Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.


CONTROL ID: 00689
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an asset inventory., CC ID: 06631

This Control has the following implementation support Control(s):
  • Include all account types in the Information Technology inventory., CC ID: 13311
  • Include each Information System's system boundaries in the Information Technology inventory., CC ID: 00695
  • Conduct environmental surveys., CC ID: 00690
  • Establish, implement, and maintain a hardware asset inventory., CC ID: 00691
  • Include interconnected systems and Software as a Service in the Information Technology inventory., CC ID: 04885
  • Include software in the Information Technology inventory., CC ID: 00692
  • Establish, implement, and maintain a storage media inventory., CC ID: 00694
  • Establish, implement, and maintain a records inventory and database inventory., CC ID: 01260
  • Add inventoried assets to the asset register database, as necessary., CC ID: 07051


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • For early detection of any theft, loss, and other conditions, the administrators for handheld terminals should be appointed and the total number of terminals should be checked on a regular basis. In addition, it is necessary to establish the notification/reception system that deals with theft, loss,… (P118.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Internet of Things (IoT) includes any electronic devices, such as smart phones, multi-function printers, security cameras and smart televisions, which can be connected to the FI's network or the Internet. As with all information assets, the FI should maintain an inventory of all its IoT devices, inc… (§ 11.5.1, Technology Risk Management Guidelines, January 2021)
  • The identity and value of systems, applications and information is determined and documented. (G2:, Australian Government Information Security Manual, March 2021)
  • An ICT equipment and media register is maintained and regularly audited. (Security Control: 0336; Revision: 4, Australian Government Information Security Manual, March 2021)
  • All ICT equipment and media are accounted for on a regular basis. (Security Control: 0159; Revision: 4, Australian Government Information Security Manual, March 2021)
  • cable colour (Security Control: 0208; Revision: 5; Bullet 2, Australian Government Information Security Manual, March 2021)
  • A database register is maintained and regularly audited. (Security Control: 1243; Revision: 4, Australian Government Information Security Manual, March 2021)
  • seal numbers (if applicable). (Security Control: 0208; Revision: 5; Bullet 7, Australian Government Information Security Manual, March 2021)
  • A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited. (Security Control: 1493; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The identity and value of systems, applications and data is determined and documented. (G2:, Australian Government Information Security Manual, June 2023)
  • An ICT equipment register is developed, implemented, maintained and verified on a regular basis. (Control: ISM-0336; Revision: 7, Australian Government Information Security Manual, June 2023)
  • Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis. (Control: ISM-1493; Revision: 4, Australian Government Information Security Manual, June 2023)
  • The identity and value of systems, applications and data is determined and documented. (G2:, Australian Government Information Security Manual, September 2023)
  • Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis. (Control: ISM-1493; Revision: 4, Australian Government Information Security Manual, September 2023)
  • A networked ICT equipment register is developed, implemented, maintained and verified on a regular basis. (Control: ISM-0336; Revision: 8, Australian Government Information Security Manual, September 2023)
  • A non-networked ICT equipment register is developed, implemented, maintained and verified on a regular basis. (Control: ISM-1869; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The organization must account for all of the sensitive and classified information and communications technology equipment and media. (Control: 0159, Australian Government Information Security Manual: Controls)
  • The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attac… (3.5 54, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a pro… (3.5 53, Final Report EBA Guidelines on ICT and security risk management)
  • a process and solutions to maintain a complete and up to date inventory and overview of all the outward facing network connection points (e.g. websites, internet applications, WIFI, remote access) through which third parties could break into the internal ICT systems. (Title 3 3.3.4(b) 55.h(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The organization should have an up-to-date inventory of all relevant systems and their good manufacturing practice functionality available. (¶ 4.3, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are: (Art. 7 ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies b… (Art. 8.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs. (Art. 8.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and depend… (Art. 8.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Survey the information technology systems and check if the existing databases or existing or planned IT systems are suitable for use as the starting point for the further procedures. (4.2.4 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Survey of the IT systems and assign the IT systems or IT system groups a unique name or code. (4.2.4 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • For defining the protection needs of other devices, first the business processes and applications for which these devices are used and how their protection needs are inherited must be determined. This information has been determined in Section 8.1.7 and Section 8.2.6. Here, the data flow via such … (§ 8.2.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • With a view to defining the protection requirements and information domain modelling that are to be subsequently performed, a list of the existing and planned IT systems in tabular form should be produced. The term IT system does not only refer to computers in the narrower sense, but also to IoT and… (§ 8.1.5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Produce or update and complete list of networked and stand-alone IT systems, IoT and ICS devices (§ 8.1.7 Subsection 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • IT-Grundschutz modelling should include acquisition of the devices with IoT functions that are networked, and particularly such devices that are not listed in the network plan considered above. Such devices should be grouped and handled as a single object as much as possible. (§ 8.1.7 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The corresponding supporting assets are assigned to each relevant information asset, (1.3.1 Requirements (should) Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Companies in the supply chain should maintain an internal inventory and transaction documentation for identifying gold inputs and outputs and/or supporting a chain of custody system. (Supplement on Gold Step 1: § I.