Security Control 1 - Hardware Inventory

The first security control is "Inventory and Control of Hardware Assets open source". This inventory control focuses on managing all hardware devices on your network. Only allow authorized devices to connect and communicate on the network. Prevent unauthorized and/or unmanaged devices access to your network.

In this series of posts, I am walking through each of the CIS Information Assurance - 20 Security controls.

Google For You (GFY) - "Inventory and Control of Hardware Assets open source"

Inventory and Control of Hardware Assets

Goals of Hardware Inventory Asset management:

• Establish and maintain an Information Technology (IT) inventory with asset discovery audit trails
• Include servers equipment in the IT inventory
• Include network equipment in the IT inventory
• Include end-user equipment (desktop/laptop) in the IT inventory
• Include mobile devices in the IT inventory

A tool should provide the following functionality:

• Automatically discover and store IT asset data
• Track assets throughout their lifecycle
• Alert/Report on IT assets

Tool Features

Each asset inventory should have several required data items. A technical owner and/or user. The hardware properties such a type of device, interfaces, operating system, CPU, etc.

Automatically discover and store IT asset data

Automating detection of hardware assets is essential. Fixed devices don't move. But mobile devices can connect anywhere in the network and at different times of the day. Tracking the physical location as well day and time the devices connect. This helps to establish a baseline for each device and how it operates. But this functionality might happen outside the ITAM solution.

Track assets throughout their lifecycle

Every device in the network has a lifecycle. In the simplest form, your organization acquires a device. Implements that device in the network. At some later date, you will deactivate the device. And finally, you sell or thrown away the device. Keeping track of the status of each device is important.

For example, would you want a device that has been de-activated and ready for sale on the network? Should that raise an alert? Worse what do you do if a sold device shows up on the network?

Alert/Report on IT assets

One important benefit of asset tracking is vulnerability assessment. Alerts or searches based on current hardware devices can determine compliance status. With that information, you have a clear scope of what and how many devices need remediation.

Open Source Tools

• Snipe-IT
• LANsweeper

Commerical Alternatives

• CA IT Asset Manager
• Asset Explorer by Manage Engine
• Oracle Maintenance Management
• Enterprise Asset Management by IBM
• Remedy by BMC

Wrapping Up

The open source tools above provide basic IT asset management (ITAM). They may lack additional features such as IP Address Management (IPAM), Configuration management database (CMDB), or software inventory found in commercial products. For more robust feature sets consider the commercial tools.