
Establish, implement, and maintain an asset inventory.


CONTROL ID: 06631
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails., CC ID: 00689
  • Link the authentication system to the asset inventory., CC ID: 13718
  • Record a unique name for each asset in the asset inventory., CC ID: 16305
  • Record the decommission date for applicable assets in the asset inventory., CC ID: 14920
  • Record the status of information systems in the asset inventory., CC ID: 16304
  • Record the communication interfaces for applicable assets in the asset inventory., CC ID: 16301
  • Record the Uniform Resource Locator for applicable assets in the asset inventory., CC ID: 14918
  • Include source code in the asset inventory., CC ID: 14858
  • Assign ownership of maintaining the asset inventory, as necessary., CC ID: 12344
  • Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory., CC ID: 12110
  • Record the review date for applicable assets in the asset inventory., CC ID: 14919
  • Record software license information for each asset in the asset inventory., CC ID: 11736
  • Record services for applicable assets in the asset inventory., CC ID: 13733
  • Record protocols for applicable assets in the asset inventory., CC ID: 13734
  • Record the software version in the asset inventory., CC ID: 12196
  • Record the publisher for applicable assets in the asset inventory., CC ID: 13725
  • Record the authentication system in the asset inventory., CC ID: 13724
  • Tag unsupported assets in the asset inventory., CC ID: 13723
  • Record the install date for applicable assets in the asset inventory., CC ID: 13720
  • Record the make, model of device for applicable assets in the asset inventory., CC ID: 12465
  • Record the asset tag for physical assets in the asset inventory., CC ID: 06632
  • Record the host name of applicable assets in the asset inventory., CC ID: 13722
  • Record network ports for applicable assets in the asset inventory., CC ID: 13730
  • Record the MAC address for applicable assets in the asset inventory., CC ID: 13721
  • Record the operating system version for applicable assets in the asset inventory., CC ID: 11748
  • Record the operating system type for applicable assets in the asset inventory., CC ID: 06633
  • Record rooms at external locations in the asset inventory., CC ID: 16302
  • Record the department associated with the asset in the asset inventory., CC ID: 12084
  • Record the physical location for applicable assets in the asset inventory., CC ID: 06634
  • Record the manufacturer's serial number for applicable assets in the asset inventory., CC ID: 06635
  • Record the firmware version for applicable assets in the asset inventory., CC ID: 12195
  • Record the related business function for applicable assets in the asset inventory., CC ID: 06636
  • Record the deployment environment for applicable assets in the asset inventory., CC ID: 06637
  • Record the Internet Protocol address for applicable assets in the asset inventory., CC ID: 06638
  • Record trusted keys and certificates in the asset inventory., CC ID: 15486
  • Record cipher suites and protocols in the asset inventory., CC ID: 15489
  • Link the software asset inventory to the hardware asset inventory., CC ID: 12085
  • Record the owner for applicable assets in the asset inventory., CC ID: 06640
  • Record all compliance requirements for applicable assets in the asset inventory., CC ID: 15696
  • Record all changes to assets in the asset inventory., CC ID: 12190
  • Record cloud service derived data in the asset inventory., CC ID: 13007
  • Include cloud service customer data in the asset inventory., CC ID: 13006


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • To ensure the continued availability of AIs’ technology related services, AIs should maintain and service IT facilities and equipment (e.g. computer hardware, network devices, electrical power distribution, UPS and air conditioning units) in accordance with the industry practice, and suppliers’ … (5.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Handheld terminals should be individually identified with ID and the owner. (P118.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Identification of assets and estimation of their value. Some aspects to be included are people, buildings, hardware, software, data (electronic, print) and supplies (Critical components of information security 2) 3) Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Effective control requires a detailed inventory of information assets. Such a list is the first step in classifying the assets and determining the level of protection to be provided to each asset. (Critical components of information security 3) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A clear and distinct identification of the asset (Critical components of information security 3) ¶ 2 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • For accountability purposes, a bank should ensure that users and IT assets are uniquely identified and their actions are auditable. (Critical components of information security 5) (viii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should maintain an inventory of all its information assets. The inventory should be reviewed periodically and updated whenever there are changes. (§ 3.3.2, Technology Risk Management Guidelines, January 2021)
  • identification of information assets that support the FI's business and delivery of financial services; (§ 3.3.1(a), Technology Risk Management Guidelines, January 2021)
  • A cable register is maintained and regularly audited. (Security Control: 0211; Revision: 5, Australian Government Information Security Manual, March 2021)
  • In order to facilitate information asset registration and mapping of interrelationships to other information assets, APRA-regulated entities typically use an information asset inventory repository such as a configuration management database (CMDB). (32., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how … (3.5 50, Final Report EBA Guidelines on ICT and security risk management)
  • The ICT asset inventory should be sufficiently detailed to enable the prompt identification of an ICT asset, its location, security classification and ownership. Interdependencies between assets should be documented to help in the response to security and operational incidents, including cyber-attac… (3.5 54, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a pro… (3.5 53, Final Report EBA Guidelines on ICT and security risk management)
