Updating Hosts Inventory in Isora GRC


Introduction

An accurate and up-to-date inventory of all IT assets ("technology resources" as defined by University Policy 7010) owned by VT Organizational Units (OUs) is the foundation for a successful Information Technology Risk Assessment (ITRA). The organizational ITRA relies on the OUs "hosts" inventory, which is documented on an inventory "sheet" in Isora GRC. Your OU may have as many "hosts" inventory sheets linked to your OU as you like, depending on how you prefer to organize your asset records. Inventory sheets can be created/deleted/updated at any time, and all valid users with any assigned role for an OU can edit inventory sheets for that OU.

Your OU's "hosts" inventory should include all VT-owned technology resources such as personal computer endpoints (desktop and laptop PCs) and servers (physical, virtual, and cloud instances), network infrastructure devices, smartphones, multi-function printers/scanners, as well as any Internet of Things (IoT) or special-purpose computing devices under the OUs responsibility which connects to a VT network, or handle/process/store university data. The hosts inventory should not include basic IP telephones, personally-owned computing devices, or assets owned and managed by another university organization. 

Your OU's "hosts" inventory should be maintained in Isora GRC according to the VT IT Risk assessment Standard. The standard outlines the OUs responsibility for inventory maintenance as follows:

            

Classification (Risk/Priority) GRC Inventory Maintenance

HIGH/CRITICAL

The OU's GRC inventory includes one or more High-Risk or Critical Priority assets

  		 High-Risk/Critical Priority asset inventory records must be documented immediately upon deployment and kept up-to-date by the asset owner whenever changes are made that impact the accuracy of the GRC asset inventory record(s).

MODERATE/ESSENTIAL

The OU's GRC inventory includes one or more Moderate-Risk or Essential-Priority assets and no Critical-Priority assets

  		 Moderate-Risk/Essential Priority asset inventory records must be documented and updated at least quarterly, as needed.

LOW/NON-ESSENTIAL

The OU's GRC inventory includes only Low-Risk and Non-Essential-Priority assets.

  		 Low-Risk/Non-Essential-Priority asset inventory records must be documented and updated at least annually, as needed.

Instructions

You can add assets to your sheet(s) using three methods: Manually via the CSV up load, GUI, or via the API.

To add assets to your sheet via CSV upload:

