Updating Hosts Inventory in Isora GRC


Introduction

An accurate and up-to-date inventory of all IT assets ("technology resources" as defined by University Policy 7010) owned by VT Organizational Units (OUs) is the foundation for a successful Information Technology Risk Assessment (ITRA). The organizational ITRA relies on the OUs "hosts" inventory, which is documented on an Asset Group (formerly called inventory sheets) in Isora GRC. Your OU may have as many Asset Groups linked to your OU as you like, depending on how you prefer to organize your asset records. Asset Groups can be created/deleted/updated at any time, and all valid users with any assigned role for an OU can edit groups for that OU.

Your OU's "assets" inventory should include all VT-owned technology resources such as personal computer endpoints (desktop and laptop PCs) and servers (physical, virtual, and cloud instances), network infrastructure devices, smartphones, multi-function printers/scanners, as well as any Internet of Things (IoT) or special-purpose computing devices under the OUs responsibility which connects to a VT network, or handle/process/store university data. The assets inventory should not include basic IP telephones, personally-owned computing devices, or assets owned and managed by another university organization. 

Your OU's "assets" inventory should be maintained in Isora GRC according to the VT IT Risk assessment Standard. The standard outlines the OUs responsibility for inventory maintenance as follows:

            

Classification (Risk/Priority)GRC Inventory Maintenance

HIGH/CRITICAL

The OU's GRC inventory includes one or more High-Risk or Critical Priority assets

  		High-Risk/Critical Priority asset inventory records must be documented immediately upon deployment and kept up-to-date by the asset owner whenever changes are made that impact the accuracy of the GRC asset inventory record(s).

MODERATE/ESSENTIAL

The OU's GRC inventory includes one or more Moderate-Risk or Essential-Priority assets and no Critical-Priority assets

  		Moderate-Risk/Essential Priority asset inventory records must be documented and updated at least quarterly, as needed.

LOW/NON-ESSENTIAL

The OU's GRC inventory includes only Low-Risk and Non-Essential-Priority assets.

  		Low-Risk/Non-Essential-Priority asset inventory records must be documented and updated at least annually, as needed.

Instructions

You can add assets to your group(s) using three methods: Manually via the CSV upload, GUI, or via the API.

To add assets to your group via CSV upload:

Video Tutorial: Hosts Inventory CSV Upload

 
  1.  Download the ITSO's host template file.
    1. You will need to open in Excel to edit. Allow any macros of VB code to run for this spreadsheet, this logic changes some selected values to the appropriate system codes in Isora GRC.
    2. If your asset inventory collection process is not suited for using the .xlsm version, you can download a blank .csv version of the hosts template here.
  2. Fill out the following columns for each asset, as applicable:
    1. Name = Name of asset. Preferably a Fully Qualified Domain Name (FQDN), if available.
    2. Description = General description of the asset, if desired. For any "high-risk" assets, please describe in this field any peripheral devices connected that interface with data (USB printer/scanner, external storage devices, etc)
    3. IPs = IP address of the machine, must be in proper format for IP v4/v6 (leave blank if DHCP)
    4. MACs = Hardware address of network interface(s)
    5. Inventory_tag = VT asset inventory tag number, if tagged
    6. Serial = Manufacturer's serial number of the asset
    7. System = Operating System (OS), platform, or other useful information
    8. Classification = Risk level of the asset based on the VT Risk Classification Standard. Note: The risk classification can be set during upload and confirmed later; or you can choose to leave this attribute blank during upload and set the classification during the Risk Classification step.
    9. Categories (for high-risk assets ONLY) = High-risk data type(s) being stored/processed by the asset:
      • "Health", "Student", "Bank Account", "SSN", "Credit/Debit Card", "PII (Military ID, Passport, Driver's License)", "Research - Export Controlled/CUI", or "Critical to University", or IT service provided by resource.
      • "Email", "AAA (authentication, authorization, accounting)", "DNS", "DHCP"
    10. Priority = Asset criticality to the organization
      • "Critical" - Loss of the asset for even a short period of time could prevent the organization from achieving its mission and/or could pose a risk to health ad safety if compromised.
      • "Essential" - The organization could work around the loss of the asset for several days or perhaps a week, but eventually the technology asset would have to be restored to a useable status.
      • "Non-essential" - The organization can operate with the asset for an extended (though perhaps finite) period, during which some units or individuals may be inconvenienced and/or need to identify alternatives.
    11. System_type = Desktop, laptop, server, etc.
    12. Location fields (Optional): Site/Building/Floor/Room = If you choose to use these fields, then you must reference a complete entry from the valid locations prepopulated in Isora GRC. If you need to reference a location not in the system, it can be added by the ITSO.
    13. User/Owner/IT Contact = These fields must reference valid Isora GRC user accounts, org codes, or use any properly formatted email address(VT Faculty/Staff emails ONLY; DO NOT enter student information into Isora GRC).
  3. Repeat until all assets are entered.
  4. Once complete, save the file as a CSV file(.csv format is required for upload to Isora GRC).
  5. Navigate to Isora GRC and authenticate through the VT Login service.
  6. Navigate to the Inventory module and choose the Assets tab. 

