Manage Assets and Protect Data
After completing this unit, you’ll be able to:
- Define why inventory and control of enterprise assets is critical.
- Describe procedures and tools to inventory and control software assets.
- Explain Safeguards to protect data.
- List procedures and tools for secure configuration.
Inventory and Control Enterprise Assets
Now that you have a better idea of what the Center for Internet Security, Inc. (CIS®) Critical Security Controls® (CIS Controls®) are, let’s take a look at the 15 Controls and associated Safeguards for Implementation Group 1 (IG1). As a reminder, IG1 is a set of essential cyber hygiene controls that can be executed with limited expertise.
Meet Nicole, a new chief information security officer (CISO) at a university. Nicole knows it’s critical to manage all assets connected to the university’s infrastructure. The university’s assets include end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers. To strengthen the university’s inventory and control of its assets, Nicole works with her asset management team to manage the inventory of assets and their associated data throughout their lifecycle.
She starts by working with the team to identify and maintain a current and accurate view of all their assets, including cloud, mobile, and Internet of Things (IoT) devices.
To do so, she uses the tools and methods outlined in these guides.
- The CIS Controls v8 Mobile Companion Guide for tablet and smart phone guidance
- The CIS Controls v8 Internet of Things Companion Guide for IoT guidance
Nicole then works with her team to implement the following Safeguards to inventory and control the university’s assets.
- Establish and Maintain Detailed Enterprise Asset Inventory: The team establishes an inventory of all assets that store or process data, to include end-user devices, network devices, non-computing/IoT devices, and servers. By doing this inventory, the team not only identifies authorized devices on the network, but also may identify rogue or unknown assets for further investigation.
- Address Unauthorized Assets: The team puts in place a process to address unauthorized assets regularly.
Organizations can’t defend against what they don’t know they have. Nicole knows that these Safeguards will help the organization establish an inventory of its assets, and better protect the organization's data.
Inventory and Control Software Assets
Now that Nicole better understands the university’s assets, she turns to inventory and control of software assets (operating systems and applications). Nicole manages all software on the university’s network so that only authorized software is installed and allowed to execute. If she finds any unauthorized and unmanaged software, she needs to prevent it from installation or execution. She calls her team together and explains that a complete software inventory is a foundation for preventing attacks.
Nicole also works with her team to implement these Safeguards to inventory and control the university’s software assets.
- Establish and Maintain a Software Inventory: The team maintains an inventory of all licensed software installed on the university’s assets, including the title, publisher, initial install/use date, and business purpose for each entry.
- Ensure Authorized Software Is Currently Supported: The team verifies that only currently supported software (and its version) is designated as authorized in the software inventory for enterprise assets.
- Address Unauthorized Software: The team ensures that they either remove unauthorized software from use on organization assets or give it a documented exception.
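The three software Safeguards above can be checked together by reconciling what is actually installed against the inventory. The following is an added example, not part of the original unit: the `Entry` fields mirror the inventory attributes listed above, while the titles, hosts, dates, the `exception_id` field, and the rule that out-of-support software needs a documented exception to stay in use are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entry:
    title: str
    publisher: str
    first_installed: date
    business_purpose: str
    support_ends: Optional[date]        # None: no end-of-support date announced
    exception_id: Optional[str] = None  # documented exception reference, if any


# Constructed sample data: all titles, hosts and dates are made up.
INVENTORY = [
    Entry("ExampleOffice 2021", "Example Corp", date(2022, 1, 10), "Staff productivity", date(2026, 10, 13)),
    Entry("LabStats 4", "Sample Analytics", date(2019, 9, 2), "Research statistics", date(2023, 6, 30)),
    Entry("LegacyGrades 2", "Defunct Soft", date(2015, 8, 1), "Registrar archive", date(2020, 1, 1), "EXC-0001"),
]
DISCOVERED = {  # host -> titles reported by an endpoint scan (constructed)
    "lab-pc-01": ["ExampleOffice 2021", "LabStats 4", "UnknownTool"],
    "registrar-02": ["LegacyGrades 2", "ExampleOffice 2021"],
}


def review(inventory, discovered, today):
    """Return (host, title, finding) tuples that need action."""
    by_title = {e.title: e for e in inventory}
    findings = []
    for host, titles in sorted(discovered.items()):
        for title in titles:
            entry = by_title.get(title)
            if entry is None:
                # Installed but absent from the inventory.
                findings.append((host, title, "unauthorized: remove or document exception"))
            elif entry.support_ends and entry.support_ends < today and not entry.exception_id:
                # Inventoried, but no longer supported and no exception on file.
                findings.append((host, title, "unsupported: upgrade or document exception"))
    return findings


if __name__ == "__main__":
    for finding in review(INVENTORY, DISCOVERED, date(2024, 3, 1)):
        print(*finding, sep=" | ")
```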
Nicole knows that by implementing these Safeguards, the team will be better able to patch vulnerable software, and guard against known attacks in case a vulnerability has been discovered but a patch has not yet been released.
Next, Nicole develops processes and technical controls to identify, classify, securely handle, retain, and dispose of data. To enhance the university’s data protection, Nicole works with her data protection team to develop a data management process that includes a data governance framework, data classification guidelines, and requirements for protection, handling, retention, and disposal of data. The team works with the department heads across the university to inventory data and identify software accessing data at various sensitivity levels and the assets that house those applications.
In addition, Nicole works with her team to implement these Safeguards to protect data.
- Establish and Maintain a Data Management Process: The team establishes a data management process to address data sensitivity, data owners, handling of data, data retention limits, and disposal requirements, based on the sensitivity and retention standards for the university. This includes creating a data governance framework by asking:
  - What type of data does the university process or store?
  - Where is the data processed or stored?
  - Who has access to each type of data?
- Establish and Maintain a Data Inventory: The team maintains a data inventory, based on the university’s data management process.
- Configure Data Access Control Lists: The team configures data access control lists (ACLs) based on a user’s need to know, and applies these access permissions to local and remote file systems, databases, and applications.
- Enforce Data Retention: The team retains data according to the enterprise's data management process.
- Securely Dispose of Data: The team securely disposes of data as outlined in the university’s data management process, and verifies the disposal process and method are commensurate with the data sensitivity.
- Encrypt Data on End-User Devices: The team encrypts data on end-user devices containing sensitive data.
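A data inventory becomes enforceable once each record carries its sensitivity, owner, location, and creation date. The following added example (not part of the original unit) uses such an inventory to find data past its retention limit, check that a disposal method matches the data's sensitivity, and list sensitive data on unencrypted end-user devices. The `POLICY` values, the record fields, and the choice to treat everything except "public" as sensitive are assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta

# Hypothetical policy: sensitivity -> (retention limit in days, acceptable disposal methods).
POLICY = {
    "public": (3650, {"delete", "overwrite", "crypto-erase"}),
    "internal": (1825, {"overwrite", "crypto-erase"}),
    "confidential": (365, {"crypto-erase"}),
}

Record = namedtuple("Record", "name owner sensitivity location end_user_device encrypted created")

# Constructed data inventory: names, owners, hosts and dates are made up.
DATA_INVENTORY = [
    Record("course-catalog", "registrar", "public", "web-01", False, False, date(2021, 1, 15)),
    Record("payroll-2022", "finance", "confidential", "fin-db-01", False, True, date(2022, 12, 31)),
    Record("advising-notes", "student-services", "confidential", "laptop-114", True, False, date(2024, 2, 1)),
    Record("room-bookings", "facilities", "internal", "laptop-090", True, True, date(2023, 9, 1)),
]


def past_retention(inventory, today):
    """Names of records whose retention limit has expired and that are due for disposal."""
    return [r.name for r in inventory
            if r.created + timedelta(days=POLICY[r.sensitivity][0]) < today]


def disposal_is_commensurate(record, method):
    """True if the disposal method is acceptable for the record's sensitivity."""
    return method in POLICY[record.sensitivity][1]


def needs_device_encryption(inventory):
    """Non-public data held on an end-user device without encryption."""
    return [r.name for r in inventory
            if r.end_user_device and r.sensitivity != "public" and not r.encrypted]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("dispose:", past_retention(DATA_INVENTORY, today))
    print("encrypt:", needs_device_encryption(DATA_INVENTORY))
```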
Nicole knows that the university’s data is no longer contained solely within its border—it’s in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services that might process or store data anywhere in the world. She knows these Safeguards are crucial to protecting data, no matter where it lies.
Securely Configure Enterprise Assets and Software
Finally, Nicole is ready to establish and maintain the secure configuration of the organization’s assets and software.
Procedures and Tools for Secure Configuration
To securely configure the university’s assets and software, she works with her configuration management team to make use of available security baselines for university systems. A security baseline is a group of recommended configuration settings. One baseline they use is the CIS Benchmarks™ Program, which contains more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against evolving cyberthreats. The team augments these baselines to satisfy the university’s security policies and regulatory requirements as needed.
Security baselines are important because they are the minimum security controls required for safeguarding an organization’s information systems, ultimately ensuring the confidentiality, integrity, and availability (CIA) of critical system resources. Here is an example of the steps to build a secure baseline image.
- Determine the risk classification of the data handled or stored on the asset.
- Create a security configuration script that sets system security settings to meet the requirements to protect the data used on the asset.
- Install the base operating system software.
- Apply appropriate operating system and security patches.
- Install appropriate application software packages, tools, and utilities.
- Apply appropriate updates to operating systems.
- Install local customization scripts to this image.
- Run the security script created earlier to set the appropriate security level.
- Run a Security Content Automation Protocol (SCAP) compliant tool to record and score the system setting of the baseline image.
- Perform a security quality assurance test.
- Save this base image in a secure location.
In addition, Nicole works with her team to implement these Safeguards to securely configure the university’s assets and software:
- Establish and Maintain a Secure Configuration Process: The team establishes a secure configuration process to consistently secure university assets and software.
- Establish and Maintain a Secure Configuration Process for Network Infrastructure: The team maintains a secure configuration for network devices, and reviews and updates documentation annually, or when significant changes occur that could impact this Safeguard.
- Configure Automatic Session Locking on Enterprise Assets: The team configures automatic session locking on assets after a defined period of inactivity to prevent anyone from having access to assets.
- Implement and Manage a Firewall on Servers: The team implements a firewall on servers where supported, such as virtual firewalls, operating system firewalls, or third-party firewall agents to prevent unauthorized access to assets.
- Implement and Manage a Firewall on End-User Devices: The team manages a host-based firewall or port-filtering tool on end-user devices.
- Securely Manage Enterprise Assets and Software: The team securely manages assets and software, for example managing configuration through version-controlled-infrastructure-as-code.
- Manage Default Accounts on Enterprise Assets and Software: The team manages default accounts on university assets and software.
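Recording and scoring an image's settings against a baseline, as in the image-building steps above, comes down to comparing each recorded setting with a required value. The following added example (not part of the original unit, and not a SCAP tool) scores session locking, host firewall, and default account settings for two constructed images. The setting names, the 15-minute threshold, and the snapshots are assumptions.

```python
# Hypothetical baseline rules: setting -> (check, requirement). Thresholds are assumptions.
BASELINE = {
    "session_lock_seconds": (lambda v: type(v) is int and 0 < v <= 900,
                             "lock session after at most 15 minutes idle"),
    "host_firewall_enabled": (lambda v: v is True, "host firewall enabled"),
    "firewall_default_inbound": (lambda v: v == "deny", "inbound traffic denied by default"),
    "enabled_default_accounts": (lambda v: v == [], "no vendor default accounts enabled"),
}

# Constructed snapshots of two images' settings (not the output of any real tool).
FACTORY_IMAGE = {
    "session_lock_seconds": 0,  # 0 = never lock
    "host_firewall_enabled": False,
    "firewall_default_inbound": "allow",
    "enabled_default_accounts": ["admin", "guest"],
}
HARDENED_IMAGE = {
    "session_lock_seconds": 600,
    "host_firewall_enabled": True,
    "firewall_default_inbound": "deny",
    "enabled_default_accounts": [],
}

_MISSING = object()


def score(snapshot, baseline=BASELINE):
    """Return (percent_passed, failures); a setting absent from the snapshot fails."""
    failures = []
    for name, (check, requirement) in baseline.items():
        value = snapshot.get(name, _MISSING)
        if value is _MISSING:
            failures.append((name, "not recorded", requirement))
        elif not check(value):
            failures.append((name, repr(value), requirement))
    passed = len(baseline) - len(failures)
    return round(100 * passed / len(baseline)), failures


if __name__ == "__main__":
    for label, image in (("factory", FACTORY_IMAGE), ("hardened", HARDENED_IMAGE)):
        percent, failures = score(image)
        print(f"{label}: {percent}%")
        for name, found, requirement in failures:
            print(f"  {name}: found {found}, required: {requirement}")
```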
Nicole knows that, as delivered from manufacturers and resellers, the default configurations for the university’s assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security, and that implementing these Safeguards can help make them more secure.
Sum It Up
In this unit, you’ve been introduced to why inventory and control of assets is critical. You’ve learned about procedures and tools to inventory and control software assets. You’ve also learned about Safeguards to protect data, and reasons why secure configuration of enterprise assets and software is critical.
In the next unit, you learn about account management and access control, and Safeguards to continuously manage vulnerabilities.