CSC 1: Inventory of Authorised and Unauthorised Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are found and prevented from gaining access.
Family | CSC | Control Description | Foundational | Advanced |
---|---|---|---|---|
System | 1.1 | Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organisation’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analysing their traffic should be employed. | Y | Use a mix of active and passive tools, and apply as part of a continuous monitoring program. |
System | 1.2 | If the organisation is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems. | Y | |
System | 1.3 | Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. | Y | |
System | 1.4 | Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organisation’s network. | Y | |
System | 1.5 | Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorised versus unauthorised systems. | Y | Authentication mechanisms are closely coupled to management of hardware inventory |
System | 1.6 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Y | |
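Controls 1.2 and 1.4 above describe using DHCP server logs to find devices the inventory does not know about, and keeping an inventory record with a fixed set of fields for every device. The script below is an added example, not part of the CIS control text or any CIS tooling: it parses DHCPACK lines in the syslog format ISC dhcpd emits, reconciles the observed leases against a small inventory keyed by MAC address, and reports three things a reviewer of this control would ask for: MACs that obtained a lease but are not inventoried, inventoried devices that were never seen (possible stale records), and inventory records missing a required field. The log lines and the inventory are constructed sample data; keying the inventory by MAC and the set of required fields are assumptions made for the example.

```python
import re

# Fields every inventory record should carry (name, purpose, owner, department,
# portable/personal flag), taken from the wording of control 1.4.
REQUIRED_FIELDS = ("name", "purpose", "owner", "department", "portable")

# Constructed sample inventory keyed by MAC address. The "lap-07" record is
# deliberately missing its owner so the completeness check has something to find.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"name": "fin-ws-01", "purpose": "finance workstation",
                          "owner": "j.doe", "department": "Finance", "portable": False},
    "aa:bb:cc:dd:ee:02": {"name": "print-02", "purpose": "network printer",
                          "owner": "facilities", "department": "Facilities", "portable": False},
    "aa:bb:cc:dd:ee:03": {"name": "lap-07", "purpose": "field laptop",
                          "department": "Sales", "portable": True},
}

# Constructed sample log lines in the syslog format written by ISC dhcpd.
# One device (00:11:22:33:44:55) is not in the inventory; one known MAC
# appears in upper case to show that matching is case-insensitive.
DHCP_LOG = """\
Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPOFFER on 10.0.1.25 to aa:bb:cc:dd:ee:01 (fin-ws-01) via eth0
Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.25 to aa:bb:cc:dd:ee:01 (fin-ws-01) via eth0
Mar  3 10:16:40 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.26 to aa:bb:cc:dd:ee:02 via eth0
Mar  3 10:17:11 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.77 to 00:11:22:33:44:55 (android-9f3c) via eth0
Mar  3 10:18:05 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.26 to aa:bb:cc:dd:ee:02 via eth0
Mar  3 10:19:30 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.25 to AA:BB:CC:DD:EE:01 (fin-ws-01) via eth0
"""

# Only DHCPACK confirms a lease; DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_acks(log_text):
    """Return a list of (ip, mac, hostname) for every DHCPACK line in the log."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m is None:
            continue
        # Normalise the MAC so "AA:BB:..." and "aa:bb:..." are the same device.
        leases.append((m.group("ip"), m.group("mac").lower(), m.group("host") or ""))
    return leases


def reconcile(leases, inventory):
    """Split observed leases into known/unknown devices and list inventoried
    devices that never appeared in the log.

    Returns (known, unknown, unseen): known and unknown map MAC -> summary
    (set of IPs, set of hostnames, ACK count); unseen is a sorted list of MACs.
    """
    known, unknown = {}, {}
    for ip, mac, host in leases:
        bucket = known if mac in inventory else unknown
        rec = bucket.setdefault(mac, {"ips": set(), "hostnames": set(), "acks": 0})
        rec["ips"].add(ip)
        if host:
            rec["hostnames"].add(host)
        rec["acks"] += 1
    unseen = sorted(set(inventory) - set(known))
    return known, unknown, unseen


def incomplete_records(inventory):
    """Return {mac: [missing field names]} for records lacking a required field."""
    problems = {}
    for mac, rec in inventory.items():
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems[mac] = missing
    return problems


if __name__ == "__main__":
    known, unknown, unseen = reconcile(parse_acks(DHCP_LOG), INVENTORY)
    for mac, rec in unknown.items():
        print(f"UNKNOWN device {mac}: ips={sorted(rec['ips'])} "
              f"hostnames={sorted(rec['hostnames'])} acks={rec['acks']}")
    for mac in unseen:
        print(f"inventoried but never seen on DHCP: {mac} ({INVENTORY[mac]['name']})")
    for mac, missing in incomplete_records(INVENTORY).items():
        print(f"inventory record {mac} is missing {missing}")
```

Run against a real dhcpd log, the unknown list is the raw material for control 1.1's inventory and the input to an 802.1x policy under 1.5; the unseen list is worth treating with care, since statically addressed servers and devices on segments without DHCP will never produce an ACK and should be reconciled from another source (switch MAC tables, passive traffic analysis) rather than marked stale.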
NIST 800-53 rev4
These are the NIST 800-53 controls mapped to CSC 1: Inventory of Authorised and Unauthorised Devices.
CA-7: Continuous Monitoring
CM-8: Information System Component Inventory
IA-3: Device Identification and Authentication
SA-4: Acquisition Process
SC-17: Public Key Infrastructure Certificates
SI-4: Information System Monitoring
PM-5: Information System Inventory