The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 72

Inventory Tool/System of Record


Because of the size, complexity, and frequency of the task, an organization should use automated tools to assist in creating and maintaining the asset inventory. The tools should have awareness of all assets in the organization's enterprise and the ability to discover new assets introduced to the environment that have not been properly documented in the inventory. This data comes from either an asset management agent or a client installed on each asset or "baked in" to each system image. It can also be generated with various scanner and sensor tools or, in the case of hosted or cloud assets, from a data feed or recurring report from the vendor (which the vendor may or may not share, depending on the terms of its service-level agreements [SLAs] or terms of reference [TORs] with its clients).

An asset inventory tool should have a way to distinguish authorized devices and applications from unauthorized ones and an ability to send alerts when the latter are discovered. The tool should also collect and track the individual asset details necessary for reporting, audits, risk management, and incident management. These details need to cover technical specifications, such as the following:

 Hardware
  Manufacturer
  Model number
  Serial number
  Physical location
  Number and type of processors
  Memory size
  Network interfaces and their MACs and IPs
  Hostname
  Hypervisor, operating systems, containers, virtual images running on this device
  Purchase date, warranty information
  Last update dates (firmware, hypervisor, etc.)
  Asset usage metrics

 Software
  Publisher
  Version number, service pack/hotfix number, and date of last update
  Digital signatures on installation packages
  License information
  Purchase date
  Install date

In addition, operational security details should be collected, such as the type of data stored and processed on the asset, the asset classification and special handling requirements, the business processes or missions it supports, and the owner, administrators, end users, or user groups nominally authorized to use it, and their contact information.

There are of course many tools available that do these tasks or portions of these tasks. Most organizations already own many such tools. Consider the following:

 An Active Directory or Lightweight Directory Access Protocol (LDAP) server can provide a large portion of this information.

 Other integrated identity management and access control systems can provide some of this information and can be especially useful in identifying assets that aren't under management but are attached (or attempting to attach themselves) to your systems.

 Vulnerability scanners, configuration scanners, and network mapping tools can find and provide basic information about all the hosts in the organization's IP ranges.

 Tools that manage/track software licenses can perform a large portion of this task.

 Data loss prevention (DLP) solutions typically have a discovery capability that can serve this purpose.

For gaps in their available tools, organizations can and do compensate with manual efforts, spreadsheets, and scripting to pull and tabulate asset data. Dedicated asset inventory tools usually provide this functionality and preclude the need for manual data pulls and tool integration.

Regardless of the tool or combination of tools used, there should be one the organization deems authoritative and final so that it can be referenced throughout the organization. The information in this tool needs to be definitive. This is the data source to trust if there is conflict between what other tools are reporting. This should also be the source used for official reports and other data requests, such as part of an audit.
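The reconciliation this section describes, as an added example that is not from the book: a script that merges two constructed feeds (a network scan and a directory export) against a constructed system-of-record inventory keyed by MAC address, reports discovered-but-unrecorded devices for alerting, lists recorded devices that no feed has seen, and resolves attribute disagreements in favor of the system of record. All device names, addresses, and feed formats are assumptions for illustration.

```python
# Constructed system of record (added example, not from the book), keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "db01", "ip": "10.0.1.10", "os": "RHEL 9", "owner": "dba-team"},
    "00:11:22:33:44:02": {"hostname": "web01", "ip": "10.0.1.20", "os": "Ubuntu 22.04", "owner": "web-team"},
    "00:11:22:33:44:03": {"hostname": "hr-laptop-7", "ip": "10.0.2.15", "os": "Windows 11", "owner": "hr"},
    "00:11:22:33:44:04": {"hostname": "printer-2f", "ip": "10.0.2.50", "os": "embedded", "owner": "facilities"},
}

# Constructed feeds: a network scan and a directory (LDAP-style) export, both hypothetical.
FEEDS = {
    "scan": [
        {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "os": "RHEL 9"},
        {"mac": "00:11:22:33:44:02", "ip": "10.0.1.21", "os": "Ubuntu 22.04"},  # IP differs from the record
        {"mac": "DE:AD:BE:EF:00:01", "ip": "10.0.2.99", "os": "unknown"},       # not in the inventory
    ],
    "directory": [
        {"mac": "00:11:22:33:44:01", "hostname": "db01"},
        {"mac": "00:11:22:33:44:03", "hostname": "hr-laptop-7"},
    ],
}

def reconcile(inventory, feeds):
    """Return (unauthorized, not_seen, conflicts); the inventory is treated as definitive."""
    seen, unauthorized, conflicts = set(), {}, []
    for feed_name, records in feeds.items():
        for rec in records:
            mac = rec["mac"].lower()  # normalize case so feeds compare equal to the record
            if mac not in inventory:  # discovered but never documented: candidate for an alert
                unauthorized.setdefault(mac, {})[feed_name] = rec
                continue
            seen.add(mac)
            for attr, value in rec.items():  # feed disagrees with the record: record wins
                if attr != "mac" and attr in inventory[mac] and inventory[mac][attr] != value:
                    conflicts.append({"mac": mac, "attr": attr, "feed": feed_name,
                                      "reported": value, "authoritative": inventory[mac][attr]})
    return unauthorized, sorted(set(inventory) - seen), conflicts

def alerts(inventory, feeds):
    """Render reconciliation results as alert lines suitable for a ticket queue or SIEM."""
    unauthorized, not_seen, conflicts = reconcile(inventory, feeds)
    lines = [f"UNAUTHORIZED {mac} seen by {', '.join(src)}" for mac, src in sorted(unauthorized.items())]
    lines += [f"NOT_SEEN {mac} ({inventory[mac]['hostname']}) absent from all feeds" for mac in not_seen]
    lines += [f"CONFLICT {c['mac']} {c['attr']}: {c['feed']} reports {c['reported']!r}, "
              f"record says {c['authoritative']!r} (record wins)" for c in conflicts]
    return lines

if __name__ == "__main__":
    print("\n".join(alerts(INVENTORY, FEEDS)))
```

Feeding the NOT_SEEN lines back to asset owners is how the system of record is kept definitive: a recorded device that nothing observes is either retired, misrecorded, or a gap in discovery coverage.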