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Regulated users should have an inventory of all computerized systems, who owns them, who the supplier or developer is, their functionality, network links, and their validation status. (¶ 6.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The regulated user must formally maintain an inventory of all computerized systems. (¶ 14.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Organizations must have a computerized systems validation policy with links to plans and Standard Operating Procedures, to include an inventory of all computerized systems classified by use, criticality, and validation status. (¶ 23.8, Good Practices For Computerized systems In Regulated GXP Environments)
  • Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens. (DS13.4 Sensitive Documents and Output Devices, CobiT, Version 4.1)
  • Is there a current list of all hardware and software components in the environment? (Appendix D, Build and Maintain a Secure Network Bullet 6 Sub-bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How is physical media inventoried, secured, monitored, and tracked? (Appendix D, Implement Strong Access Control Measures Bullet 16, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Interview personnel to verify the inventory is current. (Testing Procedures § 2.4.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The device list must include the make and model of the device. (PCI DSS Requirements § 9.9.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain an inventory of system components that are in scope for PCI DSS. (2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain an inventory of system components that are in scope for PCI DSS. (2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain an inventory of system components that are in scope for PCI DSS. (2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? (2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the documented inventory kept current? (2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the documented inventory kept current? (2.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? (2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? (2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the documented inventory kept current? (2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? (2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is the documented inventory kept current? (2.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each. (2.4.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview personnel to verify the documented inventory is kept current. (2.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. (12.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • An inventory of authorized wireless access points is maintained, including a documented business justification. (11.2.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the inventory to verify it includes all in-scope system components and a description of function/use for each. (12.5.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify the inventory is kept current. (12.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is the documented inventory kept current? (PCI DSS Question 2.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the documented inventory kept current? (PCI DSS Question 2.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is the list of devices that capture payment card data via direct physical interaction with the card accurate and up to date? (PCI DSS Question 9.9.1(b), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • An inventory of authorized wireless access points is maintained, including a documented business justification. (11.2.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An inventory of authorized wireless access points is maintained, including a documented business justification. (11.2.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. (12.5.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An inventory of authorized wireless access points is maintained, including a documented business justification. (11.2.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. (12.5.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The foundation for assessing the IT infrastructure vulnerabilities that may impact internal controls is formed by performing a complete inventory of the IT software, hardware, data, and network components. (§ 8.2.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Auditors should create a comprehensive inventory of the IT environment, which will form the foundation for assessing what vulnerabilities may impact the internal controls. (§ 2.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The organization should maintain an inventory of all digital assets, including a current list of all digital assets and their physical and logical locations. (App A.9 (Recommendations for Piracy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Physical inventories should be conducted on a continual basis to ensure shortages are discovered quickly. Adequate records should be maintained of all tangible assets to ensure ownership can be established when there is a question about ownership. (Pg 11-III-18, Pg 20-I-15, Protection of Assets Manual, ASIS International)
  • To facilitate the most efficient use of existing Information Security assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including Information Security specialists on staff) should be maintained. (SG.02.02.05a, The Standard of Good Practice for Information Security)
  • To facilitate the most efficient use of existing Information Security-related assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including sources of Information Security knowledge available throughout the organization) should be maintained. (SG.02.02.05b, The Standard of Good Practice for Information Security)
  • To facilitate the most efficient use of existing information security-related assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including information security-related products and services (that have been purchased externally or developed in… (SG.02.02.05c, The Standard of Good Practice for Information Security)
