The importance of IT inventories
If we asked colleagues working in information security, they could surely point to several neglected areas in their own field that deserve more attention. If you asked me, I would name IT asset inventories, meaning IT asset, system and application inventories, which are typically lacking at the SME level even though I consider them to be of paramount importance from a security point of view.
In this article I would like to explain the importance of these inventories and approach them from several angles based on my previous project experience. If I had to sum up the importance of the subject in one sentence, I would say: what we do not know, we cannot protect. I believe the issue is worth exploring in more depth than that.
- IT asset/device inventory:
  - The IT asset inventory records the organisation's "tangible" IT assets, such as network devices, desktops, notebooks, mobile devices, servers, storage, storage media and more.
- IT application/system inventory:
  - The IT application/system inventory records the systems and their components (e.g. servers, databases) operated by the organisation, as well as applications operated by third parties but used by the organisation. Classic elements are e.g. ERP and CRM systems, e-mail (whether on-premise or a cloud platform), file servers, and the list goes on with the solutions used in our daily work.
  - I often find that even when an organisation has a usable application/system inventory, it does not include third-party applications (e.g. SaaS-based), which will not be found in one of the best starting points, the IP address register. These applications may nevertheless hold personal and customer data that needs to be protected, which is why I see this as a problem and a risk: there are tasks to be performed at the organisational level to manage them (e.g. managing organisational access), even if they are hosted by another party.
- Information asset inventory:
  - Compiling and updating an information asset inventory is necessary for information security risk analyses when an organisation chooses an asset-threat methodology. In the terminology of ISO 27005, an (information) asset can be anything that is of value to the organisation and therefore requires protection.
  - This category includes IT assets and IT systems/applications, but also business processes, digital and paper-based data, people, premises and services (including both internet service and power supply) that are necessary for the operation of an organisation. Information assets are generally classified by confidentiality, integrity and availability, from which their level of criticality is calculated.
  - From an IT service management point of view it is not identical to, but very close to, the ITIL configuration item (CI) concept: a component that needs to be managed in order to provide an IT service.
- Data inventory:
  - A data asset inventory is a systematic record of an organisation's data assets, i.e. the paper-based and digital data used in business processes. If properly compiled, it provides a complete picture of the organisation's data sources, including how data is collected, stored, accessed and used. The data asset inventory will typically include a classification of data by confidentiality, integrity and availability.
- +1: Tangible asset inventory:
  - Tangible assets are primarily an accounting category: assets that exist in a physical form and provide a lasting service to the organisation's activities. This is relevant because IT assets also fall into this category and are often recorded in parallel registers.
These inventories could be further broken down, but for the sake of simplicity I will not do so here. In this article, I will use the term inventory to refer to IT asset inventory and IT application/system inventory.
The importance of IT inventories - a holistic approach
In almost all my articles, I try to point out how counterproductive document-production-focused compliance tasks and "tick-box" surveys based on superficial yes/no answers are. This is not the only reason, but it is one of the reasons information security memes have emerged. Readers of this article on LinkedIn will have come across the following picture. I think it expresses the importance of inventories through the meme genre, and it can be examined from security, operational, compliance and project management perspectives alike.
In agreement with the meme, and referring back to the beginning of the article, I think that without a complete (covering the whole company), adequate (sufficiently detailed) and up-to-date (current) inventory we cannot properly secure and protect the smooth running of our business, because we cannot protect the assets and systems we do not know about. We do not know about them because they are not in the inventory in the first place, yet they exist and contribute to the functioning of the company. Items not included in the inventory create blind spots, which I illustrate below with some practical examples using technology controls from Annex A of ISO 27001:2022.
- Protection against malware (8.7):
  - There is almost no company that does not use a classic antivirus, and EPP and EDR solutions are also common. These are installed on endpoints and servers, and in a well-run company their coverage is checked against the inventory. If a device or system is not in the inventory, it may not be protected, and attacks against it will not be detected or prevented.
- Logging (8.15):
  - If a company uses a SIEM system to centrally collect and analyse logs, or deploys EDR agents on workstations to monitor endpoint activity, the rollout is based on a log source list derived from the inventories. If a device or system is not listed in the inventory, it will most likely not be connected to the SIEM and will not receive an EDR agent, which prevents a potential security incident from being detected. The same can happen if the logging requirements expected by the company are not configured on all devices and systems.
- Backup (8.13):
  - Given current ransomware attack trends, there is no need to argue the criticality of backups. The completeness of backups, i.e. whether all systems are backed up, can only be verified against the inventory. For systems IT does not know about, there is a high probability that the centrally managed backup processes are not running, and in the event of a successful ransomware attack or other catastrophic disruptive event the company could suffer data loss.
- Management of technical vulnerabilities (8.8):
  - If a company periodically performs vulnerability scanning on the systems it operates, it is rare but possible that the scope of the scan is defined not at the IP-range level but by individual IP addresses. In such cases the scope may be derived from the inventory, and an incomplete inventory may result in some systems being excluded from the scan. Consequently, vulnerabilities that could be exploited in attacks may go unidentified.
  - New vulnerabilities are identified not only through scans, but also from IT security news and vendor alerts. When monitoring these, it is recommended to assess the company's exposure (and patch if necessary) in the case of critical vulnerabilities. Based on the points above, it is possible to guess which inventory data could be used to assess the exposure.
  - Ultimately, the complete identification of end-of-life systems and devices that are no longer supported by the vendor is inconceivable without an inventory containing the appropriate data (e.g. operating system and version), and the use and presence of such systems and devices can also pose a high risk.
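The blind spots listed above can be made visible with a simple reconciliation: take the hostnames each control's own console reports (EDR agents, SIEM log sources, backup jobs) and diff them against the inventory in both directions, then flag inventory entries whose vendor support date has passed. The script below is an added example written for this article, not code from the author or any product; the inventory CSV, the coverage sets and the dates are constructed sample data.

```python
"""Reconcile an IT inventory against the coverage lists of security controls.

Added example, not taken from the article. All hostnames, IP addresses,
versions, dates and team names below are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed inventory extract holding the minimum fields the article asks for
# (name, IP, OS and version, vendor support end date, operator).
INVENTORY_CSV = """name,ip,os,os_version,support_end,operator
erp-app01,10.0.1.10,Windows Server,2016,2027-01-12,infra-team
erp-db01,10.0.1.11,Ubuntu,20.04,2025-05-31,dba-team
fs01,10.0.2.20,Windows Server,2012 R2,2023-10-10,infra-team
mail-gw,10.0.3.5,Ubuntu,22.04,2027-06-01,infra-team
"""

# Constructed exports from each control's own console: the hostnames the
# EDR platform, the SIEM and the backup server each know about.
CONTROL_COVERAGE = {
    "edr_agent": {"erp-app01", "erp-db01", "mail-gw", "dev-box07"},
    "siem_log_source": {"erp-app01", "fs01"},
    "backup_job": {"erp-app01", "erp-db01", "fs01"},
}


def load_inventory(text):
    """Parse the CSV extract into a dict keyed by hostname."""
    return {row["name"]: row for row in csv.DictReader(io.StringIO(text))}


def coverage_gaps(inventory, controls):
    """Compare the inventory with every control's coverage set.

    'unprotected'      = inventory hosts the control does not cover (blind spot)
    'not_in_inventory' = hosts the control covers that the inventory lacks,
                         i.e. assets that exist but were never recorded.
    """
    known = set(inventory)
    return {
        control: {
            "unprotected": sorted(known - covered),
            "not_in_inventory": sorted(covered - known),
        }
        for control, covered in controls.items()
    }


def end_of_life(inventory, today_iso):
    """Hosts whose vendor support ended before the given ISO date (8.8 concern)."""
    cutoff = date.fromisoformat(today_iso)
    return sorted(
        name for name, row in inventory.items()
        if date.fromisoformat(row["support_end"]) < cutoff
    )


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for control, gap in coverage_gaps(inv, CONTROL_COVERAGE).items():
        print(f"{control}: unprotected={gap['unprotected']} "
              f"not_in_inventory={gap['not_in_inventory']}")
    print("end of life:", end_of_life(inv, date.today().isoformat()))
```

Both directions of the diff matter: the `unprotected` list is the blind spot the article describes, while `not_in_inventory` is often the cheapest way to find assets that exist but were never recorded, because the EDR or backup console already knows about them.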
As I described earlier, from a security perspective, it is essential to know about all devices and systems so they can be properly protected. From an IT operational point of view, it is cardinal that IT assets (devices, systems, applications, third party services) are properly managed throughout their lifecycle to ensure that IT services are provided in line with customer expectations and on an ongoing basis. This is ITIL 4’s IT asset management practice.
The first step in managing IT assets is to have reliable data on them, and this is, or should be, in the inventories. ITIL 4 uses the term IT asset register instead, but the meaning is the same: it contains the assets and systems to be operated. If it is incomplete or not up to date, operational tasks can be missed, which can lead to operational and security incidents, which in turn can lead to SLA violations and more.
In addition to IT asset management practice, Service configuration management is also related to the topic. The objective is to ensure the availability of accurate and reliable information about the configuration of services and the infrastructure that supports them. This information is recorded in a database, the configuration management database (CMDB), which contains not only the basic information but also the relationships between the elements and therefore it is more extensive than an inventory.
The availability of a complete and up-to-date inventory of a company's IT assets and systems is required by almost all information security and IT security standards and other frameworks, so without it compliance is not possible. Let's look at the best-known ones:
- ISO 27001:2022:
  - 5.9 Inventory of Information and Other Associated Assets
- NIST CSF:
  - ID.AM-1: Physical devices and systems within the organization are inventoried
  - ID.AM-2: Software platforms and applications within the organization are inventoried
- NIST SP 800-53 rev 5:
  - CM-8: System Component Inventory
- CIS Controls v8:
  - 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
- PCI-DSS 4.0:
  - 12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
In addition to the standards, it is also worth mentioning legislation, at least at a theoretical level, e.g. IT-SiG 2 and the NIS2 Directive.
Project management may at first seem irrelevant next to the security and operational reasons, but it is far from negligible. In information security assessment projects, for example a simple gap assessment, risk analysis or business impact analysis, the availability of a complete, up-to-date inventory with the right content is an essential prerequisite. It is necessary to define the scope of the project, and without the right data it can be difficult to understand the IT part of the underlying business context. Without the business context, relevant risks may be identified with limited or insufficient weight. If the inventory has to be prepared as part of the assessment project, the project will incur additional costs and a longer timeframe.
The existence of incomplete or outdated inventories can be due to several factors, which may occur in combination:
- Lack of internal regulation, expectation, or enforcement,
- Lack of or deviation from security and operational processes, especially change management,
- Lack of definition or control of accountability,
- Siloed operations, inventories with different formats and contents from one division to another,
- Systems operated and used without the knowledge of IT ("shadow IT").
Now that the problem has been introduced, it is time to suggest possible practical solutions.
First, it is recommended to define roles and responsibilities for inventory management and control. I believe that the manager responsible for corporate IT operations is accountable (RACI: A) for ensuring that corporate IT inventories meet the requirements for content and format. The operators and technical owners of the devices and systems are responsible (RACI: R) for keeping the inventory up to date, ensuring that it is correct and that it is reviewed. It is not enough to fill in and review the inventory; it is highly recommended that its correctness is also checked. Therefore, depending on the size of the company, the information security or internal audit function may be responsible (RACI: R) for the checks.
Before establishing the processes, it is recommended to regulate the requirements for the IT inventory, which should be done in the company's IT operational and/or information security policy.
I believe that inventory management does not need to be a separate process, but should be a step in the existing processes, especially the IT change management process. Leaving aside for a moment the issue and withdrawal of endpoints, IT assets (e.g. servers, network devices) and systems in a moderately mature company are introduced, upgraded and phased out as part of the change management process. Accordingly, recording new systems, updating existing ones and moving the data of existing systems into the decommissioning/removal process, i.e. the related administration, should also be part of this process, which keeps the inventory current. This approach is in line with the ITIL recommendation.
The technology should not only be used to record assets and systems, but also to identify them. Suppose a company has identified inadequate IT inventory as a risk and now wants to address it, i.e. reduce the risk to an acceptable level.
First of all, it is recommended to collect all available data on existing devices and systems. This can be done by reviewing existing device, system and IP address records, and possibly rack cabinet installation diagrams. Physical assets are easier to check: it may be enough to walk through the server rooms, and if iLO or iDRAC remote management tools are used in the company, missing information (e.g. S/N) can be collected from there as well.
Recording systems is a more difficult task, as they are not tangible. For this task, the IP registry can be a good basis, but best practice recommends the use of asset discovery or network discovery tools, e.g. Nmap. Vulnerability scanning software also has host discovery functionality that can be used. After using discovery tools, it is a good idea to compare known and new assets, and then enrich the data if new hosts are discovered on the network. If an unknown host is discovered on the network, it should be identified as soon as possible and treated as a security incident if it turns out to have connected to the network without authorisation. If existing inventories are significantly outdated or inadequately structured, it may be appropriate to start a new inventory. It is also advisable to periodically map the corporate network and compare it with the inventory. CIS Controls v8 suggests this for companies in Implementation Group 2 (medium maturity):
  - 1.3 Utilize an Active Discovery Tool: Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.
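The "compare known and new assets" step above is easy to automate once the discovery tool's output is parsed. The script below is an added example for this article, not code from the author or from the Nmap project; it reads Nmap's grepable output format (`-oG`) and diffs the hosts reported as up against the inventory's IP list. The subnet, hostnames and the Nmap output itself are constructed sample data.

```python
"""Compare an Nmap host-discovery sweep with the inventory's IP list.

Added example, not part of the article. The Nmap grepable (-oG) output and
the inventory IP list below are constructed sample data; the subnet and
hostnames are hypothetical.
"""
import re

# Constructed output of `nmap -sn -oG - 10.0.1.0/24` (grepable format).
NMAP_GREPABLE = "\n".join([
    "# Nmap 7.94 scan initiated Mon Jan  6 09:00:00 2025 as: nmap -sn -oG - 10.0.1.0/24",
    "Host: 10.0.1.10 (erp-app01.corp.example)\tStatus: Up",
    "Host: 10.0.1.11 (erp-db01.corp.example)\tStatus: Up",
    "Host: 10.0.1.37 ()\tStatus: Up",
    "Host: 10.0.1.40 ()\tStatus: Down",
    "# Nmap done at Mon Jan  6 09:00:12 2025 -- 256 IP addresses (3 hosts up) scanned in 12.01 seconds",
])

# Constructed list of IPs recorded in the inventory for the same subnet.
INVENTORY_IPS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Grepable host lines look like:  Host: <ip> (<rdns or empty>)<tab>Status: Up
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_nmap_grepable(text):
    """Return {ip: reverse-DNS name} for every host Nmap reported as Up."""
    live = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def reconcile(inventory_ips, live_hosts):
    """Split the comparison into the two findings the article describes.

    'unknown' = live on the network but absent from the inventory: identify
                quickly and treat as an incident if it proves unauthorised.
    'stale'   = in the inventory but not answering: possibly decommissioned
                without the record being removed, or simply offline.
    """
    live = set(live_hosts)
    return {
        "unknown": sorted(live - inventory_ips),
        "stale": sorted(inventory_ips - live),
    }


if __name__ == "__main__":
    live = parse_nmap_grepable(NMAP_GREPABLE)
    result = reconcile(INVENTORY_IPS, live)
    for ip in result["unknown"]:
        print(f"UNKNOWN host {ip} ({live[ip] or 'no rDNS'}): identify and investigate")
    for ip in result["stale"]:
        print(f"STALE record {ip}: verify whether it was decommissioned")
```

A `stale` finding is not necessarily an error (the host may be switched off), so it should trigger a check of the record rather than an automatic deletion; an `unknown` finding is the case the article says to identify as soon as possible.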
Third-party applications could be identified through interviews with business areas because a SaaS-based application is more difficult to identify than an asset on an enterprise network. However, it is not impossible; for this, account reviews, network, endpoint, application, and browser-level data collection are recommended by blogs on this topic.
Platform and content
An Excel spreadsheet may be an appropriate form of asset and system inventory for a small company, but it has its limits. Beyond them, it is worth considering a dedicated software tool. There is a very wide range of these, and every company can find the right solution for itself. If you are on a tight budget, you should not immediately dismiss the idea of replacing the Excel spreadsheet, as many solutions are available free of charge in on-premise versions. It is worth choosing software that can be customised with custom fields and lists.
As regards the content of inventories, each company should define the data to be recorded. I consider the following to be the essential data for IT asset and system inventories:
- Name (or custom hostname) and description of the function,
- IP address,
- OS, DB and application name and version, with their support end date,
- Manufacturer, Type (in case of hardware),
- Developer (in case of software),
- S/N (in case of hardware),
- Third party supplier, service provider (if applicable),
- Location (in case of hardware),
- Operator (technical owner),
- Business owner.
The minimum data content listed above can be extended with information on licensing, vendor support, public or customer exposure (e.g. whether the system is published) and criticality level. It is vital that there is only one inventory within an enterprise, covering all enterprise units and functions (operations and security use the same inventory). Otherwise you will have to work with coexisting and, understandably, divergent inventories, with the resulting problems built in.
In this article, I have tried to highlight the importance of visibility and the low level of control over assets and systems that inadequate inventories cause. Beyond the problem statement, I have tried to give a possible practical solution for those who want to solve the problem in their own company. Based on the findings of this article, perhaps the management of inventories no longer seems a tedious task and an empty issue, and the meme presented will be seen in a different light.
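Whichever platform holds the inventory, the content rules above can be enforced mechanically: the common fields apply to every record, while the "in case of hardware / software / if applicable" fields depend on what the record describes, and the same IP appearing twice is a data-quality finding in its own right. The audit below is an added example for this article, not the author's or any product's code; the field names, the asset kinds and the sample records are constructed and would be adapted to a real inventory schema.

```python
"""Check inventory records for the minimum fields the article lists.

Added example, not from the article. Field names, asset kinds and the sample
records are constructed; adjust them to your own inventory schema.
"""

# Fields every record needs, regardless of what it describes.
COMMON_FIELDS = ("name", "function", "operator", "business_owner")

# Extra fields required per kind of asset, following the article's
# "in case of hardware / software / if applicable" qualifiers.
KIND_FIELDS = {
    "hardware": ("ip", "manufacturer", "type", "serial", "location"),
    "software": ("ip", "developer", "version", "support_end"),
    "service": ("supplier",),          # third-party / SaaS: no IP or S/N
}

# Constructed sample records (hypothetical names, IPs and serial numbers).
SAMPLE_RECORDS = [
    {"kind": "hardware", "name": "sw-core01", "function": "core switch",
     "ip": "10.0.0.1", "manufacturer": "ExampleNet", "type": "XN-4800",
     "serial": "XN4800-000123", "location": "DC1 rack 3",
     "operator": "network-team", "business_owner": "CIO"},
    {"kind": "software", "name": "erp-app01", "function": "ERP application",
     "ip": "10.0.1.10", "developer": "ExampleERP Ltd", "version": "12.3",
     "operator": "erp-team", "business_owner": "CFO"},          # no support_end
    {"kind": "service", "name": "crm-saas", "function": "customer CRM (SaaS)",
     "operator": "sales-ops"},                                   # no supplier/owner
    {"kind": "hardware", "name": "sw-core01-old", "function": "core switch",
     "ip": "10.0.0.1", "manufacturer": "ExampleNet", "type": "XN-2400",
     "serial": "XN2400-000077", "location": "DC1 rack 3",
     "operator": "network-team", "business_owner": "CIO"},      # same IP as sw-core01
]


def missing_fields(record):
    """Return the required fields that are absent or empty, in schema order."""
    kind = record.get("kind")
    if kind not in KIND_FIELDS:
        return ["kind"]
    return [f for f in COMMON_FIELDS + KIND_FIELDS[kind] if not record.get(f)]


def duplicate_ips(records):
    """IP addresses that appear in more than one record: either two assets
    share an address or one asset was recorded twice; both need a look."""
    seen = {}
    for r in records:
        if r.get("ip"):
            seen.setdefault(r["ip"], []).append(r["name"])
    return {ip: names for ip, names in seen.items() if len(names) > 1}


def audit(records):
    """Per-record list of missing fields plus duplicate-IP findings."""
    incomplete = {}
    for r in records:
        missing = missing_fields(r)
        if missing:
            incomplete[r["name"]] = missing
    return {"incomplete": incomplete, "duplicate_ips": duplicate_ips(records)}


if __name__ == "__main__":
    report = audit(SAMPLE_RECORDS)
    for name, missing in report["incomplete"].items():
        print(f"{name}: missing {', '.join(missing)}")
    for ip, names in report["duplicate_ips"].items():
        print(f"{ip}: recorded {len(names)} times ({', '.join(names)})")
```

Running this kind of audit as the check the article assigns to information security or internal audit (RACI: R) turns "the inventory is correct" from a statement into something that can be verified on each review.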
Sources
- ITIL 4,
- ISO 27001:2022,
- ISO 27005:2022,
- CIS Controls v8.