Asset Management for Enterprise Security
In efforts to improve the security posture of an organization, it is often important to gain greater control and efficiency when managing assets: technology systems, software, documentation, and employees. One of the problems we continually find with some of our customers' cardholder data environments (CDEs) is their ability to keep an accurate inventory of the various components involved. Maintaining an up-to-date CDE and keeping track of all of its systems can become more challenging than initially thought.
In today's business world, organizations find themselves juggling an ever-increasing number of hardware and software products, and keeping a proper system component inventory can seem like more trouble than it's worth. However, it plays a significant role in establishing and controlling an information systems security plan. It is also required by the PCI Data Security Standard (PCI DSS) under Requirement 2.4.
Asset Management Benefits Compliance
PCI DSS requires PCI-compliant businesses to “maintain an inventory of system components that are in scope for PCI DSS.” Below are some general recommendations that should prove effective at maintaining an accurate inventory and compliance with PCI DSS.
- Discovery Scanning – Performing periodic asset discovery and inventory scanning allows your organization to enumerate all of your in-scope PCI systems and to reconcile what is actually live on the network against what the inventory says should be there.
- Personnel Interview(s) – Polling and interviewing relevant personnel can help to ensure the software and hardware inventory is being tracked efficiently and updated appropriately.
- Standard of Service – Define how each asset is expected to perform and in what condition it must be kept. This should cover the various parts of the asset system or group (a simple performance specification).
- Proof of Concept – Many organizations struggle with simply starting an inventory management program. For this reason, most companies could benefit greatly from performing a walkthrough or proof of concept. This will help to narrow your requirements and better understand the various components required for an effective asset management program.
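As an added illustration of the discovery-scanning recommendation above (example code, not from the original post), the script below reconciles a constructed discovery-scan result against a constructed CDE component inventory. It flags live hosts inside the CDE that nobody inventoried, in-scope components the scan no longer sees, inventory scope flags that disagree with where the host actually sits, and hostname drift; the addresses, hostnames and network segment are all constructed.

```python
import ipaddress
# Constructed CDE segments: any live host here must appear in the inventory.
CDE_SEGMENTS = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed inventory of system components (ip -> attributes).
INVENTORY = {
    "10.10.1.10": {"hostname": "pos-db-01", "in_scope": True},
    "10.10.1.11": {"hostname": "pos-app-01", "in_scope": True},
    "10.10.1.20": {"hostname": "jump-01", "in_scope": True},        # not seen in scan
    "10.10.1.30": {"hostname": "legacy-print", "in_scope": False},  # sits inside the CDE
    "10.10.2.5": {"hostname": "hr-wiki", "in_scope": False},
}

# Constructed discovery-scan output (ip -> hostname reported by the scanner).
SCAN_RESULT = {
    "10.10.1.10": "pos-db-01",
    "10.10.1.11": "pos-app-02",    # hostname differs from the inventory record
    "10.10.1.30": "legacy-print",
    "10.10.1.42": "",              # live in the CDE but never inventoried
    "10.10.2.5": "hr-wiki",
    "10.10.2.77": "guest-laptop",  # unknown, but outside the CDE: not a scope finding
}

def in_cde(ip: str) -> bool:
    """True if the address falls inside a defined CDE segment."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_SEGMENTS)

def reconcile(inventory: dict, scan: dict) -> dict:
    """Compare a discovery scan with the inventory and return sorted findings per category."""
    findings = {"unknown_in_cde": [], "missing": [], "scope_mismatch": [], "hostname_drift": []}
    for ip, seen_name in scan.items():
        record = inventory.get(ip)
        if record is None:
            if in_cde(ip):                        # live CDE host that nobody tracks
                findings["unknown_in_cde"].append(ip)
            continue
        if record["in_scope"] != in_cde(ip):      # scope flag disagrees with placement
            findings["scope_mismatch"].append(ip)
        if seen_name and seen_name != record["hostname"]:
            findings["hostname_drift"].append(ip)
    for ip, record in inventory.items():
        if record["in_scope"] and ip not in scan:  # inventoried in-scope host not observed
            findings["missing"].append(ip)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, ips in reconcile(INVENTORY, SCAN_RESULT).items():
        print(f"{category}: {', '.join(ips) or 'none'}")
```

Each non-empty category is a candidate inventory update or scoping decision to review before the next assessment.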
With a wide variety of tools and management systems available to assist with this process, it is often beneficial to contract a third party to perform an analysis of the environment and discovery scanning. This is even more crucial for organizations attempting to meet or maintain compliance regulations such as PCI DSS, HIPAA, DIACAP/NIST and Sarbanes-Oxley, as it will confirm which in-scope assets are to be regulated.
When contracting a third party to support your team with asset management and compliance scoping, it is important that you factor in the following:
- Proper Budgeting – Establish a budget that accounts for your organizational goals and compliance requirements.
- Develop a Plan – Ensure the organization performing the assessment is aware of the organizational objectives you wish to accomplish with the tracking of assets (e.g., regulatory compliance, security improvements, etc.). This will help establish what needs to be tracked, how systems should be managed, and which key personnel are involved with these systems.
- Policy – Reputable organizations should have not only the experience required to assist with asset management, but most should also have examples of policies or best business practices that can be modified and/or adopted by your organization.
With an accurate inventory management program, organizations will be better prepared for deploying security techniques and technologies, implementing compliance requirements, and tracking systems through their entire life cycle. In addition, having effective control over the system inventory will inevitably save organizational resources and reduce the financial burden experienced due to improper scoping.