| Control | Description | Status |
|---|---|---|
| Asset Governance | Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls. | |
| Asset-Service Dependencies | Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function. | |
| Stakeholder Identification & Involvement | Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets. | |
| Asset Inventories | Mechanisms exist to perform inventories of technology assets that: (1) Accurately reflects the current systems, applications and services in use; (2) Identifies authorized software products, including business justification details; (3) Is at the level of granularity deemed necessary for tracking and reporting; (4) Includes organization-defined information deemed necessary to achieve effective property accountability; and (5) Is available for review and audit by designated organizational personnel. | |
| Automated Unauthorized Component Detection | Automated mechanisms exist to detect, and alert upon the detection of, unauthorized hardware, software and firmware components. | |
| Component Duplication Avoidance | Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories. | |
| Network Access Control (NAC) | Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disabling network access for those unauthorized devices. | |
| Dynamic Host Configuration Protocol (DHCP) Server Logging | Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems. | |
| Software Licensing Restrictions | Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions. | |
| Data Action Mapping | Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed. | |
| Configuration Management Database (CMDB) | Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information. | |
| Automated Location Tracking | Mechanisms exist to track the geographic location of system components. | |
| Asset Ownership Assignment | Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection. | |
| Accountability Information | Mechanisms exist to capture the name, position and/or role of the individuals responsible/accountable for administering assets as part of the technology asset inventory process. | |
| Provenance | Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data. | |
| Network Diagrams & Data Flow Diagrams (DFDs) | Mechanisms exist to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows. | |
| Asset Scope Classification | Mechanisms exist to determine cybersecurity & data privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties). | |
| Control Applicability Boundary Graphical Representation | Mechanisms exist to ensure control applicability is appropriately determined for systems, applications, services and third parties by graphically representing the applicable boundaries. | |
| Security of Assets & Media | Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media. | |
| Unattended End-User Equipment | Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access. | |
| Kiosks & Point of Interaction (PoI) Devices | Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution. | |
| Physical Tampering Detection | Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC). | |
| Secure Disposal, Destruction or Re-Use of Equipment | Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components. | |
| Return of Assets | Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement. | |
| Removal of Assets | Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities. | |
| Use of Personal Devices | Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities. | |
| Logical Tampering Protection | Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle. | |
| Bring Your Own Device (BYOD) Usage | Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace. | |
| Roots of Trust Protection | Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a "roots of trust" basis for integrity verification. | |