By: Todd Busswitz, Manager at Schellman
Though all compliance frameworks require organizations to provide an inventory of in-scope systems for testing, oftentimes assessors will find these provided lists aren’t accurate. However, there are at least two big benefits to maintaining an accurate systems inventory—enhanced efficiency and better management.
Whether you’re being assessed against PCI DSS, SOC 2, ISO 27001, or FedRAMP, you’ll likely have the responsibility to create a repository of some kind listing what systems your assessors will need to test. Maintaining a current and accurate systems inventory can seem like such a small thing, but our years of experience performing audits of all kinds have taught us that it often slips through the cracks.
Such an issue can cause problems organizations don’t often anticipate, so in this article, we’ll explain two big incentives for supporting a detailed and accurate systems inventory, as well as some suggestions for how to best do that, because while this may seem like a relatively insignificant step in your compliance procedures, it can have more pay-off than you think.
What to Include in Your Systems Inventory
To maintain an adequate inventory for your various compliance requirements, you first have to create it, and a good inventory should include:
- Hostname
- Device type
- Operating system (OS)
- OS version
- IP address
- Function/role
The Challenges of Maintaining a Systems Inventory
There are a few reasons why keeping your systems inventory and all those details current and correct is difficult:
- Personnel Turnover: If your inventory manager leaves, new staff have to figure out the processes and points of contact to gather all of the systems that are in-scope for the assessment—and they may miss things while getting up to speed.
- Manual Management: Oftentimes, manually tracked inventories are missing device types that were present in the prior year’s assessment due to the responsible personnel forgetting the necessary updates. In other cases, the list may not get updated to include the current operating system versions of the devices or those versions that are at or past their end of support are often missed.
- Multiple Methods of System Tracking: If these multiple methods aren’t interconnected, the inventory can become disorganized.
2 Benefits of an Accurate and Updated Systems Inventory
1. More Efficiency in Your Compliance Assessments
A lack of an accurate inventory will often rear its ugly head during your compliance assessment(s)—in our experience, the process often begins with a person or group of people scrambling to gather a list of devices that are in scope, and it’s an uphill battle from there.
If there are errors in the list—or if there are several different lists—your assessor may have to continually resample due to these issues, adding work on both your and their side given the confusion and many resulting versions of the sample selection document that you’ll need to sort through.
However, an accurate inventory can significantly reduce that confusion and even increase efficiency during your assessment since your workload and confusion will be kept to a minimum if you have a clear understanding of the devices and evidence that are required from the start.
2. Better System Management Overall
Aside from enhanced efficiency, maintaining an accurate inventory will also allow you to manage your systems better in general. Think about it—your assets are constantly being patched or updated to address vulnerabilities or increase functionality/performance, and some eventually will pass to end-of-life (EOL) or end-of-support (EOS).
You need to be confident at all times whether your systems are up-to-date and functioning well/protecting your data, and an accurate inventory will enable that by making everything—the device types, operating system versions, device existence (present or missing)—easier to track, including answering questions like this:
- Does every system have the proper access controls in place?
- Do all devices have anti-malware/anti-virus installed (as required by the applicable framework)?
- Are file integrity monitoring (FIM) and intrusion detection/prevention (IDS/IPS) installed on all devices/systems that are required to have those tools?
- Are you paying for licenses on devices that have been decommissioned? Or worse, are you not paying for licenses on devices that we should have services?
Not only will you be better able to manage in real-time, but an accurate system inventory will also assist in budget planning since you’ll be able to more easily identify those future needs to replace those systems that are going to be EOL/EOS—something that can be very costly, as, without a good understanding of your future needs, you may struggle to find the necessary capital to make the changes. (And should you be forced to hold off for an extended period as a result, you also run the risk of non-compliance.)
How to Maintain an Accurate Systems Inventory
To help you reap these benefits, here’s how different organizations can sustain an accurate systems inventory.
Smaller Organizations
For a smaller environment, a manual approach should work fine, and one thing that can help in the keeping of an up-to-date list is to have at least a primary and secondary person assigned as responsible parties—these parties would then use the most efficient means for maintaining the current inventory that will work for your organization.
Larger Organizations
However, for a larger or more complex environment, an automated tool would be more appropriate, the benefits of which include:
- An always up-to-date inventory
- The ability to scan the network and identify systems that otherwise may be missed
- The ability to detect new systems that have been added to the environment
- Aid in exercises where system identification—including those with specific criteria—is necessary for rapid response (Incident Response, Forensics, breach scenarios, etc.)
To help you get started in finding one of these tools, Comparitech has a list of the best computer inventory management software for 2023, though there are plenty of tools that are available via your favorite search engine. Pick the tool that best meets your needs and budgetary limitations.
Other Considerations for More Efficient Compliance
When prioritizing the maintenance of your systems inventory, you’ll obviously select the process, manual or automated, that works best for your company, but just ensure that you do, as getting better control of the inventory is not just a part of your due diligence in providing a secure environment for your clients, but it’s also a requirement for many popular compliance frameworks.
You won’t regret the extra effort, as an accurate systems inventory will enhance your assessment efficiency as well as that of your overall systems management—all while maintaining your business viability moving forward.
About the Author
Todd Busswitz is a Manager with Schellman. Prior to joining Schellman in 2019, Todd worked as a QSA specializing in PCI engagements. As a Manager with Schellman, Todd is focused primarily on PCI assessments for organizations and across various industries.