Record the related business function for applicable assets in the asset inventory.


CONTROL ID: 06636
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an asset inventory. CC ID: 06631

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • In addition, financial institutions should identify, establish and maintain updated mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, staff, contractors, third parties and dependencies on other internal and external systems and proce… (3.3.2 16, Final Report EBA Guidelines on ICT and security risk management)
  • For defining the protection needs of other devices, first the business processes and applications for which these devices are used and how their protection needs are inherited must be determined. This information has been determined in Section 8.1.7 and Section 8.2.6. Here, the data flow via such … (§ 8.2.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the type and function (e.g. database server for application X), (§ 8.1.4 ¶ 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • description (type and function), (§ 8.1.7 ¶ 5 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • description (type and function), (§ 8.1.6 ¶ 5 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • description (e.g. function, type), (§ 8.1.5 Subsection 1 ¶ 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Here, a reasonable approach for the ISO could be to go to the various rooms of the organisation and to identify the relevant components that require power and if they could be networked via IT networks. The ISO should talk particularly to the colleagues of the building services team, but also the ot… (§ 8.1.7 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The control system shall provide the capability to report the current list of installed components and their associated properties. (11.10.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should … (Control 1.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. (CIS Control 1: Sub-Control 1.5 Maintain Asset Inventory Information, CIS Controls, 7.1)
  • Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. (CIS Control 1: Sub-Control 1.5 Maintain Asset Inventory Information, CIS Controls, V7)
  • Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), … (CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory, CIS Controls, V8)
  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network… (CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory, CIS Controls, V8)
  • Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. (CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts, CIS Controls, V8)
  • The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. (ID.AM-3.1, CRI Profile, v1.2)
  • The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. (ID.AM-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Does the inventory system contain a field for the business function? (§ D.1.1.5, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Determine whether management inventoried the critical assets and infrastructure upon which business functions depend, including the identification of single points of failure. Critical assets and infrastructure may include the following: (App A Objective 4:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluation of the inventory of current IT assets and the purpose of those assets. (App A Objective 12:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determining each asset's status (e.g., active or inactive). (App A Objective 4:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifying the type and version of open source software in use, where it is used within the entity, and its purpose. (App A Objective 13:6g Bullet 2 Sub-Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)