ID.AM-1 

Identify > Asset Management > ID.AM-1 Physical Devices and Systems Within the Organization Are Inventoried 

There’s a battle going on between the growth of your environment and your ability to understand it. This battle is part of the larger war in the protection of digital assets. Cybersecurity programs are built to protect digital assets. The conundrum lies in the reality that asset management is a key dependency for cybersecurity operations. Building cybersecurity programs without asset management is like building on sand. 

Physical devices and systems within the organization are inventoried: defined 

You have to know something exists before you can secure it, which is a pretty elementary observation, but deceptively difficult to manage. It seems like nobody is getting this right.  

Even parsing the name is a little dodgy: 

  • “Physical” devices are called out separately from “systems.” Does the standard imply that “systems” are non-physical, i.e., software? What about hardware that is emulated in software, like vRouters or VMs? 

  • When a lot of our estate lives on somebody else’s system (Microsoft, Amazon, etc.), what is actually “within the organization”? 

  • Finally (and most frustratingly!), what does it mean for something to “be” inventoried? We’ve all “been” showered at one time or another, but we still have to do it periodically. So, how do we do it? And how often is enough? 

These three ideas can be condensed into two questions that you’ll need to address with your team. First, “What’s in scope?” Second, “How do we do this?” Everybody must make their own decisions, but let us offer you some advice. IT professionals tend to constrain the scope while InfoSec types want to expand it. Neither approach is defensible in the absence of context.  

So be smart about what is and isn’t done here. Tie back your conclusions to some rationale and document them. We recommend you err on the side of coverage for this one because it is a foundational control, and therefore one that other controls rely on. 

ID.AM-1: in the news 

Everything is digital now, so ID.AM-1 is basically everywhere, and so are ID.AM-1 war stories. Here are three examples, one each from enterprise, the IoT (Internet of Things), and the tabloids! 

Enterprise: If you were breathing in 2020, you learned about (and might’ve already forgotten) the SolarWinds hack. The story in fine detail is fascinating, but for our purposes, know that the SolarWinds client is the most popular asset management software on the market. If you’re starting up an ID.AM-1 implementation effort and want to use SolarWinds as a vendor, you’re going to get some friction—some of it justified. When you’re advocating for a tool and meet resistance, the best way to beat it is to become the expert. “How do we do this?” will always be a critical question. 

IoT: There’s a significant gulf between information technology (IT) and operation technology (OT). The first refers to your typical corporate IT environment and the second to the tech that makes it out to the shop floor, like gas valves or assembly line servos. Often IT is easier to oversee and OT is left outside of the inventory loop, as probably happened when hackers claimed that they didn’t merely pwn a local government water authority’s corporate network, but that they were ready to mess with the water supply too. So, “What’s in scope?” shows up here. 

Tabloids: Accurate and current asset inventories are the best way to make sure that you know when a laptop is dropped off at a repair service and then forgotten about. And this is purely hypothetical, but they can be especially helpful if the laptop contains evidence of crime, classified info, or just family pictures. Not that anybody is referring to anything specific. 

My physical asset inventories failed: What am I going to see?  

If you aren’t asking this question after reading about it in the Washington Post, congratulations, you haven’t experienced the worst-case scenario (yet). If you’re diligent enough to confront these risks every day when they’re small, every tomorrow will be a little brighter. 

My physical asset inventories are incomplete. 


Policies are for little people. 

All requirements should start in a policy, so scan your IT/InfoSec policy on asset inventory. If you can trace from a policy to a standard and then to a procedure, that’s a great exercise. In general, the more specificity that has been documented, the more comfort you can derive from the exercise. Once you understand it, assess the policy for completeness; if it doesn’t provide for inventory of VMs, for example, you have a completeness problem. 

You had me at “tracing.” 

The canonical procedure to ensure that a population (inventory) is complete is to get an item and trace it back to the record. Widespread incompleteness is usually pretty easy to detect with a small sample. In this instance, you grab three laptops and a switch, select three VMs from a host machine, and check to see if they’re in the inventory. Don’t congratulate yourself if they are all there, but that’s a pretty good start. If there is one missing, then you have a lead to follow, so go get ‘em, gumshoe. 

Get SaaSsy. 

SaaS (software as a service) is a gray area. On the one hand, if they weren’t being used in the business, then the business wouldn’t be paying for them. On the other hand, they aren’t being managed or hosted by your organization, so it is defensible to exclude them from the inventory (though not preferred). Make a judgement as to what the actual requirement is and see if you comply. It might not make sense to include SaaS systems used only incidentally (maybe Marketing uses Canva four times a year) but it does make sense to include your SAP instance in the inventory. 

My physical asset inventories are inaccurate. 


Incompleteness and inaccuracy go hand in hand and can even blend together. For example, you might have a policy and a practice of booking all your monitors into inventory, and 98% of them are there, but 2% fell out. You need to pause for a bit in order to categorize that kind of problem, but the problem itself is still clear. 

It might go without saying, but you should expect an inventory record to be reasonably correct. Some types of inaccuracies are obvious. If you’re holding a laptop with a barcode ending in “246” but is listed in the asset inventory as “249,” that’s an obvious accuracy error. This isn’t the only kind of inaccuracy though. 

Another kind of inaccuracy relates to something that we haven’t talked about yet: What constitutes an inventory record? It certainly includes attributes like item ID and asset type, but it could also include location or cost. Specialty attributes will be needed for certain assets but not others. MAC address might be required for network-aware hardware but not for input peripherals. Don’t forget that for a record to be a record, it must be defined, so check that the inventory data is reasonable with respect to what is being recorded. 

Finally, be careful about fields without data. They create ambiguity about the record. An empty field might mean “no data.” Or it could mean “not applicable.” It might even mean “Help, my asset inventory failed,” and we’re not going to lie to you: That’s an issue. 

Top Ten Warning Signs of a Failed Physical Asset Inventory. 

Just about all successful paths in InfoSec controls will lead back to a robust asset inventory. So it doesn’t take much to decide if there is a problem. The threshold for an exception is low. 

1. Network logs show activity from unknown machines, and colleagues say that’s just how IP addresses work. 

2. There are charges for VMs that you aren’t aware of, and you’re the only one that wonders about that. 

3. You just heard that the CIO told a newly established team in Ukraine to “just go buy some MacBooks,” and you only found out about it yesterday. True story. 

4. You don’t have an automated solution, despite living in the 21st century. 

5. When an auditor asks, “How do I prove this inventory is complete?” middle managers tell childhood anecdotes that seem to be designed to endear them to the auditor. 

6. Swaths of the estate, e.g., routers, aren’t in the inventory—intentionally. 

7. When you ask, “Who owns asset management?” you can’t get a clear answer. 

8. You’ve recently gone through an acquisition and can’t see the other organization’s assets. 

9. Asset inventory says that you have ten machines in the Philippines, but your company doesn’t do business there. True story. 

10. You can’t find your own assigned laptop in the asset inventory. 

My physical asset inventory is stellar: What does it look like? 

The secret to identifying a stellar asset inventory is understanding whether it is used. All controls have a dual nature. A control can be used to prove something to auditors or compliance professionals, but that certainly isn’t ideal. Nobody likes auditors and nobody cares about compliance. When a control is embedded in the business process, you can use it to get some business value; so make that the goal. You can’t expect people to use it unless it is authorized by management, and is also complete and accurate. 

It will be authoritative. 

In most organizations, policy is the most powerful source of authority. Your InfoSec policy has to outline the high-level requirements of your asset inventory. Among them: (1) defining the IT assets that are in scope; (2) how current the Asset Inventory data must be; and (3) references to pertinent practices and standards that should also exist to articulate the finer details of your asset inventory. 

It will be complete. 

Everything that ought to be in the asset inventory needs to be in the asset inventory. As new machines are commissioned, there is a step in the process to make sure that they’re booked. As old machines are taken out of service, they are removed from the inventory. Standard builds include an inventory agent (or other mechanism) that ensures that a machine checks in with the inventory periodically. Periodic reconciliations are performed between the asset inventory and other sources of data, e.g., purchases, decommission logs, and network scans. Identify and support complementary controls like MAC filtering. 
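The two checks described above, reconciling the inventory against a network scan (completeness) and validating each record against a per-asset-type definition (accuracy, including the empty-field ambiguity from the inaccuracy section), as an added example that is not part of the original article. The CSV, the scan lines, and the REQUIRED schema are all constructed for illustration.

```python
# Added example, not from the original article: reconcile a constructed asset
# inventory against a constructed ARP-style scan and check record attributes.
import csv
import io

INVENTORY_CSV = """asset_id,asset_type,mac,hostname,status
A-1001,laptop,aa:bb:cc:00:00:01,lt-alice,active
A-1002,laptop,,lt-bob,active
A-1003,switch,aa:bb:cc:00:00:03,sw-core-1,active
A-1004,server,aa:bb:cc:00:00:04,srv-db-1,decommissioned
A-1005,keyboard,,,active
"""
SCAN_LINES = [  # constructed scan output, one "<ip> <mac>" pair per line
    "10.0.0.11 aa:bb:cc:00:00:01",
    "10.0.0.13 aa:bb:cc:00:00:03",
    "10.0.0.14 aa:bb:cc:00:00:04",
    "10.0.0.99 aa:bb:cc:00:00:99",
]
# Required attributes depend on asset type: a MAC for network-aware hardware,
# nothing extra for an input peripheral. An empty required field is a defect.
REQUIRED = {"laptop": {"mac", "hostname"}, "server": {"mac", "hostname"},
            "switch": {"mac", "hostname"}, "keyboard": set()}

def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def record_defects(inv):
    """Accuracy check: list (asset_id, problem) for each badly formed record."""
    out = []
    for r in inv:
        required = REQUIRED.get(r["asset_type"])
        if required is None:
            out.append((r["asset_id"], "unknown asset_type"))
            continue
        out += [(r["asset_id"], f"missing {f}") for f in sorted(required) if not r[f].strip()]
    return out

def reconcile(inv, scan_lines):
    """Completeness check: trace every MAC seen on the wire back to an active record.
    Returns (unknown devices, decommissioned devices that are still live)."""
    active = {r["mac"].lower() for r in inv if r["mac"] and r["status"] == "active"}
    retired = {r["mac"].lower() for r in inv if r["mac"] and r["status"] != "active"}
    unknown, zombies = [], []
    for line in scan_lines:
        ip, mac = line.split()
        if mac.lower() in retired:
            zombies.append((ip, mac))
        elif mac.lower() not in active:
            unknown.append((ip, mac))
    return unknown, zombies
```

Each finding is a lead to follow: an unknown MAC is a device nobody booked, a live decommissioned MAC is a record nobody closed, and a missing required attribute is a record that does not meet its own definition.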

It will be accurate. 

A well-executed asset inventory will include asset data like current IP address, current OS, etc. Realistically, you have to use an automated solution to have any hope of maintaining an accurate asset inventory. But it can become quite a benefit because you’ll be able to use it for so many other things, for example software updates, license audits, etc. 

Remediating or implementing an IT asset inventory process. 

One saving grace of an IT asset inventory is its simplicity: It either exists and is accurate—or it doesn’t. But don’t let its simplicity deceive you. You’ll need a plan, some help, and you’ll need to be clever. 

Design it before you build it. 

Making a list of every single IT asset is quite an undertaking. Make sure that you have a workable design before you actually start working on it. Without a good plan, you’ll probably fall into a few rabbit holes. 

The key considerations for a plan will be the types of IT assets that will be included in the inventory, the type of information that will be in each inventory record, and the method used when the inventory is updated. You should also have a sense of the amount of progress you’ll make in forming up the inventory on a quarterly basis. 

Befriend your local consultant. 

Implementing an asset inventory is usually a once-or-twice-a-career event. So even if you have become expert in the area, convinced enough middle management types of its importance, and booked enough time, you’re likely to fall into some traps. Needing something to go well, but not having enough experience, implicates Horstman’s Christmas Rule. So find help. 

Notice that we said “befriend” not “hire.” If you’re so inclined, go ahead and hire them. But your local consultant will be more than happy to share war stories over a beer. And an hour debriefing an experienced hand is worth the time invested. 

Leverage Father Time. 

Rapid change can be difficult, but you can also leverage it. It might not make sense to start an asset inventory project with already deployed items because we’re always upgrading our systems. The typical corporate laptop is flipped every two years. Servers (especially virtual ones) can be swapped even faster. Software tooling is about the same.  

Depending on the amount of labor and bandwidth you have available, maybe you just start at the first steps of the provisioning and de-provisioning processes. That way, every time that a machine or software is put into or taken out of production, it is automatically put into inventory. It’s relatively painless, and after a couple of years you’ll have a much smaller footprint to remediate. 

IT physical asset inventory: Other sources of authority. 

CIS CSC 1 

COBIT5 BAI09.01 and BAI09.02 

ISO 27001:2013 A.8.1.1 and A.8.1.2 

NIST 800-53 Rev 4: CM-8 and PM-5 


Resources for the journey—because you don’t have to take our word for it.