  • an asset inventory of the existing applications and ICT systems in the production environment, as well as the test and development environment, so that required changes (e.g. version updates or upgrades, systems patching, configuration changes) can be properly managed, implemented and monitored for … (Title 3 3.3.4(c) 56.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies b… (Art. 8.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs. (Art. 8.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and depend… (Art. 8.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The results of the previous steps, i.e. determination of framework conditions, formulation of information security objectives and determination of the appropriate security level of the business processes should be consolidated next in an overview of the available assets of the organisation. (§ 3.2.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Create a consolidated summary of the present assets based on the knowledge gained previously (§ 3.2.4 Subsection 4 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the networked and non-networked IT systems, ICS and IoT components belonging to the information domain, (§ 8 Subsection 2 ¶ 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the IoT devices that are currently being used or will be used soon in the organisation, and (§ 8.1.7 Subsection 1 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check whether existing databases or summaries of the existing or planned IT, ICS systems as well as other devices are appropriate as the basis for the further approach (§ 8.1.7 Subsection 3 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Produce list of all properties, buildings and rooms listed when acquiring the IT, ICS and IoT systems (§ 8.1.8 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Add other rooms in which information requiring protection or processed in another manner are stored (§ 8.1.8 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Give IT, ICS, IoT systems or system groups unique names or codes (§ 8.1.7 Subsection 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Full title of the module (e.g. SYS.3.1 Laptop) (§ 6.2.3 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Target object: For example, this could be the identification number of a component or a group and/or the name of a building or organisational unit. (§ 6.2.3 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Contact person: This column serves initially only as a placeholder. The contact person is not determined at the modelling stage, but only at the point when the gap analysis in the IT-Grundschutz Check is being planned. (§ 6.2.3 ¶ 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Order: The order of implementation (R1, R2, R3) of the module should be entered. (§ 6.2.3 ¶ 1 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Notes: Incidental information and the rationale behind the modelling can be documented in this column. (§ 6.2.3 ¶ 1 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In organisation with production and manufacturing also the industrial control systems (ICS) used by the organisation must be documented. (§ 8.1.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the number and the name of the object or group of objects to which the module was assigned during modelling, (§ 8.4.3 ¶ 4 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the date on which the information was recorded and the name of the author, and (§ 8.4.3 ¶ 4 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identifying the organisation's own assets and the persons responsible and ensuring an appropriate level of protection. (Section 5.4 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • In the event of a failure of assets which are of essential importance for the availability of the cloud service (e. g. central network components), the cloud provider is able to promptly detect which cloud customers are affected by this in order to ensure a response to the malfunctions occurred that… (Section 5.4 AM-01 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • All inventoried assets are assigned to a person responsible on the part of the cloud provider. The persons responsible of the cloud provider are responsible over the entire life cycle of the assets to ensure that they are inventoried completely and classified correctly. (Section 5.4 AM-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The assets (e. g. PCs, peripheral devices, telephones, network components, servers, installation documentation, process instructions, IT applications, tools) used to render the cloud service are identified and inventoried. By means of appropriate processes and safeguards, it is ensured that this inv… (Section 5.4 AM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The cloud provider maintains a list of all assets critical in terms of logging and monitoring and reviews this list for their currency and correctness at regular intervals. For these critical assets, advanced logging and monitoring safeguards were defined. (Section 5.6 RB-12 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The institution shall have an up-to-date overview of the components of the defined information domain as well as any related dependencies and interfaces. The institution shall be guided in this respect in particular by internal operating needs, business activities and the risk situation. (II.3.10, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The components of the IT systems and their connections with each other shall be administered in a suitable way, and the inventory data collected for this shall be updated regularly and on an ad hoc basis. (II.7.46, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The portfolio of IT systems shall be managed appropriately. This shall also take account of the risks stemming from outdated IT systems (lifecycle management). (II.7.47, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • A catalog of the relevant information assets exists: (1.3.1 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The information assets being of relevance to the organization are identified and recorded. (1.3.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Potentially endangered infrastructure components (e.g. access points, IT systems) are identified and recorded. (3.1.2 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • You should have an accurate picture of the assets which make up the service, along with their configurations and dependencies. (5.1 ¶ 1, Cloud Security Guidance, 1.0)
  • The entity identifies, inventories, validates, classifies and manages information assets. (S7.1 Identifies and manages the inventory of information assets, Privacy Management Framework, Updated March 1, 2020)
