Safeguard 1 - Inventory and Control of Enterprise Assets
Keeping an accurate, up-to-date endpoint inventory allows you, your department and the IT Security Office to collaborate and quickly respond to security incidents.
1.1 - Establish and Maintain Detailed Enterprise Asset Inventory
- This inventory should contain endpoints, servers, network infrastructure, multi-function print devices, and other special-purpose technology resources (IoT). Both physical and virtual assets should be included.
- Departmental asset inventories must be reported to the ITSO GRC system (Isora GRC) for the purpose of IT Risk Assessments. Inventory records for assets classified as "high-risk" or "critical-priority" must be kept up to date in Isora GRC whenever those systems are newly deployed or changed.
1.2 - Address Unauthorized Assets
A process must be put in place to address unauthorized assets on a weekly basis. Once an unauthorized asset has been identified, the organization may choose to do the following:
- Remove the asset from the network.
- Deny the asset from connecting remotely.
- Quarantine the asset.
1.3 - Utilize an Active Discovery Tool
Network service owners must utilize an active discovery tool to identify assets connected to their network(s)/network segment(s) daily, at minimum.
Windows offers a service through Microsoft 365 Defender, known as Microsoft Defender for Endpoint. This service allows you to prevent, detect, and automate the investigation of and response to threats on endpoints. One of its core features is known as Asset Discovery, a service that automatically scans your network's endpoints for a variety of devices such as computers, mobile devices, and network devices. The service can also determine the device's domain, exposure level, etc. More information on this service can be found on the Microsoft 365 Defender documentation page.
1.4 - Use DHCP Logging to Update Enterprise Asset Inventory
The use of Dynamic Host Configuration Protocol logging can help update the enterprise's asset inventory.
Windows offers logging via Event Logs. To access them, do the following:
- Press the Windows key.
- Search for and open the Control Panel.
- Select System and Security
- Select Administrative Tools
- Select Event Viewer
To ensure the service is running, do the following:
- Select the Start menu.
- Search for and select the Command Prompt.
- Enter Net Start. This will list the running services; look for DHCP Server.
Now, to view the logs, do the following:
- Press Windows key + X and select Event Viewer.
- In the left pane, expand Applications and Services Logs.
- Expand Microsoft, then Windows, then DHCP-Client or DHCP-Server depending on which logs you would like to view.
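The following PowerShell is an added example, not part of the original procedure. It compares DHCP lease activity against the asset inventory to produce the list of unknown devices for the weekly review in 1.2. It assumes the DHCP Server audit log CSV layout (DhcpSrvLog-*.log files under %windir%\System32\dhcp) and a hypothetical inventory export with a MacAddress column; all sample data is constructed.

```powershell
# Constructed inventory export; the MacAddress column name is an assumption.
$inventoryCsv = @'
AssetTag,MacAddress
LAB-0001,00-15-5D-01-2A-3B
PRN-0007,3c:52:82:aa:10:9f
'@

# Constructed lines in the DHCP Server audit log layout (assumed):
# ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,...
$auditLog = @'
10,03/04/24,08:01:12,Assign,10.20.1.15,LAB-0001.example.edu,00155D012A3B,
11,03/04/24,09:14:40,Renew,10.20.1.22,PRN-0007.example.edu,3C5282AA109F,
10,03/04/24,10:32:05,Assign,10.20.1.87,raspberrypi,B827EB4F1C20,
11,03/04/24,14:32:07,Renew,10.20.1.87,raspberrypi,B827EB4F1C20,
24,03/04/24,15:00:00,Database Cleanup Begin,,,,
'@

function ConvertTo-NormalizedMac([string]$Mac) {
    # Strip separators so 00-15-5D.., 00:15:5d.. and 00155D.. compare equal.
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Set of authorized MAC addresses from the inventory.
$known = [System.Collections.Generic.HashSet[string]]::new()
$inventoryCsv | ConvertFrom-Csv |
    ForEach-Object { [void]$known.Add((ConvertTo-NormalizedMac $_.MacAddress)) }

# Keep only lease events: ID 10 = new lease, ID 11 = lease renewed.
$columns = 'Id','Date','Time','Description','IpAddress','HostName','MacAddress','UserName'
$leases = $auditLog -split "`r?`n" |
    Where-Object { $_ -match '^\d+,' } |   # skip the header and legend lines of a real file
    ConvertFrom-Csv -Header $columns |
    Where-Object { ($_.Id -in ('10','11')) -and $_.MacAddress }

# One row per MAC address that obtained a lease but is not in the inventory.
$leases |
    Where-Object { -not $known.Contains((ConvertTo-NormalizedMac $_.MacAddress)) } |
    Group-Object { ConvertTo-NormalizedMac $_.MacAddress } |
    ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        $last  = $_.Group | Select-Object -Last 1
        [pscustomobject]@{
            MacAddress = $_.Name
            HostNames  = ($_.Group.HostName | Sort-Object -Unique) -join ';'
            LastIp     = $last.IpAddress
            FirstSeen  = '{0} {1}' -f $first.Date, $first.Time
            LastSeen   = '{0} {1}' -f $last.Date, $last.Time
            LeaseEvents = $_.Count
        }
    }
```

Each row returned is a candidate for the 1.2 decision (remove, deny remote connection, or quarantine) or for addition to the inventory if the device turns out to be authorized.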
If you have questions that are not covered in these procedures, please contact the VT IT Security Office at email@example.com for a consultation.