Record the owner for applicable assets in the asset inventory.


CONTROL ID: 06640
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an asset inventory. (CC ID: 06631)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Its owner (Critical components of information security 3) ¶ 2 Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Its designated custodian (Critical components of information security 3) ¶ 2 Bullet 7, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and… (Critical components of information security 28) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • the administrator responsible, (§ 8.1.4 ¶ 2 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • persons responsible for operation of the ICS systems. (§ 8.1.6 ¶ 5 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • persons responsible for operation of the devices. (§ 8.1.7 ¶ 5 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identifying the organisation's own assets and the persons responsible and ensuring an appropriate level of protection. (Section 5.4 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • All inventoried assets are assigned to a person responsible on the part of the cloud provider. The persons responsible of the cloud provider are responsible over the entire life cycle of the assets to ensure that they are inventoried completely and classified correctly. (Section 5.4 AM-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • A person responsible for these information assets is assigned. (1.3.1 Requirements (must) Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • A person responsible for these supporting assets is assigned. (1.3.1 Requirements (must) Bullet 2 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • The organization must designate information asset owners. Each asset must have an owner who is a senior individual. (Mandatory Requirement 35.e, HMG Security Policy Framework, Version 6.0 May 2011)
  • Before an organization can assess its risks, it should understand its business processes, assets, threats, and vulnerabilities. - Context Establishment – The risk assessment team needs to understand the internal and external parameters when defining the scope of the risk assessment and/or have acc… (§ 4.2.1 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Ownership of critical and sensitive information, business applications, Information Systems, and networks should be assigned to individuals (e.g., business managers), and the responsibilities of owners documented. Responsibilities for protecting critical and sensitive information, business applicati… (CF.02.05.01, The Standard of Good Practice for Information Security)
  • Office equipment shall be assigned an owner (e.g., a facilities department or equivalent) who is responsible for maintaining and protecting information stored on or processed by them. (CF.12.03.02a, The Standard of Good Practice for Information Security)
  • Ownership of critical and sensitive information, business applications, Information Systems, and networks should be assigned to individuals (e.g., business managers), and the responsibilities of owners documented. Responsibilities for protecting critical and sensitive information, business applicati… (CF.02.05.01, The Standard of Good Practice for Information Security, 2013)
  • Office equipment shall be assigned an owner (e.g., a facilities department or equivalent) who is responsible for maintaining and protecting information stored on or processed by them. (CF.12.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should … (Control 1.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. (Control 15.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The individual and department that is responsible for each information asset should be identified, recorded, and tracked. (Critical Control 1.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A complete inventory of critical assets shall be maintained with ownership defined and documented. (FS-08, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. (CIS Control 1: Sub-Control 1.5 Maintain Asset Inventory Information, CIS Controls, 7.1)
  • Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. (CIS Control 1: Sub-Control 1.5 Maintain Asset Inventory Information, CIS Controls, V7)
  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network… (CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory, CIS Controls, V8)
  • Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. (CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts, CIS Controls, V8)
  • Assets maintained in the inventory shall be owned. (A.8.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Ownership and responsibility for all IT assets shall be documented information. (Section 7.6.2 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Assets maintained in the inventory should be owned. (§ 8.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • An inventory of information and other associated assets, including owners, should be developed and maintained. (§ 5.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity identifies, documents, and maintains records of physical location and custody of information assets, particularly for those stored outside the physical security control of the entity (for example, software and data stored on vendor devices or employee mobile phones under a bring-your-own-… (CC2.1 ¶ 4 Bullet 5 Manages the Location of Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. (CM-8(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is ownership assigned for information assets? (§ D.1.3, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. (§ 164.310(d)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The organization includes in the information system component inventory information, a means for identifying by [FedRAMP Selection : position and role], individuals responsible/accountable for administering those components. (CM-8(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Include in the system component inventory information, a means for identifying by [FedRAMP Assignment: position and role], individuals responsible and accountable for administering those components. (CM-8(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. (CM-8(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. (CM-8(4) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. (CM-8(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determine organizations and/or echelons with collection authority over all accessible collection assets. (T0649, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should develop, document, and maintain a system component inventory that identifies who is responsible for this inventory. (SG.CM-8 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should include a way to identify by name, position, and/or role the individuals who are responsible for administering components in the accountability information. (App F § CM-8(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Determine organizations and/or echelons with collection authority over all accessible collection assets. (T0649, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization includes in the information system component inventory information, a means for identifying by {name}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by {position}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by {role}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by {name}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by {position}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by {role}, individuals responsible/accountable for administering those components. (CM-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. (CM-8(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. (CM-8(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. (CM-8(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. (CM-8(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. (CM-8(4) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • owner; (§ 500.13 Asset Management and Data Retention Requirement (a)(1)(i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)