  • Components shall provide the capability to support a control system component inventory according to IEC 62443-3-3 SR 7.8. (11.10.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Examine the documented policies and procedures to verify they include maintaining a list of devices. (Testing Procedures § 9.9 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • An up-to-date list of devices must be maintained. (PCI DSS Requirements § 9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that a list of such devices be maintained? (9.9 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Do policies and procedures require that a list of such devices be maintained? (9.9 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Is the list accurate and up to date? (9.9.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that a list of such devices be maintained? (9.9(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Is the list accurate and up to date? (9.9.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Select a sample of devices from the list and observe devices and device locations to verify that the list is accurate and up to date. (9.9.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the list of devices to verify it includes: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned, etc. (9.9.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the list of POI devices to verify it includes all elements specified in this requirement. (9.5.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe POI devices and device locations and compare to devices in the list to verify that the list is accurate and up to date. (9.5.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify the list of POI devices is updated when devices are added, relocated, decommissioned, etc. (9.5.1.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do policies and procedures require that a list of devices that capture payment card data via direct physical interaction with the card be maintained to protect against tampering and substitution? (PCI DSS Question 9.9(a), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintaining a list of POI devices. (9.5.1 Bullet 1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An up-to-date list of POI devices is maintained, including: (9.5.1.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • There should be documented standards / procedures for asset management, which cover keeping the asset register up-to-date. (CF.03.04.01b-2, The Standard of Good Practice for Information Security)
  • Asset registers should specify important information about each asset, including a unique description of software in use. (CF.03.04.04a-2, The Standard of Good Practice for Information Security)
  • Asset registers should be signed off by an appropriate business representative. (CF.03.04.07a, The Standard of Good Practice for Information Security)
  • Asset registers should be kept up-to-date. (CF.03.04.07c, The Standard of Good Practice for Information Security)
  • Asset registers should be reviewed independently. (CF.03.04.07d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for asset management, which cover keeping the asset register up-to-date. (CF.03.04.01b-2, The Standard of Good Practice for Information Security, 2013)
  • Asset registers should be signed off by an appropriate business representative. (CF.03.04.07a, The Standard of Good Practice for Information Security, 2013)
  • Asset registers should be kept up-to-date. (CF.03.04.07c, The Standard of Good Practice for Information Security, 2013)
  • Asset registers should be reviewed independently. (CF.03.04.07e, The Standard of Good Practice for Information Security, 2013)
  • Asset registers should specify important information about each asset, including purpose of each asset (e.g., processing high value transactions, manufacturing goods, or handling medical records) and corresponding owner. (CF.03.04.04a, The Standard of Good Practice for Information Security, 2013)
  • The acquisition of hardware / software should be recorded in an asset register. (CF.16.02.08b, The Standard of Good Practice for Information Security, 2013)
  • Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should … (Control 1.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should develop an information asset inventory that identifies the critical information and maps the information to its hardware assets. (Critical Control 1.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The alerting system and the asset inventory database must be able to identify where authorized devices and unauthorized devices that are plugged into the network are located, their department, and other details. (Control 7 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Assets must be classified in terms of business criticality in support of dynamic and distributed physical and virtual computing environments, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical… (DCS-01, Cloud Controls Matrix, v3.0)
  • Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. (DCS-06, Cloud Controls Matrix, v4.0)
  • Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. (CIS Control 2: Sub-Control 2.6 Address Unapproved Software, CIS Controls, 7.1)
  • Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not. (CIS Control 1: Sub-Control 1.4 Maintain Detailed Asset Inventory, CIS Controls, 7.1)
  • Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. (CIS Control 1: Sub-Control 1.4 Maintain Detailed Asset Inventory, CIS Controls, V7)
  • Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. (CIS Control 2: Sub-Control 2.6 Address Unapproved Software, CIS Controls, V7)
  • Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. (CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems, CIS Controls, V8)
  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network… (CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory, CIS Controls, V8)
  • Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. (CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory, CIS Controls, V8)
  • account for health information assets (i.e. maintain an inventory of such assets); (§ 8.1.1 Health-specific control ¶ 1(a), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Assets of and their value to the organization: (§ 6.4.2.2 ¶ 1 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization shall ensure that required data about all core IT assets in scope is accurately recorded throughout the life cycle; and that there is documented information for all IT assets as to whether they are authorized or not. (Section 8.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • An inventory of information and other associated assets, including owners, should be developed and maintained. (§ 5.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service. (§ 8.1.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity identifies, inventories, classifies, and manages information assets (for example, infrastructure, software, and data). (CC6.1 ¶ 3 Bullet 1 Identifies and Manages the Inventory of Information Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity identifies, documents, and maintains records of system components such as infrastructure, software, and other information assets. Information assets include physical endpoint devices and systems, virtual systems, data and data flows, external information systems, and organizational roles. (CC2.1 ¶ 4 Bullet 2 Manages Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. (ID.AM-1.1, CRI Profile, v1.2)
