Description
The purpose of this standard is to establish the minimum required information to be maintained in an IT Inventory for Lehigh-owned assets including end-user/server devices and information systems containing Lehigh data. IT inventories are to be made available to support secure information systems operations and governance.
Establish and maintain an accurate, detailed, and up-to-date inventory of all Lehigh-owned assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Scope
This policy applies to Lehigh-owned assets and information systems containing Lehigh data managed centrally (LTS) or by individual Colleges/Units.
Security Requirements
Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (eg, FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.
...
1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
1.3: Utilize an Active Discovery Tool
Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.
1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.
1.5: Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.
Minimum Data Required
The following are the minimum data elements which need to be recorded within the Information System Inventory.
...
Additional Hostnames
Operating System
Location
Internal: building and room
External: hosting provider including contact information
Lifecycle Status
Related
The Information System Inventory Standard is created under the Information Security Policy.
We often encounter situations where we notice unusual behavior with a server, service, or application but the situation is not yet a full incident. In those cases, we encourage the user of the #operations channel for transparency and discussion.
Definitions
System Owner - Individual accountable for system and data stored within system. Typically the person who purchases and funds the system.
Technical Owner - Individual or team with the responsibility for maintaining and updating the system.
Revision History
Date | Version | Description | Approval |
|---|---|---|---|
| 0.1 | Original Document | Draft |