Date Published: October 2015
Comments Due:
Email Questions to:
Author(s)
Michael Stone (NIST), Chinedum Irrechukwu (MITRE), Harry Perper (MITRE), Devin Wynne (MITRE)
Editor(s)
Leah Kauffman (NIST)
Announcement
NIST's NCCoE program is excited to announce the release of the latest NIST Cybersecurity Practice Guide, "IT Asset Management" for the Financial Services sector. The document is a draft, and NIST welcomes your comments and feedback (see links below for comment form page).
What's the guide about?
Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Additionally, many financial organizations include subsidiaries, branches, third-party partners, and contractors as well as temporary workers and guests; tracking and managing hardware and software across these groups adds another layer of complexity.
To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies, this example solution addresses questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"
The example solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.
While a physical asset management system can tell you the location of a computer, it cannot answer questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security. This NIST Cybersecurity Practice Guide provides a reference build of an ITAM solution. The build contains descriptions of the architecture, all products used in the build and their individual configurations. Additionally, this guide provides a mapping of each product to multiple relevant security standards. While the reference solution was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a financial service company’s existing tools and infrastructure.
While a physical asset management system can tell you the location of a computer, it cannot answer questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” An effective IT asset management (ITAM) solution can tie together physical and...
See full abstract
While a physical asset management system can tell you the location of a computer, it cannot answer questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security. This NIST Cybersecurity Practice Guide provides a reference build of an ITAM solution. The build contains descriptions of the architecture, all products used in the build and their individual configurations. Additionally, this guide provides a mapping of each product to multiple relevant security standards. While the reference solution was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a financial service company’s existing tools and infrastructure.
Hide full abstract
Keywords
financial sector; asset management; information technology asset management (ITAM); information technology ; ; physical security; cybersecurity; operational security; personnel security
Control Families
Access Control; Assessment, Authorization and Monitoring; Identification and Authentication; Incident Response; Risk Assessment
