CIS Controls v8 Overview - Control 01

James Temples
2 min read · Nov 23, 2021

Stepping forward from our introduction to CIS Controls Version 8, we will look closer at each of the Controls.

Control 01: Inventory and Control of Enterprise Assets — Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

What are Enterprise Assets?

Enterprise Assets are assets within an organization that can store or process data. This includes servers, workstations, mobile devices, network devices, Internet of Things (IoT) devices, and even printers. These assets can be physical, virtual, or in the cloud.

Why is this Control important?

One quickly finds that the CIS Controls follow Peter Drucker’s quote: “if you can’t measure it, you can’t improve it”. Organizations simply cannot defend what they do not know they have, so knowledge of all enterprise assets is critical to security monitoring, incident response, system backup, and recovery.

And its Safeguards?

The control has five (5) Safeguards that cover Asset Inventory, Unauthorized Assets, Active and Passive Discovery Tools, and DHCP. Successful implementation requires both technical and procedural actions to manage the enterprise assets and associated data throughout their life cycle. Asset and data owners are also identified, which is key information for Business Governance.

How is this Control implemented?

Steps to compile the inventory often depend on the complexity of the organization. Large organizations use specialized products to maintain asset inventories for both enterprise and software assets (covered in Control 02). Small to medium organizations leverage security tools that are already installed, such as a vulnerability scanner.
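One way to reconcile discovered devices against the asset inventory, added here as an example and not part of the original post: the Python below compares DHCP leases with a MAC-keyed inventory to flag unauthorized and stale assets. It assumes leases in ISC dhcpd's `dhcpd.leases` format; the inventory layout, the function names and all sample data are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): MAC -> (asset, owner)
INVENTORY = {
    "00:11:22:33:44:55": ("laptop-01", "j.doe"),
    "00:11:22:33:44:66": ("printer-2f", "facilities"),
    "00:11:22:33:44:77": ("srv-files", "it-ops"),
}

LEASES = '''
lease 10.0.0.15 {
  starts 2 2021/11/23 08:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-01";
}
lease 10.0.0.42 {
  starts 2 2021/11/23 09:30:00;
  hardware ethernet DE:AD:BE:EF:00:01;
}
lease 10.0.0.20 {
  starts 1 2021/10/04 07:00:00;
  hardware ethernet 00:11:22:33:44:66;
}
'''

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Return {mac: (ip, last_seen)} keeping the newest lease per MAC."""
    seen = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]{17});", body)
        start = re.search(r"starts\s+\d\s+([\d/]+ [\d:]+);", body)
        if not (mac and start):
            continue  # incomplete record, skip it
        when = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S")
        key = mac.group(1).lower()
        if key not in seen or when > seen[key][1]:
            seen[key] = (ip, when)
    return seen

def reconcile(inventory, leases, now, stale_after=timedelta(days=30)):
    """Split findings into unauthorized, stale and never-seen assets."""
    inv = {m.lower(): v for m, v in inventory.items()}
    unauthorized = sorted(m for m in leases if m not in inv)
    stale = sorted(m for m in inv if m in leases and now - leases[m][1] > stale_after)
    never_seen = sorted(m for m in inv if m not in leases)
    return unauthorized, stale, never_seen
```

Inventoried assets with static addresses (here `srv-files`) never appear in DHCP leases, so `never_seen` entries need to be confirmed with an active discovery tool rather than treated as missing.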

Key Reminder(s)

Organizations must remember that this inventory is NOT a one-time occurrence; it is an ONGOING process that is a key input to the other controls. It is important to identify changes in the enterprise asset inventory to ensure security measures are fully in place.

In the next post, we will look at Control 02: Inventory and Control of Software.

Contact Temples Consulting (a CIS SecureSuite Partner) to schedule a no-cost consultation for Network Monitoring and Defense strategies based on the latest CIS Benchmarks.


James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP