1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Devices | Identify | 2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Inputs
1. List of DHCP servers
2. GV41: List of CMDB servers
Assumptions
CMDB servers are configured to pull from DHCP logs
Operations
For each DHCP server, enumerate those where DHCP logging is enabled (M2)
For each CMDB server, enumerate those where DHCP logs are used to update IP addresses (M4)
Measures
M1 = Count of Input 1
M2 = Count of DHCP servers with logging enabled
M3 = Count of Input 2 (GV41)
M4 = Count of CMDB servers configured to use DHCP logs to update IP addresses
M5 = Count of devices in the DHCP server logs that are not included in the CMDB servers
M6 = Count of devices in the DHCP server logs that are included in the CMDB servers
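One way to compute M5 and M6, as an added example that is not part of the specification itself. It assumes ISC dhcpd syslog `DHCPACK` lines and a CMDB export reduced to a list of MAC addresses; the function names and sample data are constructed for illustration.

```python
import re

# Assumed log format: ISC dhcpd syslog lease acknowledgement, e.g.
# "DHCPACK on 10.20.0.15 to 3c:52:82:aa:01:10 (hr-laptop-07) via eth0"
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))?"
)

def normalize_mac(mac):
    """Canonical form so 3C-52-82-AA-01-10 and 3c:52:82:aa:01:10 compare equal."""
    return mac.lower().replace("-", ":")

def devices_from_dhcp_log(lines):
    """Return {mac: (last_ip, hostname)} for every acknowledged lease."""
    seen = {}
    for line in lines:
        m = ACK_RE.search(line)
        if m:  # DISCOVER/OFFER/REQUEST lines do not prove a device got an address
            seen[normalize_mac(m["mac"])] = (m["ip"], m["host"] or "")
    return seen

def reconcile(dhcp_lines, cmdb_macs):
    """Compute M5 and M6 and list the devices the inventory is missing."""
    leased = devices_from_dhcp_log(dhcp_lines)
    known = {normalize_mac(m) for m in cmdb_macs}
    missing = {mac: info for mac, info in leased.items() if mac not in known}
    return {"M5": len(missing), "M6": len(leased) - len(missing), "missing": missing}

# Constructed sample data (not from any real network).
SAMPLE_LOG = """\
Mar  3 09:14:02 dhcp01 dhcpd[812]: DHCPDISCOVER from 3c:52:82:aa:01:10 via eth0
Mar  3 09:14:03 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.15 to 3c:52:82:aa:01:10 (hr-laptop-07) via eth0
Mar  3 09:20:41 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.31 to 00:1b:21:0c:44:9e via eth0
Mar  3 10:02:17 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.47 to b8:27:eb:5d:e2:f1 (raspberrypi) via eth0
Mar  3 11:45:00 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.52 to 3c:52:82:aa:01:10 (hr-laptop-07) via eth0
""".splitlines()
SAMPLE_CMDB_MACS = ["3C-52-82-AA-01-10", "00:1b:21:0c:44:9e"]

if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, SAMPLE_CMDB_MACS)
    print("M5 =", result["M5"], "M6 =", result["M6"])
    for mac, (ip, host) in result["missing"].items():
        print("not in CMDB:", mac, ip, host)
```

Matching is keyed on MAC address, so clients that randomize their MAC per network are counted as separate devices.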
Metrics
M4 > 0 indicates a non up-to-date asset inventory
DHCP Logging Quality
Metric | Ratio of appropriately configured DHCP logging enabled to known DHCP servers |
---|---|
Calculation | |