2013)
  • The file or database containing details of all authorized users for each system should be maintained by designated individuals, such as particular System Administrators. (CF.06.02.02-2, The Standard of Good Practice for Information Security, 2013)
  • Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually. (DSP-06, Cloud Controls Matrix, v4.0)
  • Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed. (IS-33, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Establish and maintain a data inventory, based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. (CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory, CIS Controls, V8)
  • Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. (CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution, CIS Controls, V8)
  • The records register must be unalterable in whatever form it takes, paper or electronic. (§ 4.3.3 ¶ 4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • An inventory of information and other associated assets, including owners, should be developed and maintained. (§ 5.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Organizations should create a structured documented information library, linking different parts of documented information by: (§ 7.5.2 Guidance ¶ 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determining and documenting the revision and approval process to ensure continual suitability and adequacy. (§ 7.5.2 Guidance ¶ 2(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determining the structure of the documented information framework; (§ 7.5.2 Guidance ¶ 2(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Register the Protocols and Services along with their related UDP/TCP IP Ports used by the SaaS service that will traverse the DISN in the DoD PPSM registry. This includes all user and management plane traffic for Levels 4, 5, and 6 as well as management plane traffic for Level 2 if managed/monitored… (Section 5.10.5 ¶ 1 Bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • An inventory of all Top Secret material must be conducted at least annually. COSMIC TOP SECRET, NATO SECRET, and ATOMAL documents must be inventoried on an annual basis. (§ 5-201, § 10-717, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Developer of the intervention (translation from clinical research/guideline); (§ 170.315 (a) (9) (v) (A) (2), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Developer of the intervention (translation from clinical research/guideline); (§ 170.315 (a) (9) (v) (A) (2), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The organization should periodically review all DIB asset data for accuracy and currency and should consult with the asset owner/operators to verify the data. When information is incomplete or inaccurate, additional information will be collected through follow-up site visits or telephone interviews. (§ 2.3 ¶ 1, Defense Industrial Base Information Assurance Standard)
  • Determine whether management has a comprehensive inventory of its electronic (or digital) and physical information assets, in accordance with the Information Security Standards. Evaluate whether management specifically identifies its information assets, determines the appropriate classification of t… (App A Objective 4:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should maintain comprehensive inventories of all assets. (Pg G-7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should maintain an inventory of all data sets and the location of where they are stored on the system. (Pg 29, Exam Tier I Obj 6.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • (SC-1.1, SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Inventory records must be kept of any media that contains Federal Tax Information (FTI) or results from the processing of FTI. The log for electronic files must list the date the information was received, a control number, the file name and contents of the file, the recipient(s), the number of recor… (§ 3.2, § 3.3, § 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Because the ISCP contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Typically, copies of the plan are provided to recovery personnel for storage. A copy should also be stored at the alternate site and with the backup me… (§ 3.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should document activities about the transport of smart grid information system media using a system of records. (SG.MP-5 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Inventories of data and corresponding metadata for designated data types are maintained (ID.AM-07, The NIST Cybersecurity Framework, v2.0)
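Several of the authority documents above share one operational requirement: the database register must be kept current and verified on a regular basis (ISM-1243, CIS Safeguard 3.2, FFIEC AIO App A Objective 4:3), and the register itself must be unalterable (ISO 15489-2 § 4.3.3). The following Python script is an added example, not taken from any of the cited documents or the framework vendor. It reconciles a constructed register against a constructed discovery result (what a port scan or cloud API listing would return) to surface shadow databases, entries that no longer exist, engine drift and stale verification dates, and it records each action in a SHA-256 hash chain so that later edits to the log are detectable. The hostnames, field names, the 90-day verification window and the "as of" date are all assumptions chosen for the illustration.

```python
"""Reconcile a database register against discovered instances and keep a
tamper-evident log of the check. All data below is constructed for the example."""
import hashlib
import json
from datetime import date

# Constructed register: what the organisation believes is deployed (assumed schema).
REGISTER = [
    {"id": "db-001", "host": "pay-db.internal", "port": 5432, "engine": "postgresql",
     "owner": "payments", "classification": "sensitive", "last_verified": "2024-01-15"},
    {"id": "db-002", "host": "hr-db.internal", "port": 3306, "engine": "mysql",
     "owner": "people-ops", "classification": "sensitive", "last_verified": "2024-03-01"},
    {"id": "db-003", "host": "old-reports.internal", "port": 1433, "engine": "mssql",
     "owner": "finance", "classification": "internal", "last_verified": "2023-02-10"},
]

# Constructed discovery output, e.g. from a network scan or a cloud provider's API.
DISCOVERED = [
    {"host": "pay-db.internal", "port": 5432, "engine": "postgresql"},
    {"host": "hr-db.internal", "port": 3306, "engine": "mariadb"},         # engine drift
    {"host": "analytics-dev.internal", "port": 27017, "engine": "mongodb"},  # not registered
]

AS_OF = date(2024, 5, 1)        # assumed date of the review run
MAX_VERIFY_AGE_DAYS = 90        # assumed policy: re-verify each entry at least quarterly


def _key(entry):
    """A database instance is identified by host and port."""
    return (entry["host"], entry["port"])


def reconcile(register, discovered, today=AS_OF, max_age_days=MAX_VERIFY_AGE_DAYS):
    """Compare register and discovery; return the findings a reviewer must act on."""
    reg = {_key(e): e for e in register}
    disc = {_key(e): e for e in discovered}
    findings = {"unregistered": [], "missing": [], "drift": [], "stale": []}
    for k, d in disc.items():
        if k not in reg:
            findings["unregistered"].append(d)            # shadow database
        elif reg[k]["engine"] != d["engine"]:
            findings["drift"].append({"id": reg[k]["id"],
                                      "registered": reg[k]["engine"],
                                      "observed": d["engine"]})
    for k, r in reg.items():
        if k not in disc:
            findings["missing"].append(r["id"])           # decommissioned without update
        age = (today - date.fromisoformat(r["last_verified"])).days
        if age > max_age_days:
            findings["stale"].append(r["id"])             # verification overdue
    return findings


GENESIS = "0" * 64


def _entry_hash(prev, action, payload):
    body = json.dumps({"prev": prev, "action": action, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_entry(ledger, action, payload):
    """Append an action to the register log, chaining it to the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev, "action": action, "payload": payload,
             "hash": _entry_hash(prev, action, payload)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger):
    """Recompute every hash; any edited, removed or reordered entry breaks the chain."""
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev or _entry_hash(prev, e["action"], e["payload"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


if __name__ == "__main__":
    findings = reconcile(REGISTER, DISCOVERED)
    ledger = []
    append_entry(ledger, "reconcile", findings)
    print(json.dumps(findings, indent=2))
    print("ledger intact:", verify_ledger(ledger))
```

The hash chain only makes the log tamper-evident, not tamper-proof: whoever can rewrite the whole file can rebuild a consistent chain, so the head hash of each run should be copied somewhere the register's maintainers cannot alter (signed, or written to append-only storage) to meet the "unalterable" requirement in practice. Entries flagged as `missing` and `unregistered` are the ones that matter most for the ISM and CIS controls, since each represents data the organisation holds without an accurate record of where it lives.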