30 Days of IT Compliance Q&A #10: What Should My Device Inventory Include?

Many compliance mandates require that you keep a device inventory.But those inventories are limited to a specific scope of devices. For example mandates such as PCI DSS (Payment Card Industry Data Security Standard) 3.0, require that you only inventory of devices applications that are involved in the processing or delivery of PCI information. Although this limited inventory would meet the compliance requirement, we recommend that keep a broader inventory to include all devices on your network.

Why? Recall the recent breachat Target. Hackers got into Target’s network from a computer that ran the HVAC system. The building’s HVAC system and was also run by an external third party organization.This particular computer was not involved in any processing, transmission or storage of PCI information and therefore did not need to be part of the PCI inventory, but it was the initial vector hackers entered Target’s network to steal PCI information.

So what you should your inventory include to really help you?

1. All Devices connected to your network (wired and wireless)
   1. Devices need to be grouped to make it easier to find information.
2. Your inventory should be able to distinguish between PCI systems and the rest of your network.
3. Asset information should be gathered.
   • Name
   • Serial Numbers
   • Location information
   • CPU
   • Disk (Total Size, Used and Free Space)
   • Memory (Total Size, Used and Free memory)
   • Owner / Administrator or Responsible Party for the device.
4. Installed and Running software
   • Devices (Network Devices, Appliances)
   • Server
   • Ability to diff the different installed software periods to see what was installed or removed from the server/device.
5. Operating System versions and Build numbers
6. Installed Operating System Patches
7. Application Information (Name, Build and Version)
8. Process and Service Information
9. Topology Maps
   • Layer-2 (physical connection map)
   • Layer-3 (routing/network map)
   • Flow map (what ports and protocols are seen between devices)
10. User Information
    • Contact Information (Full Name, Title, Address, Telephone number)
    • Group Member Ships (e.g. member of the Domain Admins group)
11. Port Inventory
    • Switch Information (what MAC/device/user is connected to what physical port and VLAN).
12. Network Configurations
    • Running and Startup configurations
    • Ability to diff configurations to quickly see what changed on the device.
13. Automate the discovery process so it is always up to date.

Remember that your inventory is a snapshot in time, so the longer between discoveries the less useful the information becomes and the more at risk your organization becomes. We recommend using a tool like AccelOps, which uses a configuration management database (CMDB) that can constantly monitors your environment for changes and vulnerabilities. Once a change or vulnerability is detected, you can be alerted to take the appropriate action.

The AccelOps CMDB allows for detailed device inventories, the solution also provides change and security monitoring, log management, and performance and availability monitoring in a single platform AccelOps comes with over 2,000 audit-ready rules and reports for PCI, HIPAA, SOX, COBIT, ISO, ITIL, GLBA,, GPG13, NERC, FERC..

Once your device inventory has been established it could answer questions like the following:

1. Where is Microsoft IIS running in my environment (desktops and servers)?
2. What servers have a particular patch?
3. What servers do not have a particular patch?
4. What users have access to the ERP system (what users are members of the ERP user Group)?
5. What devices are involved in PCI information (router, switches, firewalls, physical/virtual servers, applications)
6. What is my layer-2 topology map of my PCI systems?
7. What was added to my network yesterday?

Want to discuss how a CMDB can make your I.T. Operations and compliance easier? Contact AccelOps to learn more.