One of the things I find surprising is not that the considerable majority of organisations are not managing their IT hardware asset inventory; it’s that people think it is not necessary for good cybersecurity. Common practice from both internal IT people and external providers is to rely on RMM (remote monitoring & management) agents to meet IT operational security service levels such as patch & anti-malware management.
However, I find that few organisations have a process for authorising devices to connect to the business network, nor a capability to prevent, detect or alert on unauthorised devices being connected. Yet the key mantra across any management domain is: you can’t manage what you can’t see. Similarly: if you can’t see it, you can’t secure it or manage your cyber-risk.
I regularly cite anti-malware software as an unfortunately common example (the same applies equally to patch management). IT Operations need to identify all the systems connected to the environment that require anti-malware installed, not just the number of systems with anti-malware installed. If these two numbers can’t be reconciled daily, that simply means there are systems you don’t know about, potentially without anti-malware controls. This is certain to increase the risk of compromise through any attack vector that delivers malware.
SANS Critical Security Controls lists “Inventory and Control of Hardware Assets” as its #1 basic control. The NIST Cybersecurity Framework lists “Asset Management” as its #1 Identify control. CERT NZ uses phrases such as “all systems”, whilst the Australian Signals Directorate says “identify systems that require protection”.
So what are the primary requirements, from a cyber-governance perspective, to establish the business risk objectives for asset management to mitigate this particular risk?
Firstly, organisations need an Asset Management Policy that incorporates hardware, software, and digital asset management. The policy needs to state that hardware asset management is fundamental to managing cyber-risk within the business. It needs to be socialised with anyone bringing devices into the organisation, and should be reflected for end users in the Acceptable Use Policy, as well as made crystal clear to IT Operations staff and suppliers.
Getting commitment and buy-in from IT Operations and external Managed Service Providers is essential. The responsibility for Asset Management largely rests on their shoulders, and they are likely to require additional resources to support the effort to develop a full inventory of hardware assets.
Lastly, an assurance process and reporting to the board is required. This should demonstrate the reconciliation of hardware assets with security controls such as anti-malware and patching, by identifying gaps and the resulting changes in risk.
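As an added illustration of the daily reconciliation described above (example code, not from the original post): the script takes the devices actually seen on the network as the denominator and reports devices missing from the asset register and from each control's console. All inputs are constructed sample data standing in for real exports such as DHCP leases, the asset register and an RMM or anti-malware console.

```python
"""Reconcile devices seen on the network against the asset register and the
coverage reported by the anti-malware and patch-management consoles.
All inputs are constructed sample data, not real exports."""
from dataclasses import dataclass, field

# Constructed sample: MAC -> hostname observed on the network today (DHCP/ARP).
SEEN_ON_NETWORK = {
    "aa:bb:cc:00:00:01": "fin-laptop-01",
    "aa:bb:cc:00:00:02": "fin-laptop-02",
    "aa:bb:cc:00:00:03": "eng-wks-07",
    "aa:bb:cc:00:00:09": "unknown-device",  # never authorised or registered
}
# Constructed sample: the authorised hardware asset register.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
    "aa:bb:cc:00:00:04",  # registered but not seen today (stale or offline)
}
# Constructed sample: MACs reporting in to each security control's console.
ANTI_MALWARE = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"}
PATCHING = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}


@dataclass
class Reconciliation:
    unauthorised: set                              # on network, not in register
    not_seen: set                                  # in register, not on network
    missing: dict = field(default_factory=dict)    # control -> MACs lacking it
    coverage: dict = field(default_factory=dict)   # control -> % of seen devices


def reconcile(seen, register, controls):
    """Denominator is every device seen on the network, not the set each
    console already knows about; that is what exposes the unknown systems."""
    seen_macs = set(seen)
    total = len(seen_macs)
    missing = {name: seen_macs - covered for name, covered in controls.items()}
    coverage = {name: (round(100 * (total - len(gap)) / total, 1) if total else 0.0)
                for name, gap in missing.items()}
    return Reconciliation(unauthorised=seen_macs - set(register),
                          not_seen=set(register) - seen_macs,
                          missing=missing, coverage=coverage)


if __name__ == "__main__":
    r = reconcile(SEEN_ON_NETWORK, ASSET_REGISTER,
                  {"anti-malware": ANTI_MALWARE, "patching": PATCHING})
    for mac in sorted(r.unauthorised):
        print(f"UNAUTHORISED {mac} ({SEEN_ON_NETWORK[mac]})")
    for ctl, gap in r.missing.items():
        print(f"{ctl}: {r.coverage[ctl]}% covered, gaps: {sorted(gap)}")
```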
Hardware asset inventory is a fundamental requirement to manage cyber-risk. Getting started with this conversation is essential for all organisations.