Video Tutorial: Hosts Inventory CSV Upload

  1.  Download the ITSO's host template file.
    1.  You will need to open in Excel to edit. Allow any macros of VB code to run for this spreadsheet, this logic changes some selected values to the appropriate system codes in Isora GRC.
    2. If your host inventory collection process is not suited for using the .xlsm version, you can download a blank .csv version of the hosts template here.
  2. Fill out the following columns for each asset, as applicable:
    1.  Name = Name of asset
    2.  Description = General description of the asset, if desired. For any "high-risk" assets, please describe in this field any peripheral devices connected that interface with data (USB printer/scanner, external storage devices, etc)
    3.  IPs = IP address of the machine, must be in proper format for IP v4/v6 (leave blank if DHCP)
    4. MACs = Hardware address of network interface(s)
    5. Inventory_tag = VT asset inventory tag number, if tagged
    6.  Serial = Manufacturer's serial number of the asset
    7.  System = Operating System (OS), platform, or other useful information
    8.  Classification = Risk level of the asset based on the VT Risk Classification Standard. Note: The risk classification can be set during upload and confirmed later; or you can choose to leave this attribute blank during upload and set the classification during the Risk Classification step.
    9. Categories (for high-risk assets ONLY) = High-risk data type(s) being stored/processed by the asset:
      • "Health", "Student", "Bank Account", "SSN", "Credit/Debit Card", "PII (Military ID, Passport, Driver's License)", "Research - Export Controlled/CUI", or "Critical to University", or IT service provided by resource.
      • "Email", "AAA (authentication, authorization, accounting)", "DNS", "DHCP"
    10. Priority = Asset criticality to the organization
      • "Critical" - Loss of the asset for even a short period of time could prevent the organization from achieving its mission and/or could pose a risk to health ad safety if compromised.
      • "Essential" - The organization could work around the loss of the asset for several days or perhaps a week, but eventually the technology asset would have to be restored to a useable status.
      • "Non-essential" - The organization can operate with the asset for an extended (though perhaps finite) period, during which some units or individuals may be inconvenienced and/or need to identify alternatives.
    11.  System_type = Desktop, laptop, server, etc.
    12. Location fields (Optional): Site/Building/Floor/Room = If you choose to use these fields, then you must reference a complete entry from the valid locations prepopulated in Isora GRC. If you need to reference a location not in the system, it can be added by the ITSO.
    13.  User/Owner/IT Contact = These fields must reference valid Isora GRC user accounts, org codes, or use any properly formatted email address(VT Faculty/Staff emails ONLY; DO NOT enter student information into Isora GRC).
  3. Repeat until all assets are entered.
  4. Once complete, save the file as a CSV file(.csv format is required for upload to Isora GRC).
  5. Navigate to Isora GRC and authenticate through the VT Login service.
  6. Navigate to the Inventory module and choose the Hosts tab. if you do not yet have any host inventory sheets. click "New Sheet".
  7. Enter the OU code and enter a name for the inventory sheet. This name can be as descriptive as needed based on how you decide to organize your host sheet(s).
  8.  If you need to edit basic sheet settings or remove a sheet, these controls are on the righthand side. Once you're ready to add hosts to a sheet, click on the sheet's name to view/edit the sheet.

  9. In the upper righthand corner of the sheet, Click "Upload CSV".

  10.  Click "Choose File and then browse to the storage location where you saved your hosts inventory CSV file and select the file. Then, click "Upload".

  11.  If the upload is successful you will see your assets in the "Hosts" section. You can download a CSV file of your hosts at any time from your sheet using the "download csv" function.
  

 

To add assets Manually using the GUI:

  1. Navigate to Isora GRC and authenticate through the VT Login servive
  2. Navigate to the Inventory module and choose the Hosts tab. If you do not yet have any host inventory sheets, click "New Sheet".
  3. Enter the OU code and enter a name for the inventory sheet. This name can be as descriptive as needed based on how you decide to organize your host sheet(s).
  4. If you need to edit basic sheet settings or remove a sheet, these controls are on the righthand side. Once you're ready to add hosts to a sheet, click on the sheet's name to view/edit the sheet.

  5. To add individual hosts to your sheet, click "Add Host" on the righthand side.


  6. Fill out the applicable fields in the New Host form, and then click "Save: when you're finished adding the new host to your sheet. 
  7. To make changes to a single host, simply click on the host in your sheet, update any fields as needed, and click "Save".
  8. To make bulk changes to a group of hosts simultaneously, select each of the hosts you need to update, and then select the desired action from the Apply to selected hosts... drop-down menu. Modify the selected attribute(s) as needed, then click "Submit" to save your changes/updates.

    9.   

 

  

 

To manage your host inventory sheet(s) using the IsoraGRC-API:

  1. Your Isora GRC account must first be set to "enable token API access". This request can be make to the ITSO. Once enabled, you can retrieve your individual API token from your user profile within IsoraGRC by navigating to the "Settings" page.
  2. The SaltyCloud API documentation can be accessed here:
    https://saltycloud.atlassian.net/wiki/spaces/TES/pages/1275464403/API+Guide
  3. You may choose to develop your own method(s) of working with the API endpoints that suits your individual needs. The ITSO has also developed some basic capabilities for partially automating inventory retrieval from other systems and uploading these records to IsoraGRC.
  4. Please reference the following documentation to learn more about these capabilities:

    BigFix “light-touch” inventory upload guide

     

    Jamf “light-touch” inventory upload guide

      
    5.