  • The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. (ID.AM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Components may bring their own set of components into the overall control system. When this is the case then those components need to provide a mechanism to augment the overall component inventory which is compatible with ISA‐62443‐2‐4 [8] SP.06.02. (11.10.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Develops and documents an inventory of information system components that: (CM-8a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Accurately reflects the current information system; (CM-8a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Accurately reflects the current information system; (CM-8a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Develops and documents an inventory of information system components that: (CM-8a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Accurately reflects the current information system; (CM-8a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops and documents an inventory of information system components that: (CM-8a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops and documents an inventory of information system components that: (CM-8a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Accurately reflects the current information system; (CM-8a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity identifies, inventories, classifies, and manages information assets. (CC6.1 Identifies and Manages the Inventory of Information Assets, Trust Services Criteria)
  • The entity identifies, inventories, classifies, and manages information assets. (CC6.1 ¶ 2 Bullet 1 Identifies and Manages the Inventory of Information Assets, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Is there an inventory system for hardware and software assets? (§ D.1.1, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.L2-3.4.1 System Baselining, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Internal and external assets. (App A Objective 5:2a Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. (Domain 1: Assessment Factor: Governance, IT ASSET MANAGEMENT Baseline 3 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Regularly reviewing and validating the accuracy of the inventories. (App A Objective 4:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Adds assets to the inventories and tracks changes made to assets. (App A Objective 4:4b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Specifying the life cycle phase of those assets. (App A Objective 4:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly updates the information and technology asset inventories for new assets, both internal assets and those residing at third-party service provider locations. (App A Objective 3:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintenance and ownership of the IT architecture repository. (App A Objective 2:9a Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ascertains the effectiveness of database controls and updates the information asset and technology inventories. (App A Objective 3:6c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Updates the inventory(ies) appropriately. (App A Objective 6.6.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Maintains an inventory of assets, event classes, threats, and existing controls. (App A Objective 10:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The service provider must define the information that it deems necessary to achieve effective property accountability. (Column F: CM-8d, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the property accountability information. (Column F: CM-8d, FedRAMP Baseline Security Controls)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Accurately reflects the current information system; (CM-8a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops and documents an inventory of information system components that: (CM-8a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops and documents an inventory of information system components that: (CM-8a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Accurately reflects the current information system; (CM-8a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops and documents an inventory of information system components that: (CM-8a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Accurately reflects the current information system; (CM-8a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Maintain records of the system components. (PE-16b., FedRAMP Security Controls High Baseline, Version 5)
  • Accurately reflects the system; (CM-8a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Develop and document an inventory of system components that: (CM-8a., FedRAMP Security Controls High Baseline, Version 5)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., FedRAMP Security Controls High Baseline, Version 5)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Includes all components within the system; (CM-8a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., FedRAMP Security Controls High Baseline, Version 5)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., FedRAMP Security Controls High Baseline, Version 5)
  • Review and update the system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b., FedRAMP Security Controls High Baseline, Version 5)
  • Maintain records of the system components. (PE-16b., FedRAMP Security Controls Low Baseline, Version 5)
  • Accurately reflects the system; (CM-8a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Develop and document an inventory of system components that: (CM-8a., FedRAMP Security Controls Low Baseline, Version 5)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., FedRAMP Security Controls Low Baseline, Version 5)
  • Includes all components within the system; (CM-8a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., FedRAMP Security Controls Low Baseline, Version 5)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., FedRAMP Security Controls Low Baseline, Version 5)
  • Review and update the system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b., FedRAMP Security Controls Low Baseline, Version 5)
