Many compliance mandates require that you keep a device inventory, but those inventories are limited to a specific scope of devices. For example, mandates such as PCI DSS (Payment Card Industry Data Security Standard) 3.0 require that you inventory only the devices and applications that are involved in the processing or delivery of PCI information. Although this limited inventory would meet the compliance requirement, we recommend that you keep a broader inventory that includes all devices on your network.
Why? Recall the recent breach at Target. Hackers got into Target’s network from a computer that ran the HVAC system. The building’s HVAC system was also run by an external third-party organization. This particular computer was not involved in any processing, transmission or storage of PCI information and therefore did not need to be part of the PCI inventory, but it was the initial vector hackers used to enter Target’s network and steal PCI information.
So what should your inventory include to really help you?
Remember that your inventory is a snapshot in time, so the longer the interval between discoveries, the less useful the information becomes and the more at risk your organization becomes. We recommend using a tool like AccelOps, which uses a configuration management database (CMDB) that can constantly monitor your environment for changes and vulnerabilities. Once a change or vulnerability is detected, you can be alerted to take the appropriate action.
The AccelOps CMDB allows for detailed device inventories. The solution also provides change and security monitoring, log management, and performance and availability monitoring in a single platform. AccelOps comes with over 2,000 audit-ready rules and reports for PCI, HIPAA, SOX, COBIT, ISO, ITIL, GLBA, GPG13, NERC, and FERC.
Once your device inventory has been established, it could answer questions like the following:
Want to discuss how a CMDB can make your I.T. Operations and compliance easier? Contact AccelOps to learn more.