Issue/Question
What is the USD security policy on the inventory of enterprise assets?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Inventory and Control of Enterprise Assets
Policy Statement: The University acknowledges the critical importance of maintaining an accurate inventory of enterprise assets and ensuring effective controls over these assets to protect against cybersecurity threats. This policy establishes guidelines for inventorying and controlling enterprise assets to enhance the University's security posture.
Policy Implementation:
- Asset Inventory:
  - The University will maintain an up-to-date inventory of all enterprise assets, including hardware devices, software applications, network components, and data repositories.
  - The asset inventory will include details such as asset name, type, location, owner, and criticality to the University's operations.
  - Both active and passive discovery tools will be used to identify assets.
  - IPAM will be used to inventory devices based on DHCP information.
- Asset Classification:
  - Enterprise assets will be classified based on their sensitivity, criticality, and value to the University, following a standardized classification scheme.
  - Classification levels may include categories such as public, internal, confidential, and restricted, with corresponding access controls and protection measures.
  - Assets that are surplused or unauthorized will trigger an alert and be blocked from the network.
- Asset Ownership:
  - Ownership of enterprise assets will be clearly defined and assigned to accountable individuals or departments responsible for their management and security.
  - Asset owners will be responsible for maintaining accurate records, implementing appropriate security controls, and ensuring compliance with University policies and standards.
- Access Controls:
  - Access controls will be implemented to restrict access to enterprise assets based on the principle of least privilege, ensuring that users have only the access necessary to perform their job functions.
  - Access to sensitive or critical assets will be granted based on formal authorization processes and reviewed periodically to ensure appropriateness.
- Change Management:
  - Changes to enterprise assets, including additions, modifications, and deletions, will be managed through a formal change management process.
  - Change requests will undergo review and approval by designated change management authorities to assess potential impacts on security and ensure compliance with policies and procedures.
Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in asset inventory and control activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of inventory and control practices.
This policy provides a framework for implementing CIS Control 1 within a university environment, focusing on inventorying and controlling enterprise assets to mitigate security risks and protect University resources.
Please contact the Service Desk if you need further assistance.