1.2: Address Unauthorized Assets
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Devices |
Respond |
1, 2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Inputs
GV1: Detailed Enterprise Asset InventoryGV2: Unauthorized AssetsThe enterprise defined time frame for removing unauthorized assets (weekly or more often).
Assumptions
If the item is not reachable, it may be reasonable to assume it has been removed from the network and therefore dealt with.
Operations
If the optional disposition list is provided, the checks would be tailored to those dispositions. For the following, assume no disposition list is available:
At the time frame specified by Input 3, for each unauthorized asset in
GV2, check to see if the asset is present in the updated asset inventory fromGV1.- For those items in
GV2that are not inGV1, scan the network to determine if the item is still reachable on the network. Enumerate the items from
GV2that are unreachable (M4)Enumerate the items from
GV1that are unreachable (M5)
- For those items in
Measures
M1 =
GV1M2 = Count of
GV2M3 = Timeframe in days for Input 3
M4 = Count of items from
GV2that are unreachable after scanM5 = Count of items from
GV1that are unreachable after scan
Metrics
If M3 is greater than seven days, then this safeguard is measured at a 0 and receives a failing score. The other metrics don’t apply.
Coverage
Metric |
The ratio of unaccounted for, unauthorized assets, to the total assets in the asset
inventory.
|
Calculation |
If the value of M4 is 0, there are no unauthorized assets that remain unaccounted for.
In this case, the value of the metric is 1. Otherwise, the value is :code:`(M2 - M4) / M2 `
|