CIS Controls: Hardware Asset List

The CIS Controls (cisecurity.org/controls) are a great guide for everyone within an organization. The top 2 items are an inventory and control of hardware assets and an inventory and control of software assets (1 and 2 respectively). This post will cover the reasons why a hardware asset list is important. If you want to see my post on why a software asset list is important, please click here.

#1 on the CIS security controls top 20 list is an “inventory and control of hardware assets.” I will refer to it as a hardware asset list for this post. While a lot of organizations do have some form of a hardware asset list, most lists are incomplete and missing simple items like keyboards and mice (more on that later). Of course there are some organizations that do not have a list at all. I’ll cover the reasons why I think a hardware asset list is important for every organization to have, as well as point out a few items that are often missing from hardware asset lists.

While this is not an all-inclusive list, here are a few of the main points we will cover in this discussion:

  • Provides security, compliance and infrastructure teams with a list of hardware used in the environment

  • Provides a guide and justification for the Service Desk on what hardware has been approved (by procurement, security, compliance, etc.) for installation and support

  • Can help uncover duplicate hardware, which could lead to cost savings

  • Can help provide a list of outdated/unsupported hardware

  • Lets personnel in the organization know what hardware is available for use

  • The items often missing from an established hardware asset list

The security, compliance and infrastructure teams will benefit quite a bit from a hardware asset list for a variety of reasons. For compliance teams, having a list of approved hardware in the environment helps with audits (internal and external) as well as strengthening policies and procedures. It’s one thing to say in a policy, “It’s prohibited to use unapproved hardware”, but it takes on a whole new meaning when the policy can say, “Do not use any hardware not listed on the hardware asset list”. This removes all doubt and provides HR and Legal teams with more solid guidance in the event disciplinary action needs to take place. A hardware asset list also provides security and compliance teams with a quick way to determine if something is used in their environment. If a vulnerability is announced in a piece of hardware, the compliance and security teams can look at the hardware asset list to see if that hardware is used within the environment and quickly alert the required teams to patch the vulnerability or remove the hardware if needed. Security, compliance and infrastructure teams benefit by having a source of record about what is permitted and used in the environment, which will help during incident response, planning, patching, testing and troubleshooting efforts.

One of the biggest advantages, often overlooked but a great justification for establishing a hardware asset list, is the impact it can have on the IT Service Desk. Service Desk teams spend a lot of time troubleshooting hardware problems, which ultimately impacts resources (personnel, time, budgets). One way to help alleviate this burden is to have and use a hardware asset list. If someone asks for a piece of hardware to be installed, the Service Desk can see if it is on the hardware asset list. If it isn’t, they can point the customer to the correct compliance/security process to request the hardware. If the Service Desk is asked to troubleshoot a piece of hardware not on the hardware asset list, they can notify the customer that it isn’t approved for use in the environment and point the customer to the appropriate security/compliance process to have the hardware approved. Not only would a hardware asset list save the Service Desk resources from troubleshooting unapproved hardware, but it will also protect the Service Desk, because they can point to the hardware asset list if they are asked to install unapproved hardware. Quite often, Service Desk personnel are put in a tough situation when asked to install potentially harmful or troublesome hardware without a process or hardware asset list in place. The hardware asset list will also provide a process safeguard to ensure hardware is correctly presented to security and compliance teams for a proper risk review.

One thing that often happens in an organization is the use of many different brands of hardware. Whether it is different brands of external hard drives, desktops, servers, etc., many organizations could benefit in several ways from standardizing on the same brand of hardware. It makes patching a lot easier, allows for the purchase of matching peripherals (e.g. docking stations, power supplies, etc.) and could also save the organization money on purchasing costs.

A hardware asset list can also be beneficial to infrastructure and procurement teams as it provides an easier way to track hardware for refresh cycles. It will allow for better budgeting, more effective use of resources and will hopefully prevent outdated/unsupported hardware from hanging around too long in the environment. As most of us know, unsupported hardware is very risky to have within an environment as vulnerabilities often go unpatched by the manufacturer.
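A small model of the checks described above (the Service Desk approval lookup, matching a vendor advisory against the list, reporting unsupported hardware, and spotting categories with more than one brand), as an added Python example that is not part of the original post; the inventory rows, vendor names, models and dates are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HardwareAsset:
    category: str
    vendor: str
    model: str
    approved: bool                   # passed the security/compliance review
    end_of_support: Optional[date]   # None: still supported or not yet announced

# Constructed sample inventory; not a real organization's list.
INVENTORY = [
    HardwareAsset("laptop",   "Acme",    "L100",    True,  date(2027, 1, 1)),
    HardwareAsset("laptop",   "Globex",  "G5",      True,  date(2023, 6, 30)),
    HardwareAsset("keyboard", "Acme",    "K-Macro", True,  date(2026, 1, 1)),
    HardwareAsset("printer",  "Initech", "P9",      True,  None),
    HardwareAsset("switch",   "Globex",  "S8",      False, None),  # known, but rejected
]

def is_approved(inventory, vendor, model):
    """Service Desk check: may this item be installed or supported?"""
    return any(a.approved and a.vendor.lower() == vendor.lower()
               and a.model.lower() == model.lower() for a in inventory)

def affected_by_advisory(inventory, vendor, models):
    """Assets on the list that match the vendor/model list of an advisory."""
    wanted = {m.lower() for m in models}
    return [a for a in inventory
            if a.vendor.lower() == vendor.lower() and a.model.lower() in wanted]

def unsupported(inventory, today_iso):
    """Assets whose end-of-support date is already behind the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [a for a in inventory
            if a.end_of_support is not None and a.end_of_support < today]

def brand_sprawl(inventory):
    """Categories where approved hardware comes from more than one vendor."""
    vendors = defaultdict(set)
    for a in inventory:
        if a.approved:
            vendors[a.category].add(a.vendor)
    return {c: sorted(v) for c, v in vendors.items() if len(v) > 1}
```

Each function only answers from the list itself, which is the point of the post: the answers are no better than the completeness of the inventory.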

Another great benefit of having a hardware asset list is the ability for everyone within the organization to see what hardware is approved and available for use. If someone needs a special piece of hardware, they can quickly see if it is already on the approved list. This not only saves the customer the time of filling in the required approval request form, but also saves the compliance and security teams time. That time savings equates to monetary savings for organizations.

Here are a few items often left off of hardware asset lists. While this is not an all-inclusive list, hopefully it is a big enough list to get you thinking about items floating around your organization that should be added to your hardware asset list:

  • Mice and keyboards with macro buttons. Why are these important to have on the list? They often require the installation of drivers and software. There have been instances where popular brands of mice and keyboards have had vulnerabilities in their software package, so not having these devices on the hardware list could lead to unpatched security vulnerabilities. The software for these devices should be included in the software asset list as well. They could also have hardware vulnerabilities, so they are important to include for more than just the software they require.

  • External hard drives. These are important to have for the same reason as the mice and keyboards above. They could have vulnerabilities in the hardware or the software that is often included.

  • Scanners and printers. These are included more often than not, but I wanted to list them just in case your organization does not include them on the hardware asset list. These fall in line with the items listed above, with vulnerabilities in the hardware and software being potential security risks for organizations. In fact, vulnerabilities in scanners and printers can be a much bigger problem for an organization than vulnerabilities in mice and keyboards.

  • Personal hubs and switches. I’m not talking about enterprise class hubs and switches here, I’m talking about the personal hubs and switches people buy at their local retailer and bring in without telling the Service Desk. It is best to have a brand of these devices preapproved and readily available in the event they are required by certain teams.