{"id":260,"date":"2023-05-22T09:32:54","date_gmt":"2023-05-22T09:32:54","guid":{"rendered":"https:\/\/codesupply.co\/nunc-libero-etiam-enim\/"},"modified":"2023-06-06T18:58:37","modified_gmt":"2023-06-06T18:58:37","slug":"cis-control-1-inventory-and-control-of-enterprise-assets-critical-security-controls-version-8","status":"publish","type":"post","link":"https:\/\/nootherjake.com\/blog\/cis-control-1-inventory-and-control-of-enterprise-assets-critical-security-controls-version-8\/","title":{"rendered":"CIS Control 1: Inventory and Control of Enterprise Assets"},"content":{"rendered":"\r\n<p>The Center for Internet Security (CIS) released Version 8 of its CIS Controls document in May 2021. 
This document, consisting of 18 information security controls, is essential for organizations and security professionals to protect their data, networks, and systems.<\/p>\r\n<div style=\"width: 1200px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-260-1\" width=\"1200\" height=\"675\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/cybersecurity-iso-27001-nist-csf-pci-dss-grc-information-security-isms-compliance-governance-risk-infosec.mp4?_=1\" \/><a href=\"https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/cybersecurity-iso-27001-nist-csf-pci-dss-grc-information-security-isms-compliance-governance-risk-infosec.mp4\">https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/cybersecurity-iso-27001-nist-csf-pci-dss-grc-information-security-isms-compliance-governance-risk-infosec.mp4<\/a><\/video><\/div>\r\n<p>A couple of clients I work with at the moment lack mature information security programs and struggle to navigate the overwhelming resources available. To address this, I recommend starting with the CIS Controls, which are concise and comprehensive. The document provides an executive-friendly overview and specific control details for IT and security teams to implement effectively.<\/p>\r\n<p>In this article let&#8217;s focus on Control 01 &#8211; Inventory and Control of Enterprise Assets. This control emphasizes actively managing and tracking all enterprise assets, including end-user devices, network devices, IoT devices, and servers. By accurately knowing and monitoring these assets, organizations can identify unauthorized or unmanaged ones and take appropriate action.<\/p>\r\n<p>Maintaining an inventory of enterprise assets is crucial because organizations can only defend what they know. However, during my client engagements, I often discover inaccurate or incomplete inventories. 
This leaves their systems and organization vulnerable to potential attacks.<\/p>\r\n<p>Recently, I conducted a gap assessment for a client lacking a mature security program. Despite prioritizing advanced security tools, they neglected to maintain a definitive system inventory. As a result, outdated and unpatched servers were discovered, posing significant risks. This lack of control coordination and oversight can have serious consequences.<\/p>\r\n<p>To address this, organizations must implement policies and procedures to maintain an accurate inventory of all assets, including on-premises, cloud-based, and remote systems. Regular reviews and updates should be conducted, utilizing automated tools alongside manual verification. Comparing inventories with network vulnerability scans helps identify potential gaps and assign ownership for continuous updates.<\/p>\r\n<p>With an accurate inventory, organizations can effectively protect their systems. This includes ensuring the latest security patches, antivirus software, and intrusion detection systems are in place. Periodic checks of security tools on all systems are necessary for ongoing security assurance. 
By taking these steps, organizations can enhance their security posture and safeguard company and customer data.<\/p>\r\n<p>For further information, feel free to connect with me on LinkedIn: <a href=\"https:\/\/www.linkedin.com\/in\/jakeadebayo\/\">https:\/\/www.linkedin.com\/in\/jakeadebayo\/<\/a> or via <a href=\"https:\/\/estreetsecurity.com\">https:\/\/estreetsecurity.com<\/a> to book an information security specialist today.<\/p>\r\n\r\n\r\n\r\n<p><!--more--><\/p>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\r\n<p>Objective: To establish and maintain a detailed enterprise asset inventory in an on-premises organization, you can consider using a combination of the following tools:<\/p>\r\n<cite>Project CISv8 Control 1.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<ol>\r\n<li>\r\n<h3 id=\"network-discovery-and-inventory-tools\">Network Discovery and Inventory Tools:<\/h3>\r\n<ul>\r\n<li><strong>Nmap:<\/strong> Nmap is a powerful network scanning tool that can discover and map networked devices, identify open ports, and gather information about the systems on the network.<\/li>\r\n<li><strong>Open-AudIT:<\/strong> Open-AudIT is an open-source network auditing and inventory tool. 
It scans the network to discover devices, collects hardware and software information, and maintains an up-to-date inventory database.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li>\r\n<h3 id=\"configuration-management-tools\">Configuration Management Tools:<\/h3>\r\n<ul>\r\n<li><strong>Ansible:<\/strong> Ansible is an open-source configuration management tool that can help with inventory management. It automates the process of collecting configuration data from systems, tracks changes, and maintains an inventory of configuration details.<\/li>\r\n<li><strong>Puppet:<\/strong> Puppet is another popular configuration management tool that can assist in maintaining an inventory of on-premises systems. It can gather information about devices, manage configurations, and provide insights into the state of the infrastructure.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li>\r\n<h3 id=\"asset-management-systems\">Asset Management Systems:<\/h3>\r\n<ul>\r\n<li><strong>Snipe-IT:<\/strong> Snipe-IT is an open-source asset management system that allows you to track and manage physical assets within your organization. It provides features like asset tracking, warranty management, and customizable inventory fields.<\/li>\r\n<li><strong>GLPI:<\/strong> GLPI is an open-source IT service management and asset tracking system. It helps organizations manage inventory, track hardware and software assets, and maintain a centralized repository of asset-related information.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li>\r\n<h3 id=\"security-information-and-event-management-siem-tools\">Security Information and Event Management (SIEM) Tools:<\/h3>\r\n<ul>\r\n<li><strong>Elastic Stack (formerly ELK Stack):<\/strong> The Elastic Stack, comprising Elasticsearch, Logstash, and Kibana, can be utilized to collect, analyze, and visualize log data from various systems and devices. 
It can aid in identifying and monitoring assets within the organization.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ol>\r\n<p>These tools, used in conjunction, can help establish and maintain a detailed enterprise asset inventory in an on-premises organization. They assist in discovering devices, collecting configuration information, tracking changes, and providing visibility into the hardware and software assets across the infrastructure.<\/p>\r\n<h3 id=\"project-objective\"><strong>Project Objective<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The project objective is to implement CIS Control 1 (Control 01: Inventory and Control of Enterprise Assets) in order to improve the organization&#8217;s asset management capabilities. This will be accomplished by ensuring that your organization:<\/span><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Has established and maintains a detailed enterprise asset inventory.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Has implemented and complies with policies that address unauthorized assets.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Utilizes an active discovery tool.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Uses Dynamic Host Configuration Protocol (DHCP) logging to update enterprise asset inventory.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Uses a passive asset discovery tool.<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-weight: 400;\">By implementing these safeguards, the organization will be able to improve its asset management capabilities and reduce its risk of data breaches and other security incidents.<\/span><\/p>\r\n<h3 id=\"scope-of-work\"><strong>Scope of Work<\/strong><\/h3>\r\n<h4 id=\"timeline\"><span style=\"font-weight: 
400;\">Timeline<\/span><\/h4>\r\n<p><span style=\"font-weight: 400;\">The project will be completed in two weeks. The following is a detailed timeline of the project:<\/span><\/p>\r\n<h5 id=\"week-1\"><strong>Week 1<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 1: Kickoff meetings with stakeholders<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 2: Review existing asset inventory (if any)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 3: Install and configure GLPI\u00a0<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 4: Collect asset information using active and passive discovery tools<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 5: Import asset information into GLPI<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 6: Review and update asset inventory<\/span><\/li>\r\n<\/ul>\r\n<h5 id=\"week-2\"><strong>Week 2<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 7: Address unauthorized assets<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 8: Configure DHCP logging<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 9: Test asset inventory<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 10: Finalize asset inventory<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 11: Train stakeholders on asset inventory<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 12: Prepare final 
report<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Day 13: Present final report to stakeholders<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"cis-control-1-safeguards-coverage\"><strong>CIS Control 1 Safeguards Coverage<\/strong><\/h3>\r\n<h5 id=\"safeguard-1-establish-and-maintain-detailed-enterprise-asset-inventory\"><strong>Safeguard 1: Establish and Maintain Detailed Enterprise Asset Inventory<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 3: Install and configure GLPI (Done)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 4: Collect asset information using active and passive discovery tools.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 5: Import asset information into GLPI.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 6: Review and update asset inventory.<\/span><\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-2-address-unauthorized-assets\"><strong>Safeguard 2: Address Unauthorized Assets<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 2, Day 7: Identify unauthorized assets.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 2, Day 8: Remove unauthorized assets from the network.<\/span><\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-3-utilize-an-active-discovery-tool\"><strong>Safeguard 3: Utilize an Active Discovery Tool<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 4: Use active discovery tools to collect asset information.<\/span><\/li>\r\n<\/ul>\r\n<h5 
id=\"safeguard-4-use-dynamic-host-configuration-protocol-dhcp-logging-to-update-enterprise-asset-inventory\"><strong>Safeguard 4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 2, Day 8: Configure DHCP logging.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 2, Day 9: Use DHCP logs to update asset inventory.<\/span><\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-5-use-a-passive-asset-discovery-tool\"><strong>Safeguard 5: Use a Passive Asset Discovery Tool<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Week 1, Day 4: Use passive asset discovery tools to collect asset information.<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"resources\"><strong>Resources<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The following resources will be needed to complete the project:<\/span><\/p>\r\n<h5 id=\"safeguard-1-establish-and-maintain-detailed-enterprise-asset-inventory-2\"><strong>Safeguard 1: Establish and Maintain Detailed Enterprise Asset Inventory<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Asset inventory software &#8211; GLPI is an open-source IT asset management software that can be used to implement the CIS control 1 (Control 01: Inventory and Control of Enterprise Assets). GLPI can be used to collect information about all of an organization&#8217;s assets, including their hardware, software, and network devices. GLPI can also be used to track the ownership of assets, their licenses, and their configurations. 
GLPI is a powerful tool that can help organizations to improve their asset management and security.<\/span><\/li>\r\n<\/ul>\r\n<p><strong><i>Here are some of the features of GLPI that make it the most appropriate Asset Inventory software for your organization:<\/i><\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Asset Ownership: GLPI can be used to track the ownership of assets. This information can be used to ensure that assets are properly managed and that they are not being used by unauthorized users.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Asset Licenses: GLPI can be used to track the licenses for all of an organization&#8217;s software. This information can be used to ensure that software is properly licensed and that organizations are not in violation of any licensing agreements.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Asset Configuration: GLPI can be used to track the configuration of all of an organization&#8217;s assets. 
This information can be used to ensure that assets are properly configured and that they are not vulnerable to security threats.<\/span><\/li>\r\n<\/ul>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Alternatives (Commercial Tools)<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Microsoft System Center Configuration Manager (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">IBM Tivoli Asset Management (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Oracle Enterprise Asset Management (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">SAP Asset Intelligence (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">ServiceNow IT Asset Management (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Alternatives (Open Source Tools)<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Nagios (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Zenoss (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">OpenNMS (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Cacti (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Munin (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 
400;\">GLPI (open source, compatible with itself)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-2-address-unauthorized-assets-2\"><strong>Safeguard 2: Address Unauthorized Assets<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Commercial Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symantec Network Access Control (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Cisco Identity Services Engine (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Juniper Networks Secure Access Control (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Palo Alto Networks WildFire (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Check Point SandBlast (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open Source Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Snort (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Suricata (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">IDSWall (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Bro (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">nProbe (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<h5 
id=\"safeguard-3-utilize-an-active-discovery-tool-2\"><strong>Safeguard 3: Utilize an Active Discovery Tool<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Commercial Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Nessus (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">QualysGuard (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Rapid7 InsightVM (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Tenable Nessus (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open Source Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">OpenVAS (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Nmap (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Zenmap (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Masscan (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">ZMap (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-4-use-dynamic-host-configuration-protocol-dhcp-logging-to-update-enterprise-asset-inventory-2\"><strong>Safeguard 4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Commercial 
Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Microsoft DHCP Server (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">ISC dhcpd (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Dnsmasq (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">DHCPd3 (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">DHCP Server (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open Source Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">isc-dhcp-server (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Dnsmasq (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">DHCPd3 (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">DHCP Server (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<h5 id=\"safeguard-5-use-a-passive-asset-discovery-tool-2\"><strong>Safeguard 5: Use a Passive Asset Discovery Tool<\/strong><\/h5>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Commercial Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Lansweeper (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">ManageEngine OpManager (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" 
aria-level=\"2\"><span style=\"font-weight: 400;\">SolarWinds Network Inventory Advisor (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Auvik Network Discovery (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">InterMapper (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open Source Tools<\/span>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Sniffers (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Packet captures (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Netflow (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">IPFIX (compatible with GLPI)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">SPAN (compatible with GLPI)<\/span><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<h3 id=\"risks\"><strong>Risks<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The following risks have been identified for this project:<\/span><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The project may not be completed on time or within budget.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The asset inventory may not be accurate or complete.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Unauthorized assets may not be identified or addressed.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The active discovery tool may not be 
effective in identifying all assets.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The DHCP logging software may not be effective in updating the asset inventory.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The passive asset discovery tool may not be effective in identifying all assets.<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"mitigation-strategies\"><strong>Mitigation Strategies<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The following mitigation strategies have been developed to address the risks identified for this project:<\/span><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The project will be closely managed to ensure that it is completed on time and without exceeding the budget already allocated.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The asset inventory will be regularly reviewed and updated to ensure that it is accurate and complete.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A process will be developed to address unauthorized assets.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The active discovery tool will be tested to ensure that it is effective in identifying all assets.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The DHCP logging software will be configured to update the asset inventory on a regular basis.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The passive asset discovery tool will be tested to ensure that it is effective in identifying all assets.<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"compliance-documentation\"><strong>Compliance Documentation<\/strong><\/h3>\r\n<p>For an IG3 implementation of CIS 
Control 1, the following policy documents are required:<\/p>\r\n<ul>\r\n<li><strong>Asset Inventory Policy:<\/strong>\u00a0This policy defines the requirements for inventorying all assets within the organization, including hardware, software, and data.<\/li>\r\n<li><strong>Asset Classification Policy:<\/strong>\u00a0This policy defines the criteria for classifying assets based on their value and sensitivity.<\/li>\r\n<li><strong>Vulnerability Management Policy:<\/strong>\u00a0This policy defines the requirements for identifying, assessing, and remediating vulnerabilities in assets.<\/li>\r\n<li><strong>Incident Response Policy:<\/strong>\u00a0This policy defines the procedures for responding to security incidents, including detecting, investigating, and containing incidents.<\/li>\r\n<\/ul>\r\n<p>These policy documents should be developed in accordance with the organization&#8217;s overall security policy framework. They should be reviewed and updated on a regular basis to ensure that they reflect the current state of the organization&#8217;s assets and security risks.<\/p>\r\n<p>In addition to these policy documents, an IG3 implementation of CIS Control 1 may also require the following technical controls:<\/p>\r\n<ul>\r\n<li>Asset discovery and inventory tools<\/li>\r\n<li>Asset classification tools<\/li>\r\n<li>Vulnerability management tools<\/li>\r\n<li>Incident response tools<\/li>\r\n<\/ul>\r\n<p>These technical controls can help to automate and streamline the implementation of the policy requirements. 
They can also help to improve the accuracy and completeness of the asset inventory, vulnerability assessment, and incident response processes.<\/p>\r\n<p>Here are some additional details about each of the policy documents:<\/p>\r\n<ul>\r\n<li><strong>Asset Inventory Policy:<\/strong>\u00a0This policy should define the following:\r\n<ul>\r\n<li>The types of assets that should be inventoried<\/li>\r\n<li>The frequency of asset inventories<\/li>\r\n<li>The methods for asset inventory<\/li>\r\n<li>The format of asset inventory reports<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><strong>Asset Classification Policy:<\/strong>\u00a0This policy should define the following:\r\n<ul>\r\n<li>The criteria for classifying assets<\/li>\r\n<li>The impact of asset classification on asset management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><strong>Vulnerability Management Policy:<\/strong>\u00a0This policy should define the following:\r\n<ul>\r\n<li>The processes for identifying vulnerabilities<\/li>\r\n<li>The processes for assessing vulnerabilities<\/li>\r\n<li>The processes for remediating vulnerabilities<\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><strong>Incident Response Policy:<\/strong>\u00a0This policy should define the following:\r\n<ul>\r\n<li>The procedures for detecting incidents<\/li>\r\n<li>The procedures for investigating incidents<\/li>\r\n<li>The procedures for containing incidents<\/li>\r\n<li>The procedures for recovering from incidents<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<p>By implementing these policies and controls, organizations can improve their ability to identify, assess, and mitigate risks to their assets. 
This can help to protect organizations from unauthorized access, use, disclosure, disruption, modification, or destruction of their assets.<\/p>\r\n<p><strong>Here is a table that maps the policies mentioned above to the ISO\/IEC 27001:2022 Annex A controls. ISO\/IEC 27002:2022 uses the same control numbers and supplies the implementation guidance for each:<\/strong><\/p>\r\n<div class=\"horizontal-scroll-wrapper\">\r\n<table>\r\n<tbody>\r\n<tr>\r\n<th>Policy<\/th>\r\n<th>Relevant ISO\/IEC 27001:2022 Annex A controls<\/th>\r\n<\/tr>\r\n<tr>\r\n<td>Asset Inventory Policy<\/td>\r\n<td>A.5.9 Inventory of information and other associated assets<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Asset Classification Policy<\/td>\r\n<td>A.5.12 Classification of information, A.5.13 Labelling of information<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Asset Management Policy<\/td>\r\n<td>A.5.9 Inventory of information and other associated assets, A.5.10 Acceptable use of information and other associated assets, A.5.11 Return of assets, A.5.12 Classification of information, A.5.13 Labelling of information<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Vulnerability Management Policy<\/td>\r\n<td>A.8.8 Management of technical vulnerabilities<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Incident Response Policy<\/td>\r\n<td>A.5.24 Information security incident management planning and preparation, A.5.25 Assessment and decision on information security events, A.5.26 Response to information security incidents, A.5.27 Learning from information security incidents, A.5.28 Collection of evidence, A.6.8 Information security event reporting<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n<p>If your ISMS is still documented against ISO\/IEC 27001:2013, the same controls carry the old Annex A numbers: A.8.1.1 Inventory of assets, A.8.1.3 Acceptable use of assets, A.8.2.1 Classification of information, A.8.2.2 Labelling of information, A.12.6.1 Management of technical vulnerabilities, and A.16.1 Management of information security incidents and improvements. Pick one edition and reference it consistently across the whole policy set.<\/p>\r\n<p>These are just some of the Annex A controls that are relevant to the policies mentioned above. Others may apply, depending on the scope of your ISMS and the outcome of your risk assessment.<\/p>\r\n<p>It is important to be precise about what each document is. ISO\/IEC 27001 is a requirements standard: an organization seeking certification must satisfy clauses 4 to 10, and any Annex A control it chooses not to implement must be justified in its Statement of Applicability. ISO\/IEC 27002 is guidance only; it describes how to implement each control and imposes no requirements of its own. Within that frame, organizations select the controls that their risk assessment shows are appropriate for their needs.<\/p>\r\n<p>If you are unsure of which controls you need to implement, you may want to consult with a security professional. 
They can help you assess your organization&#8217;s risk and recommend the appropriate controls.<\/p>\r\n<h3 id=\"here-is-a-table-that-maps-the-cis-controls-to-iso-27001-pci-dss-nist-and-soc-2\"><strong>Here is a table that maps the CIS Controls to ISO 27001, PCI DSS, NIST, and SOC 2:<\/strong><\/h3>\r\n<p>The left-hand column lists the 18 controls of CIS Controls v8 under their official names. The other columns give the primary ISO\/IEC 27001:2022 Annex A controls, PCI DSS v4.0 requirements, NIST Cybersecurity Framework 1.1 functions (with the closest subcategory) and SOC 2 Trust Services Criteria. CIS publishes full safeguard-level mapping workbooks for each of these frameworks; use those, not a summary table, for a formal gap assessment.<\/p>\r\n<div class=\"horizontal-scroll-wrapper\">\r\n<table>\r\n<tbody>\r\n<tr>\r\n<th>CIS Control v8<\/th>\r\n<th>ISO\/IEC 27001:2022 Annex A<\/th>\r\n<th>PCI DSS v4.0<\/th>\r\n<th>NIST CSF 1.1<\/th>\r\n<th>SOC 2 TSC<\/th>\r\n<\/tr>\r\n<tr>\r\n<td>1.\u00a0<strong>Inventory and Control of Enterprise Assets<\/strong><\/td>\r\n<td>A.5.9<\/td>\r\n<td>12.5.1<\/td>\r\n<td>Identify (ID.AM-1)<\/td>\r\n<td>CC6.1<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>2.\u00a0<strong>Inventory and Control of Software Assets<\/strong><\/td>\r\n<td>A.5.9, A.8.19<\/td>\r\n<td>6.3.2, 12.5.1<\/td>\r\n<td>Identify (ID.AM-2)<\/td>\r\n<td>CC6.1, CC6.8<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>3.\u00a0<strong>Data Protection<\/strong><\/td>\r\n<td>A.5.12, A.5.13, A.8.10, A.8.12, A.8.24<\/td>\r\n<td>3, 4, 9.4<\/td>\r\n<td>Protect (PR.DS)<\/td>\r\n<td>CC6.1, CC6.5, CC6.7<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>4.\u00a0<strong>Secure Configuration of Enterprise Assets and Software<\/strong><\/td>\r\n<td>A.8.9<\/td>\r\n<td>2<\/td>\r\n<td>Protect (PR.IP-1)<\/td>\r\n<td>CC7.1, CC8.1<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>5.\u00a0<strong>Account Management<\/strong><\/td>\r\n<td>A.5.16, A.5.17, A.5.18<\/td>\r\n<td>8<\/td>\r\n<td>Protect (PR.AC-1)<\/td>\r\n<td>CC6.2, CC6.3<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>6.\u00a0<strong>Access Control Management<\/strong><\/td>\r\n<td>A.5.15, A.8.2, A.8.3, A.8.5<\/td>\r\n<td>7, 8<\/td>\r\n<td>Protect (PR.AC)<\/td>\r\n<td>CC6.1, CC6.3<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>7.\u00a0<strong>Continuous Vulnerability Management<\/strong><\/td>\r\n<td>A.8.8<\/td>\r\n<td>6.3, 11.3<\/td>\r\n<td>Identify (ID.RA-1), Protect (PR.IP-12)<\/td>\r\n<td>CC7.1<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>8.\u00a0<strong>Audit Log Management<\/strong><\/td>\r\n<td>A.8.15, A.8.17<\/td>\r\n<td>10<\/td>\r\n<td>Protect (PR.PT-1), Detect (DE.AE)<\/td>\r\n<td>CC7.2<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>9.\u00a0<strong>Email and Web Browser Protections<\/strong><\/td>\r\n<td>A.5.14, A.8.23<\/td>\r\n<td>5.4<\/td>\r\n<td>Protect (PR.PT)<\/td>\r\n<td>CC6.8<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>10.\u00a0<strong>Malware Defenses<\/strong><\/td>\r\n<td>A.8.7<\/td>\r\n<td>5<\/td>\r\n<td>Detect (DE.CM-4)<\/td>\r\n<td>CC6.8<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>11.\u00a0<strong>Data Recovery<\/strong><\/td>\r\n<td>A.8.13, A.8.14<\/td>\r\n<td>no direct requirement<\/td>\r\n<td>Recover (RC.RP-1)<\/td>\r\n<td>A1.2, A1.3<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>12.\u00a0<strong>Network Infrastructure Management<\/strong><\/td>\r\n<td>A.8.20, A.8.21, A.8.22<\/td>\r\n<td>1<\/td>\r\n<td>Protect (PR.AC-5)<\/td>\r\n<td>CC6.6<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>13.\u00a0<strong>Network Monitoring and Defense<\/strong><\/td>\r\n<td>A.8.16<\/td>\r\n<td>10, 11.5<\/td>\r\n<td>Detect (DE.CM-1)<\/td>\r\n<td>CC7.2<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>14.\u00a0<strong>Security Awareness and Skills Training<\/strong><\/td>\r\n<td>A.6.3<\/td>\r\n<td>12.6<\/td>\r\n<td>Protect (PR.AT-1)<\/td>\r\n<td>CC1.4, CC2.2<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>15.\u00a0<strong>Service Provider Management<\/strong><\/td>\r\n<td>A.5.19, A.5.20, A.5.21, A.5.22<\/td>\r\n<td>12.8<\/td>\r\n<td>Identify (ID.SC)<\/td>\r\n<td>CC9.2<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>16.\u00a0<strong>Application Software Security<\/strong><\/td>\r\n<td>A.8.25 to A.8.29<\/td>\r\n<td>6<\/td>\r\n<td>Protect (PR.IP)<\/td>\r\n<td>CC8.1<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>17.\u00a0<strong>Incident Response Management<\/strong><\/td>\r\n<td>A.5.24 to A.5.28, A.6.8<\/td>\r\n<td>12.10<\/td>\r\n<td>Respond (RS), Recover (RC)<\/td>\r\n<td>CC7.3, CC7.4, CC7.5<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>18.\u00a0<strong>Penetration Testing<\/strong><\/td>\r\n<td>A.8.8, A.8.29<\/td>\r\n<td>11.4<\/td>\r\n<td>Identify (ID.RA-1)<\/td>\r\n<td>CC4.1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n<p><em>&#8220;Disclaimer: This table is not exhaustive, and there may be other mappings that are not listed here. It is important to consult with a security professional to ensure that your organization is in compliance with all applicable standards and regulations.&#8221;<\/em><\/p>\r\n<p><span style=\"font-weight: 400;\">I have also listed here the ISO\/IEC 27001:2022 Annex A controls and the other standards that are relevant to each of the five CIS Control 1 safeguards:<\/span><\/p>\r\n<figure id=\"attachment_4437\" aria-describedby=\"caption-attachment-4437\" style=\"width: 1861px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4437\" src=\"https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1.png\" alt=\"CIS Controls 1 mapping to ISO 27001, NIST, PCI DSS, GRC, compliance, cybersecurity, and information security\" width=\"1861\" height=\"901\" srcset=\"https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1.png 1861w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-300x145.png 300w, 
https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-1024x496.png 1024w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-768x372.png 768w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-1536x744.png 1536w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-380x184.png 380w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-800x387.png 800w, https:\/\/nootherjake.com\/blog\/wp-content\/uploads\/2023\/05\/CIS-Controls-1-mapping-to-ISO-27001-NIST-PCI-DSS-GRC-compliance-cybersecurity-and-information-security-1-1160x562.png 1160w\" sizes=\"auto, (max-width: 1861px) 100vw, 1861px\" \/><figcaption id=\"caption-attachment-4437\" class=\"wp-caption-text\">CIS Controls 1 mapping to ISO 27001, NIST, PCI DSS, GRC, compliance, cybersecurity, and information security<\/figcaption><\/figure>\r\n<p><strong>Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory (IG1, IG2, IG3)<\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What CIS asks for: an accurate, detailed and up-to-date inventory of every enterprise asset that can store or process data, whether on premises, remote, virtual or in the cloud, recording network address (if static), hardware address, machine name, asset owner, department, and whether the asset is approved to connect to the network; reviewed at least twice a year.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ISO\/IEC 27001:2022 &#8211; Annex A.5.9 Inventory of information and other associated assets (implementation guidance in ISO\/IEC 27002:2022 control 5.9)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PCI DSS v4.0 &#8211; 12.5.1: an inventory of in-scope system components is maintained and kept current<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NIST CSF 1.1 &#8211; ID.AM-1 (physical devices and systems inventoried); NIST SP 800-53 Rev. 5 &#8211; CM-8 System Component Inventory, which is how FISMA systems satisfy this safeguard<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 &#8211; CC6.1<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">HIPAA Security Rule &#8211; 45 CFR 164.310(d)(2)(iii), accountability for hardware and media that hold ePHI<\/span><\/li>\r\n<\/ul>\r\n<p><strong>Safeguard 1.2: Address Unauthorized Assets (IG1, IG2, IG3)<\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What CIS asks for: a process that acts on unauthorized assets weekly; the enterprise may remove the asset from the network, deny it remote access, or quarantine it. In practice the inventory&#8217;s approval flag should drive a NAC or switch-port action, not a ticket that waits for someone to read it.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ISO\/IEC 27001:2022 &#8211; A.5.9, A.5.10 Acceptable use of information and other associated assets, A.8.20 Networks security<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PCI DSS v4.0 &#8211; 11.2 (unauthorized wireless access points are identified and addressed), 12.5.1<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NIST CSF 1.1 &#8211; DE.CM-7 (monitoring for unauthorized devices and connections); NIST SP 800-53 Rev. 5 &#8211; CM-8(3) Automated Unauthorized Component Detection<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 &#8211; CC6.1, CC6.6, CC7.1<\/span><\/li>\r\n<\/ul>\r\n<p><strong>Safeguard 1.3: Utilize an Active Discovery Tool (IG2, IG3)<\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What CIS asks for: an active discovery tool that identifies assets connected to the enterprise&#8217;s network, run daily or more frequently. Caveat: active probes can disturb fragile OT, medical and IoT devices; on those segments restrict the tool to ARP or ping sweeps and rely on Safeguard 1.5 instead.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ISO\/IEC 27001:2022 &#8211; A.5.9, A.8.16 Monitoring activities<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PCI DSS v4.0 &#8211; 12.5.2 (scope confirmed at least every 12 months, which a scan of the environment evidences), 11.2<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NIST CSF 1.1 &#8211; ID.AM-1, DE.CM-7; NIST SP 800-53 Rev. 5 &#8211; CM-8(2) Automated Maintenance<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 &#8211; CC6.1, CC7.1<\/span><\/li>\r\n<\/ul>\r\n<p><strong>Safeguard 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory (IG2, IG3)<\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What CIS asks for: DHCP logging on all DHCP servers or IP address management tools, with the logs reviewed and used to update the inventory weekly or more frequently. Caveat: DHCP only sees assets that ask for a lease; statically addressed devices never appear, so this source complements rather than replaces 1.3 and 1.5. Match records on hardware address, because leases move between IP addresses.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ISO\/IEC 27001:2022 &#8211; A.5.9, A.8.15 Logging<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PCI DSS v4.0 &#8211; 12.5.1<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NIST CSF 1.1 &#8211; ID.AM-1, PR.PT-1 (audit and log records determined, documented and reviewed); NIST SP 800-53 Rev. 5 &#8211; CM-8(2)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 &#8211; CC6.1, CC7.2<\/span><\/li>\r\n<\/ul>\r\n<p><strong>Safeguard 1.5: Use a Passive Asset Discovery Tool (IG3)<\/strong><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What CIS asks for: a passive discovery tool that identifies assets from the traffic they generate, with results reviewed and used to update the inventory at least weekly. Caveat: passive tools only see the segments they are tapped into (SPAN port or network TAP), so the placement of tap points has to be part of the inventory design.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ISO\/IEC 27001:2022 &#8211; A.5.9, A.8.16 Monitoring activities<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PCI DSS v4.0 &#8211; 12.5.2, 11.5 (intrusion-detection sensors at the perimeter and at critical points, which usually share the same taps)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NIST CSF 1.1 &#8211; DE.CM-1 (the network is monitored), DE.CM-7; NIST SP 800-53 Rev. 5 &#8211; CM-8(3)<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 &#8211; CC7.1, CC7.2<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-weight: 400;\">HIPAA, SOX and GDPR do not name asset discovery, so mapping individual safeguards to clause numbers of those laws is not meaningful. Taken together, the five safeguards support the HIPAA 164.310(d) device and media controls, the IT general controls that underpin SOX Section 404, and GDPR Article 32 (security of processing) by establishing which devices hold regulated data in the first place.<\/span><\/p>\r\n<p>&nbsp;<\/p>\r\n<h3 id=\"communication-plan\"><strong>Communication Plan<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The following communication plan has been developed to keep stakeholders informed of the progress of the project:<\/span><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Weekly status meetings will be held with stakeholders.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A monthly progress report will be sent to stakeholders.<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A final report will be presented to stakeholders at the end of the project.<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"approvals\"><strong>Approvals<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">The following approvals are required for this project:<\/span><\/p>\r\n<ul>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Project charter<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Project plan<\/span><\/li>\r\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Final report<\/span><\/li>\r\n<\/ul>\r\n<h3 id=\"conclusion\"><strong>Conclusion<\/strong><\/h3>\r\n<p><span style=\"font-weight: 400;\">This scope of work plan provides a detailed overview of the steps that will be taken to implement CIS Control 01 (Inventory and Control of Enterprise Assets) at your organization. 
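<\/span><\/p>\r\n<p>A worked example of the reconciliation that Safeguards 1.2, 1.3 and 1.4 describe, added here as an illustration and not code from the original article: it parses DHCPACK lines in ISC dhcpd syslog format and an nmap <code>-oX<\/code> result, merges the two views keyed by hardware address, and compares them with the inventory to list assets that are unknown, seen but not approved, or recorded but not seen. The inventory, the log lines and the scan XML are constructed sample data.<\/p>\r\n

```python
"""Reconcile the enterprise asset inventory (CIS Safeguard 1.1) against two
discovery sources: DHCP server logs (Safeguard 1.4) and an active nmap scan
(Safeguard 1.3).  Anything observed but not in the inventory is what
Safeguard 1.2 has to act on.  Inventory, log lines and scan XML below are
constructed sample data for this example."""
import re
import xml.etree.ElementTree as ET

# Constructed inventory keyed by hardware address, with the fields Safeguard 1.1
# asks for (owner, department, approval to connect); hostname stands in for "machine name".
INVENTORY = {
    "00:11:22:33:44:55": {"hostname": "fin-laptop-01", "owner": "a.smith", "dept": "Finance", "approved": True},
    "66:77:88:99:aa:bb": {"hostname": "hr-desktop-07", "owner": "b.jones", "dept": "HR", "approved": True},
    "c0:ff:ee:00:00:01": {"hostname": "lab-server-02", "owner": "c.lee", "dept": "R&D", "approved": True},
    "de:ad:be:ef:00:01": {"hostname": "old-printer", "owner": "facilities", "dept": "Ops", "approved": False},
}

# Constructed syslog lines in ISC dhcpd's DHCPACK format ("DHCPACK on <ip> to <mac> (<hostname>) via <if>").
DHCP_LOG = """\
May 22 09:31:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (fin-laptop-01) via eth0
May 22 09:31:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.21 to 66:77:88:99:AA:BB (hr-desktop-07) via eth0
May 22 09:32:41 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.99 to 02:42:ac:11:00:02 (rogue-pi) via eth0
May 22 09:33:05 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.30 to de:ad:be:ef:00:01 via eth0
May 22 09:40:17 dhcp1 dhcpd[1234]: DHCPDISCOVER from 02:42:ac:11:00:02 via eth0
"""

# Constructed fragment of nmap -oX output.  nmap only includes a "mac" address
# element for hosts on the scanner's own layer-2 segment.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 10.0.1.0/24">
<host><status state="up" reason="arp-response"/><address addr="10.0.1.20" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.1.50" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:FF" addrtype="mac" vendor="Espressif"/></host>
<host><status state="down" reason="no-response"/><address addr="10.0.1.51" addrtype="ipv4"/></host>
</nmaprun>
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
DHCPACK_RE = re.compile(rf"DHCPACK on (?P<ip>\d+(?:\.\d+){{3}}) to (?P<mac>{MAC})(?: \((?P<host>[^)]*)\))?")


def parse_dhcp_log(text):
    """Return {mac: record} for every DHCPACK; a later ACK for the same MAC wins,
    so the record reflects the current lease.  DISCOVER/OFFER lines are ignored."""
    seen = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "hostname": m["host"] or "", "sources": {"dhcp"}}
    return seen


def parse_nmap_xml(text):
    """Return {mac: record} for hosts nmap reports as up and for which it saw a MAC."""
    seen = {}
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "mac" in addrs:  # off-segment hosts carry no MAC and cannot be keyed this way
            seen[addrs["mac"].lower()] = {"ip": addrs.get("ipv4", ""), "hostname": "", "sources": {"nmap"}}
    return seen


def merge_observations(*sources):
    """Combine per-source views into one {mac: record}, unioning the source set
    and keeping the first non-empty IP and hostname seen."""
    merged = {}
    for src in sources:
        for mac, rec in src.items():
            cur = merged.setdefault(mac, {"ip": "", "hostname": "", "sources": set()})
            cur["ip"] = cur["ip"] or rec["ip"]
            cur["hostname"] = cur["hostname"] or rec["hostname"]
            cur["sources"] |= rec["sources"]
    return merged


def reconcile(inventory, observed):
    """Split observations into the three lists an asset owner has to act on."""
    unauthorized, unapproved = [], []
    for mac, rec in sorted(observed.items()):
        entry = inventory.get(mac)
        if entry is None:
            unauthorized.append((mac, rec["ip"], rec["hostname"], "+".join(sorted(rec["sources"]))))
        elif not entry["approved"]:
            unapproved.append((mac, rec["ip"], entry["hostname"]))
    stale = sorted(mac for mac in inventory if mac not in observed)
    return {"unauthorized": unauthorized, "unapproved": unapproved, "stale": stale}


if __name__ == "__main__":
    observed = merge_observations(parse_dhcp_log(DHCP_LOG), parse_nmap_xml(NMAP_XML))
    report = reconcile(INVENTORY, observed)
    for mac, ip, host, src in report["unauthorized"]:
        print(f"UNAUTHORIZED {mac} {ip} {host or '-'} seen via {src}")  # candidates for quarantine (1.2)
    for mac, ip, host in report["unapproved"]:
        print(f"NOT APPROVED {mac} {ip} {host}")  # inventoried, but approval to connect withdrawn
    for mac in report["stale"]:
        print(f"NOT SEEN     {mac} {INVENTORY[mac]['hostname']}")  # verify the record or retire it
```

<p>Keying on the hardware address rather than the IP is deliberate: DHCP leases move, while the MAC is what Safeguard 1.1 records. nmap only reports a MAC for hosts on the scanner&#8217;s own layer-2 segment, so hosts without one are skipped here and would have to be matched on IP and hostname instead; a passive discovery feed (Safeguard 1.5) can be added as a third source through the same merge function.<\/p>\r\n<p><span style=\"font-weight: 400;\">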
By following this plan, we can ensure that the organization has a comprehensive, current view of its assets, which is the precondition for every other CIS Control, and that unauthorized devices are found and dealt with before they can be used against its systems and data.<\/span><\/p>\r\n","protected":false},"excerpt":{"rendered":"A step-by-step guide for implementing Governance, Risk &#038; Compliance audits for compliance with ISO 27001, SOC2, NIST, HIPAA, PCI DSS, GDPR and 
more.\n","protected":false},"author":1,"featured_media":4421,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"video","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"csco_singular_sidebar":"left","csco_page_header_type":"standard","csco_page_load_nextpost":"default","csco_post_video_location":[],"csco_post_video_url":"","csco_post_video_bg_start_time":0,"csco_post_video_bg_end_time":0,"footnotes":""},"categories":[4],"tags":[153,127,88,125,86,98,155,97,144,107,131,92,152,115,61,116,160,162,161,159,77,51,68,124,85,64,158,121,136,122,82,99,83,69,137,100,133,94,149,112,53,59,60,52,58,118,117,79,78,56,55,150,113,154,67,63,142,143,105,106,70,71,73,72,57,135,96,54,141,138,104,101,65,126,166,87,130,91,50,157,163,165,148,111,139,102,128,89,140,103,62,167,123,84,164,151,132,114,93,48,49,120,119,145,81,80,108,66,129,90,134,95,147,110,156,146,109],"class_list":{"0":"post-260","1":"post","2":"type-post","3":"status-publish","4":"format-video","5":"has-post-thumbnail","7":"category-grc","8":"tag-critical-security-controls-version-8","9":"tag-access-control","10":"tag-accesscontrol","11":"tag-account-management","12":"tag-accountmanagement","13":"tag-anti-malware","14":"tag-antimalware","15":"tag-antivirus","16":"tag-application-security","17":"tag-applicationsecurity","18":"tag-audit-log-management","19":"tag-auditlogmanagement","20":"tag-business-continuity","21":"tag-businesscontinuity","22":"tag-center-for-internet-security-cis-controls","23":"tag-cis-controls","24":"tag-cis-controls-18","25":"tag-cis-controls-framework","26":"tag-cis-controls-list","27":"tag-cis-controls-v8","28":"tag-ciscontrols","29":"tag-cloud-security-various-standards-like-csa-star","30":"tag-common-criteria-for-information-technology-security-evaluation","31":"tag-configuration-management","32":"tag-configurationmanagement
","33":"tag-controlled-unclassified-information-cui-framework","34":"tag-cybersecurity","35":"tag-data-protection","36":"tag-data-recovery","37":"tag-data-security","38":"tag-dataprotection","39":"tag-datarecovery","40":"tag-datasecurity","41":"tag-defense-federal-acquisition-regulation-supplement-dfars-cybersecurity-requirements","42":"tag-disaster-recovery","43":"tag-disasterrecovery","44":"tag-email-protection","45":"tag-emailprotection","46":"tag-environmental-security","47":"tag-environmentalsecurity","48":"tag-etc","49":"tag-federal-information-security-management-act-fisma","50":"tag-federal-risk-and-authorization-management-program-fedramp","51":"tag-fedramp","52":"tag-general-data-protection-regulation-gdpr","53":"tag-hardware-control","54":"tag-hardware-inventory","55":"tag-hardwarecontrol","56":"tag-hardwareinventory","57":"tag-health-information-trust-alliance-hitrust-common-security-framework","58":"tag-health-insurance-portability-and-accountability-act-hipaa-security-rule","59":"tag-incident-response","60":"tag-incidentresponse","61":"tag-information-security-controls","62":"tag-international-electrotechnical-commission-iec-62443-industrial-automation-and-control-systems-security","63":"tag-international-traffic-in-arms-regulations-itar","64":"tag-intrusion-detection","65":"tag-intrusion-prevention","66":"tag-intrusiondetection","67":"tag-intrusionprevention","68":"tag-isms","69":"tag-isms-contosl","70":"tag-isms-security","71":"tag-isms-standards","72":"tag-iso-iec-270012013-information-security-management-system","73":"tag-malware-defense","74":"tag-malwaredefense","75":"tag-national-institute-of-standards-and-technology-nist-cybersecurity-framework","76":"tag-network-monitoring","77":"tag-network-security","78":"tag-networkmonitoring","79":"tag-networksecurity","80":"tag-north-american-electric-reliability-corporation-nerc-critical-infrastructure-protection-cip","81":"tag-password-management","82":"tag-password-security","83":"tag-passwordmanagemen
t","84":"tag-patch-management","85":"tag-patchmanagement","86":"tag-payment-card-industry-data-security-standard-pci-dss","87":"tag-penetration-testing","88":"tag-phishing","89":"tag-phishing-and-social-engineering","90":"tag-physical-security","91":"tag-physicalsecurity","92":"tag-port-security","93":"tag-portsecurity","94":"tag-privilege-management","95":"tag-privilegemanagement","96":"tag-protocol-security","97":"tag-protocolsecurity","98":"tag-sarbanes-oxley-act-sox","99":"tag-secure-computing-practices","100":"tag-secure-configuration","101":"tag-secureconfiguration","102":"tag-security-awareness-training","103":"tag-security-incident-management","104":"tag-security-logging","105":"tag-securityincidentmanagement","106":"tag-securitylogging","107":"tag-soc-1-audit","108":"tag-soc-2-audit","109":"tag-software-control","110":"tag-software-inventory","111":"tag-software-security","112":"tag-softwarecontrol","113":"tag-softwareinventory","114":"tag-softwaresecurity","115":"tag-system-and-organization-controls-soc-for-cybersecurity","116":"tag-vulnerability-management","117":"tag-vulnerabilitymanagement","118":"tag-web-browser-protection","119":"tag-webbrowserprotection","120":"tag-wi-fi-security","121":"tag-wi-fisecurity","122":"tag-wifi-security","123":"tag-wireless-security","124":"tag-wirelesssecurity","125":"post_format-post-format-video","126":"cs-entry","127":"cs-video-wrap"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/posts\/260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":35,"href":"https:\/\/nootherjake.com\/blog\/wp-json
\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":4457,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/posts\/260\/revisions\/4457"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/media\/4421"}],"wp:attachment":[{"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nootherjake.com\/blog\/wp-json\/wp\/v2\/tags?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}