  7. If you do not yet have any asset groups, click the "plus (+)" next to the search box at the top-right of the screen:
  8. Enter the Owning unit and enter a name for the Asset Group. This name can be as descriptive as needed based on how you decide to organize your asset group(s).
  9.  If you need to edit basic group settings or remove a group, these controls are on the asset group pop-out panel which is accessed by clicking on the group name, then the arrow: 

  10. Once you're ready to add hosts to a group, in the upper righthand corner of the group, click the 3 vertical dots, then  "Import Assets".

  11.  Click in an empty area of the pop-up and then browse to the storage location where you saved your assets inventory CSV file and select the file. Alternatively, you may drag and drop the file into this window. 

  12. The file will then autmatically be uploaded and there should be a confirmation at the bottom of the screen:
  13.  If the upload is successful you will see your assets now listed in the Asset Group. You can download a CSV file of your assets at any time from your group using the "Export Assets (CSV)" function.

  

 

To add assets Manually using the GUI:

 
  1. Navigate to Isora GRC and authenticate through the VT Login servive
  2. Navigate to the Inventory module and choose the Assets tab. 
  3. If you do not yet have any asset groups, click the "plus (+)" next to the search box at the top-right of the screen:
  4. Enter the Owning unit and enter a name for the Asset Group. This name can be as descriptive as needed based on how you decide to organize your host sheet(s).
  5.  If you need to edit basic group settings or remove a group, these controls are on the asset group pop-out panel which is accessed by clicking on the group name, then the arrow: 
  6. To add individual assets to your group, click the "plus (+)" on the righthand side of the search box.


  7. Give the asset a name, preferably a Fully Qualified Domain Name (FQDN), if available. Then click "Create"
  8. Fill out the applicable fields in the Asset Details form. When you select an option or enter information into a field, it will automatically save. 
  9. To make changes to a single host, simply click on the host in your sheet, update any fields as needed.
  10. To make bulk changes to a group of assets simultaneously, select each of the assets you need to update, and then click the pencil icon at the bottom of the screen. Select the desired changes from the "Bulk Editing" pop-up menu then click "Confirm " at the bottom to save your changes/updates.

 

  

 

To manage your host inventory sheet(s) using the IsoraGRC-API:

 
  1. Your Isora GRC account must first be set to "enable token API access". This request can be made to the ITSO. Once enabled, you can retrieve your individual API token from your user profile within IsoraGRC by navigating to the "Settings" page.
  2. The SaltyCloud API documentation can be accessed here:
    https://saltycloud.atlassian.net/wiki/spaces/TES/pages/1275464403/API+Guide
  3. You may choose to develop your own method(s) of working with the API endpoints that suits your individual needs. The ITSO has also developed some basic capabilities for partially automating inventory retrieval from other systems and uploading these records to IsoraGRC.
  4. Please reference the following documentation to learn more about these capabilities:

    BigFix “light-touch” inventory upload guide

     

    Jamf “light-touch” inventory upload guide