One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 2682724
Publication date: 2021-04-23 10:00:00 (viewed: 2021-04-23 11:05:37)
Title: Lessons learned from building an inventory of systems
Text:

IT asset inventory vs an ISI – What's the difference?

Many frameworks, standards, and regulations require organizations to have an IT Asset Management program in place. However, what separates a mature Information System Inventory (ISI) from an IT Asset Inventory, and the benefits an ISI delivers, are generally less well understood. Naturally, this makes it more likely that an ISI is deprioritized in favor of what are viewed as more pressing security needs.

Figure 1. Information systems and asset inventory. An Information System Inventory (ISI) is a record of the Information Systems in an organization and includes the information traditionally held in an IT Asset Inventory.

A properly constructed ISI should be prioritized as the foundation on which organizations implement a System Development Lifecycle (SDLC) program, facilitate Security Operations activities, make informed risk management decisions, move towards a more data-centric view of security, and mature their security posture as a whole. The ISI is an opportunity for an organization to have a core source of intelligence that ties security information across the organization together. The ability to view risk at multiple levels (network level, system level, division level, organizational level, etc.) is becoming ever more important as organizations implement more complex environments and move away from a traditional network perimeter.

Policy, process & training: Ensuring reliable information

One of the best places to start maturing the ISI is to mature the categorization process. Without measures in place to ensure repeatability and consistency, the information may become suspect and of little value. It is critical to implement a process that satisfies the need for stringent accuracy, but that is not so cumbersome that it makes efficient use of personnel resources difficult.

One of the most effective ways to balance this need for accuracy with the need for agility is to invest significant time in process creation, documentation, and training. This includes defining and documenting the process itself, definitions for each field and each possible field answer, and the creation of tools such as interview templates and forms. Training sessions and tabletop exercises then ensure that all interviewers apply the process in a consistent and accurate manner. As categorizations are conducted on an annual or recurring basis, it is important to continuously update the process documentation, definitions, and training to align with the process as actually implemented.

Figure 2. A possible process for categorizing an Information System.

It is also important to design the categorization process to allow for documentation of the reasoning behind critical fields. Besides the obvious benefit of providing a high level of confidence that the information is accurate and easing the quality assurance process, this also captures the inevitable grey areas and edge cases not considered in the original process. As the organization continues to mature its ISI and the categorization process evolves, notes on previously categorized systems are also invaluable in backfilling information for newly identified business uses. This reduces the re-work required, helps ease maintenance of the ISI, and provides a more accurate picture of current risk.

Figure 3. A short list of possible categorization fields and reasoning fields for critical fields.
Sent: Yes
Tags: Vulnerability, Guideline
The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from a previous one.