  • A record of customer connections should be maintained (e.g., in a log or equivalent), which includes details of authorized customers. (CF.05.01.05a, The Standard of Good Practice for Information Security)
  • To facilitate the most efficient use of existing Information Security assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including Information Security specialists on staff) should be maintained. (SG.02.02.05a, The Standard of Good Practice for Information Security, 2013)
  • To facilitate the most efficient use of existing Information Security-related assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including sources of Information Security knowledge available throughout the organization) should be maintained. (SG.02.02.05b, The Standard of Good Practice for Information Security, 2013)
  • To facilitate the most efficient use of existing information security-related assets throughout the organization, an inventory of resources that can be used to reduce cost and add value (including information security-related products and services (that have been purchased externally or developed in… (SG.02.02.05c, The Standard of Good Practice for Information Security, 2013)
  • A record of customer connections should be maintained (e.g., in a log or equivalent), which includes details of authorized customers. (CF.05.01.05a, The Standard of Good Practice for Information Security, 2013)
  • Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing t… (Control 1.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. (Control 1.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Establish and maintain an inventory of authorized devices and unauthorized devices. (Critical Control 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should deploy an automated asset inventory discovery tool and build a preliminary asset inventory of the systems connected to the public network and private network. (Critical Control 1.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization must connect the software inventory and the hardware asset inventory together, so everything is tracked from one location. (Critical Control 2.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. (DCS-06, Cloud Controls Matrix, v4.0)
  • Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. (CIS Control 1: Sub-Control 1.2 Use a Passive Asset Discovery Tool, CIS Controls, 7.1)
  • Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. (CIS Control 1: Sub-Control 1.2 Use a Passive Asset Discovery Tool, CIS Controls, V7)
  • Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. (CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool, CIS Controls, V8)
  • Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), … (CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory, CIS Controls, V8)
  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network… (CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory, CIS Controls, V8)
  • Service providers should maintain an up-to-date inventory of their physical facility and equipment. Outsourced service providers should maintain an inventory of their capabilities and capacities, such as computing and related equipment, software, and staff expertise, and it should be kept up-to-date… (§ 6.14.9, § 7.14.6, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. (A.8.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The following factors, and the relationship between these factors, should be considered: - tangible and intangible sources of risk; - causes and events; - threats and opportunities; -… (§ 6.4.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • In addition to the guidance provided in ISO 31000:2018, 6.3.1, for organizations using AI the scope of the AI risk management, the context of the AI risk management process and the criteria to evaluate the significance of risk to support decision-making processes should be extended to identify where… (§ 6.3.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization shall define the IT asset portfolio or portfolios covered by the scope of the IT asset management system. (Section 4.3 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. (§ 8.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and softwa… (CC6.1 ¶ 3 Bullet 9 Manages Credentials for Infrastructure and Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets. (ID.AM-3.2, CRI Profile, v1.2)
  • The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. (Asset Management (ID.AM), CRI Profile, v1.2)
  • The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. (ID.AM-3.1, CRI Profile, v1.2)
  • The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets. (ID.RA-5.5, CRI Profile, v1.2)
  • The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. (ID.AM-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets. (ID.AM-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets. (ID.RA-5.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization must maintain a current inventory of external and internal resources. (§ 5.6.6, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the Business Continuity and Disaster Recovery program include updates from the inventory of Information Technology assets and telecom assets? (§ K.1.2.10, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must establish and document inventory records for all system components. (CSR 1.9.4(4), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. (AM.4.226, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. (AM.4.226, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Have you checked to determine if the baseline software inventory is current? (DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A medical device manufacturer shall establish and maintain procedures to identify the product in all stages of production, receipt, distribution, and installation. (§ 820.60, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Technology asset inventories. (III.B Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Hardware, software, and telecommunications inventories. (App A Objective 1:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • This examination procedure may be performed in coordination with the examination procedures in Objective 4 (ITAM). Determine whether management has effective processes related to ITAM to track and monitor all hardware assets (whether or not they are connected to the network) to maintain an accurate … (App A Objective 13:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluation of the inventory of current IT assets and the purpose of those assets. (App A Objective 12:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames… (App