  • Maintain records of the system components. (PE-16b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Accurately reflects the system; (CM-8a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop and document an inventory of system components that: (CM-8a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Includes all components within the system; (CM-8a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review and update the system component inventory [FedRAMP Assignment: at least monthly]. (CM-8b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does the Credit Union maintain a current inventory of the specifications for each network component, such as Operating System, type of server, required software, software version, and date of last updates? (IT - Networks Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Accurately reflects the system; (CM-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop and document an inventory of system components that: (CM-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Includes all components within the system; (CM-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Maintain records of the system components. (PE-16b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Accurately reflects the system; (CM-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop and document an inventory of system components that: (CM-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Includes all components within the system; (CM-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Maintain records of the system components. (PE-16b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Accurately reflects the system; (CM-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Includes all components within the system; (CM-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Maintain records of the system components. (PE-16b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop and document an inventory of system components that: (CM-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Accurately reflects the system; (CM-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Includes all components within the system; (CM-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Develop and document an inventory of system components that: (CM-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Maintain records of the system components. (PE-16b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Includes all components within the system; (CM-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Accurately reflects the system; (CM-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop and document an inventory of system components that: (CM-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Accurately reflects the system; (CM-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop and document an inventory of system components that: (CM-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Includes all components within the system; (CM-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Maintain records of the system components. (PE-16b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Accurately reflects the system; (CM-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop and document an inventory of system components that: (CM-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Includes all components within the system; (CM-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provide a centralized repository for the inventory of system components. (CM-8(7) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components. (3.4.1e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Develops and documents an inventory of information system components that: (CM-8a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops and documents an inventory of information system components that: (CM-8a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops and documents an inventory of information system components that: (CM-8a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Accurately reflects the current information system; (CM-8a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Accurately reflects the current information system; (CM-8a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Accurately reflects the current information system; (CM-8a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform asset management/inventory of information technology (IT) resources. (T0496, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should develop, document, and maintain an inventory that allows the organization to track and report on components and to allow for property accountability. (SG.CM-8 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to maintain a complete, accurate, available, and up-to-date system component inventory. (SG.CM-8 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should document, identify, and track all system components and information, so their function and location are known. (SG.CM-9 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must develop, document, and maintain a system component inventory that accurately depicts the current system. (App F § CM-8.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and maintain a system component inventory that is at the level of granularity deemed appropriate for tracking and reporting. (App F § CM-8.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and maintain a system component inventory that is consistent with the authorization boundary of the system. (App F § CM-8.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Perform asset management/inventory of information technology (IT) resources. (T0496, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops and documents an inventory of information system components that accurately reflects the current information system. (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes {organizationally documented information deemed necessary to achieve effective information system component accountability}. (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the information system component inventory {organizationally documented frequency}. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides a centralized repository for the inventory of information system components. (CM-8(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that accurately reflects the current information system. (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes {organizationally documented information deemed necessary to achieve effective information system component accountability}. (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the information system component inventory {organizationally documented frequency}. