1.4: Maintain Detailed Asset Inventory

Sub-control 1.4 states that an accurate and up-to-date inventory of all technology assets with the potential to store or process information must be maintained. This inventory shall include all assets, whether or not they are connected to the organization’s network.

Asset Type	Security Function	Implementation Groups
Devices	Identify	1, 2, 3

Dependencies

None

Inputs

Endpoint Inventory (I1): The organization’s current inventory list (aka the “to be checked” list).
1. This list is a static list of the number of assets the organization currently has or believes they have. For example, the organization should be aware of the number of laptops, desktops, servers, routers, switches, wireless Access Points, or other devices that are capable of obtaining an IP address. Use the count, or number of these devices for this input. The CISO is the resource who has a complete list of devices.
"Ground Truth” Inventory (I2): A list to compare with input 1 (I1). This list is enhanced by manual verification. However, a tool-generated or aggregated list can also be substituted. This list should be an aggregation of the devices detected over a period of time, but preferably not from a single scan. Scans should be conducted frequently. For example, a scan using plugin 10180 has very little effect on network performance, and can be conducted daily.
1. Tenable Security Center uses Nessus as the active discovery tool, and stores the collected data in a cumulative database. The database is considered cumulative because all data collected on the assets using active, passive, and event scanning methods are stored in a single repository for analysis.
Procedural Write-up for Adding or Removing Assets to or from the Inventory: an input only for manual review. This is a required physical document detailing the procedure for adding or removing assets in the inventory.

Assumptions

Devices belonging to the organization, but not connected to the organization’s network, require manual discovery in order to be included in the “Ground Truth” inventory.
Audit File: Questions regarding connected devices.

Operations

If I1 is not provided, this sub-control is measured at a 0 (complete fail).
If I2 is not provided, no true accuracy measurement can be made for this sub-control. However, I2 can be obtained from the CIS Sub-Control 1 on the CAS Control 1 (IG1) Dashboard available within Tenable Security Center. The Tenable Security Center component provides a summary of devices found on the network, as identified by Nessus. The following screenshots show the captured plugin output and the filters used within the component to capture the required data.
An inverse search with this filter can be used to identify devices that are considered dead. The previous filter reports only on hosts that are alive and responsive. Altering the vulnerability text to “dead" displays a count of unresponsive devices.
Drill down into this component to view additional information on each scanned device. Often times, this can provide information about the type of device associated with the IPv4 address. This could include MAC Address and NetBIOS Information.
This, or any data contained within a component can be easily exported to a spreadsheet for further analysis and processing:
1. Click on the blue arrow in the top right corner of the component.
2. On the Vulnerability Analysis page, click Options.
3. Choose the method by which you want to export the data.
Optionally, you can also send the entire dashboard to a report:
1. On the Dashboards page, click Options.
2. Select Send to Report.
Calculate the intersection of I1 and I2. You can then see items that appear in one inventory but not the other.

Many of the tasks associated with this control are manual. However, active and passive discovery tools are available to assist you. In addition, using active and passive discovery tools to detect and inventory assets can help organizations meet the other Sub-Control CAS IG2 and IG3 requirements for Control 1. Tenable Security Center allows organizations at all IG’s to collect unique information about each asset scanned via an active scanning tool. Using Nessus, Tenable Security Center initially port scans each asset and collects any open ports grabbing service banners where applicable. Next, when scanned with credentials, Nessus logs in to the system and collects a multitude of system configuration data. While Tenable Security Center is known for vulnerability data collected, it also collects a wide range of asset identification attributes such as MAC address, and CPU GUIDs. CIS Control 1 (Inventory of Hardware Assets Dashboard) contains actively collected attributes for further analysis by the operations teams. For more information, see https://www.tenable.com/sc-dashboards/cis-control-1-inventory-of-hardware-assets.

Tenable Security Center Continuous View includes Tenable Nessus Network Monitor. Using Tenable Nessus Network Monitor, Tenable Security Center can discover assets on the network using a Switch Port Analyzer (SPAN) port. SPAN ports are also commonly referred to as Mirrored ports. These ports provide copies of traffic to a Network Interface Card (NIC) for analysis.

Tenable Nessus Network Monitor is a network discovery and vulnerability analysis software solution that delivers continuous network listening, profiling, and monitoring in a non-intrusive manner. Tenable Nessus Network Monitor monitors network traffic at the packet layer to determine topology, services, and vulnerabilities. It is tightly integrated with Tenable Security Center and Log Correlation Engine (LCE) to centralize both event analysis and vulnerability management for a complete view of your security and compliance posture.

Measures

Measure	Definition
M1 = List of items in the intersection of Input 1 and Input 2. M1 is derived from the Operations section of this document.	A list of items that are either: in I2 but not in I1, or items that are in I1 but not in I2. The creation of this list is a manual task that requires reviewing all the assets from each of those lists.
M2 = Count of items in M1	A count of the total number of items identified in M1.
M3 = List of items in Input 2	A list of found items that are unknown to the organization. This list contains items that have been scanned that are considered unknown/rogue to the organization This measure is aided by Tenable Security Center Continuous View using Nessus.
M4 = Count of items in M3	A count of the total number of items in M3.
M5 = List of items in I1 and not in I2	A list of devices that the organization believes they have, but that have not been found on the network.
M6 = Count of items in M5	A count of the total number of items in M5.
M7 = List of items in I2 and not in I1	A list of items that were identified from scanning but that are unknown to the organization.
M8 = Count of items in M7	A count of the total number of items in M7.

Metrics

Accuracy Score

Metric	Calculation
The percentage of the “Ground Truth” inventory that is accounted for in the organization’s current asset inventory.	M2 / M4 M2 is a count of the items from the intersection of I1 and I2. M4 is the count of the items that have been identified.

Metric

Calculation

The percentage of the “Ground Truth” inventory that is accounted for in the organization’s current asset inventory.

M2 / M4

M2 is a count of the items from the intersection of I1 and I2.

M4 is the count of the items that have been identified.

Procedure Review

After the accuracy score is calculated, there must be a manual review/rating of the inventory procedures. This includes adding and removing assets and the time allowable or expected for the acquisition or disposal of assets.

Reconcile I1 with any new devices that have been identified that should be part of the asset inventory. In many cases, devices can be added to an organization over time and not be properly accounted for. Once the list of assets is updated to reflect an accurate count, this input can be used as a definitive resource in other Sub-Controls.