A Objective 4:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly updates the information and technology asset inventories for new assets, both internal assets and those residing at third-party service provider locations. (App A Objective 3:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ascertains the effectiveness of database controls and updates the information asset and technology inventories. (App A Objective 3:6c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. (III.B Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") (App A Objective 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management effectively maintains an inventory(ies) of hardware, software, information, and connections. Review whether management does the following: (App A Objective 6.6, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should inventory and classify assets, including hardware, software, information, and connections. (II.C.5 Inventory and Classification of Assets, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Inventory of computer hardware, software, and telecommunications protocols used to support check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and acquiring transaction services. (App A Tier 1 Objectives and Procedures Objective 2:2 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the audit function periodically performs an inventory of unused ATM card stock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). (App A Tier 1 Objectives and Procedures Objective 7:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Exam Tier I Obj 1.2 Determine whether new retail payment products and emerging technologies pose increased risk due to the lack of maturity of the respective control environments. Consider: • New retail payment products and services that have been introduced within the past year. • Whether the i… (Exam Tier I Obj 1.2, Exam Tier I Obj 3.4, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Review past reports for comments relating to the institution's internal control environment and technical infrastructure. Consider: ▪ Internal controls including logical access controls, data center operations, and physical security controls. ▪ Wholesale EFT network controls. ▪ Inventory of co… (Exam Tier I Obj 1.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Security configuration, provisioning, logging, and monitoring. Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computin… (Risk Management Cloud Security Management Bullet 4, FFIEC Security in a Cloud Computing Environment)
  • The service provider must define the information that it deems necessary to achieve effective property accountability. (Column F: CM-8d, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the property accountability information. (Column F: CM-8d, FedRAMP Baseline Security Controls)
  • Does the Credit Union maintain a detailed listing of all critical computer equipment and programs? (IT - Networks Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does management maintain a current inventory of all the security analysis tools it uses? (IT - Security Program Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. (PM-5(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. (PM-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. (PM-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. (PM-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. (ID.AM Asset Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Physical devices and systems within the organization are inventoried (ID.AM-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. (ID.AM Asset Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Physical devices and systems within the organization are inventoried (ID.AM-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The organization develops and maintains an inventory of its information systems. (PM-5 Control, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Systems/products/services that process data are inventoried. (ID.IM-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Data actions of the systems/products/services are inventoried. (ID.IM-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must develop, document, and maintain an inventory of the smart grid system's components. (SG.CM-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop and maintain an inventory of its Information Systems. (App G § PM-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and maintain a system component inventory that includes information needed for effective property accountability. (App F § CM-8.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and maintain a system component inventory that is available for audit and review by designated officials. (App F § CM-8.e, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should update the system inventory as an integral part of installations, removals, and updates. (App F § CM-8(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to help maintain up-to-date, accurate, complete, and readily available inventory. (App F § CM-8(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should verify all components in the system's authorization boundary are included in the inventory as part of the system or as a component in another system. (App F § CM-8(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should include assessed component configurations and approved deviations to the current configurations in the system component inventory. (App F § CM-8(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops and maintains an inventory of its information systems. (PM-5, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes, maintains, and updates {organizationally documented frequency} an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII). (SE-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides each update of the PII inventory to the CIO or information security official {organizationally documented frequency} to support the establishment of information security requirements for all new or modified information systems containing PII. (SE-1b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and maintains an inventory of its information systems. (PM-5 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and (SE-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. (PM-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. (PM-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. (PM-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. (PM-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Inventories of software, services, and systems managed by the organization are maintained (ID.AM-02, The NIST Cybersecurity Framework, v2.0)