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that accurately reflects the current information system. (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes {organizationally documented information deemed necessary to achieve effective information system component accountability}. (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the information system component inventory {organizationally documented frequency}. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that accurately reflects the current information system. (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops and documents an inventory of information system components that includes {organizationally documented information deemed necessary to achieve effective information system component accountability}. (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the information system component inventory {organizationally documented frequency}. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Develops and documents an inventory of information system components that: (CM-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Accurately reflects the current information system; (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops and documents an inventory of information system components that: (CM-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Accurately reflects the current information system; (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Accurately reflects the current information system; (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Develops and documents an inventory of information system components that: (CM-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops and documents an inventory of information system components that: (CM-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Accurately reflects the current information system; (CM-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization provides a centralized repository for the inventory of information system components. (CM-8(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. (SE-1b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Maintain records of the system components. (PE-16b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Accurately reflects the system; (CM-8a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and document an inventory of system components that: (CM-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Includes all components within the system; (CM-8a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide a centralized repository for the inventory of system components. (CM-8(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain records of the system components. (PE-16b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Accurately reflects the system; (CM-8a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop and document an inventory of system components that: (CM-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Does not include duplicate accounting of components or components assigned to any other system; (CM-8a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and update the system component inventory [Assignment: organization-defined frequency]. (CM-8b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Update the inventory of system components as part of component installations, removals, and system updates. (CM-8(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Includes all components within the system; (CM-8a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide a centralized repository for the inventory of system components. (CM-8(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and (CM-8a.5., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Accurately reflects the current information system; (CM-8a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. (CM-8b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization provides a centralized repository for the inventory of information system components. (CM-8(7) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develops and documents an inventory of information system components that: (CM-8a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Maintain and secure the company's list of critical facilities. (4.2 ¶ 1 Bullet 4, Pipeline Security Guidelines)
  • asset inventory and device management; (§ 500.03 Cybersecurity Policy (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity's information systems. The asset inventory shall be maintained in accordance with writt… (§ 500.13 Asset Management and Data Retention Requirements (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • a method to track key information for each asset, including, as applicable, the following: (§ 500.13 Asset Management and Data Retention Requirements (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • the frequency required to update and validate the covered entity's asset inventory. (§ 500.13 Asset Management and Data Retention Requirements (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • asset inventory, device management and end of life management; (§ 500.3 Cybersecurity Policy (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Develops and documents an inventory of information system components that: (CM-8a., TX-RAMP Security Controls Baseline Level 1)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., TX-RAMP Security Controls Baseline Level 1)
  • Accurately reflects the current information system; (CM-8a.1., TX-RAMP Security Controls Baseline Level 1)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., TX-RAMP Security Controls Baseline Level 1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., TX-RAMP Security Controls Baseline Level 1)
  • Reviews and updates the information system component inventory [TX-RAMP Assignment: at least monthly]. (CM-8b., TX-RAMP Security Controls Baseline Level 1)
  • Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and (CM-8a.4., TX-RAMP Security Controls Baseline Level 2)
  • Accurately reflects the current information system; (CM-8a.1., TX-RAMP Security Controls Baseline Level 2)
  • The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. (CM-8(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Is at the level of granularity deemed necessary for tracking and reporting; and (CM-8a.3., TX-RAMP Security Controls Baseline Level 2)
  • Develops and documents an inventory of information system components that: (CM-8a., TX-RAMP Security Controls Baseline Level 2)
  • Includes all components within the authorization boundary of the information system; (CM-8a.2., TX-RAMP Security Controls Baseline Level 2)
  • Reviews and updates the information system component inventory [TX-RAMP Assignment: at least monthly]. (CM-8b., TX-RAMP Security Controls Baseline Level 2)