One of the most important aspects of establishing good cybersecurity hygiene practices for any individual or organization is keeping an accurate account of all owned assets and inventory. The Center for Internet Security (CIS) ranks Inventory and Control of Hardware Assets as the first of its 6 Basic CIS Controls. This is especially critical when attempting to elevate your cybersecurity posture to meet specific requirements such as the Cybersecurity Maturity Model Certification (CMMC), NIST 800-53, or NIST 800-171. Having an accurate inventory in place that accounts for the location, ownership, purpose, and tracking information of each asset is crucial to understanding your organization’s digital ecosystem. To make smart and cost-effective decisions when pursuing a higher level of cybersecurity hygiene, a thorough understanding of what you have in the field is one of the first and most important steps you can take.
How you go about tracking your assets depends entirely on the size of your organization, the nature of your assets, and the level of effort it would take to keep the tracking system up to date. For small to medium-sized businesses, something as simple as a dedicated spreadsheet located in a shared space may be sufficient, as long as there is an individual or team who owns the responsibility of maintaining and auditing the document. For larger businesses, and especially those that have workloads in the cloud, there are a number of commercial products and services that can support that goal. Either way, a Configuration Management Database (CMDB) should ideally track important identifying information about each asset, such as the type of asset (e.g. laptop, server, switch), the manufacturer, the model number, the device serial number, purchase date, device specifications, chain of custody, and device name, and, most importantly, that IT asset’s role within the business and architecture.
Having control of all company assets is the first, and arguably one of the most critical, in a long series of steps in the pursuit of better cybersecurity practices. Visibility into your organizational footprint is essential to a comprehensive understanding of your business’s needs, its cybersecurity goals, and how best to achieve those goals.