PRACTICE GUIDE | Financial ServicesNIST SP 1800-5a

IT Asset ManagementExecutiveSummary TheNationalCybersecurityCenterofExcellence(NCCoE),partoftheNationalInstituteofStandards

andTechnology(NIST),developedanexamplesolutionthatfinancialservicescompaniescanuseforamoresecureandefficientwayofmonitoringandmanagingtheirmanyIThardwareandsoftwareassets.

ThesecuritycharacteristicsinourITassetmanagementplatformarederivedfromthebestpracticesofstandardsorganizations,includingthePaymentCardIndustryDataSecurityStandard(PCIDSS).

TheNCCoEsapproachusesopensourceandcommerciallyavailableproductsthatcanbeincludedalongsidecurrentproductsinyourexistinginfrastructure.Itprovidesacentralized,comprehensiveviewofnetworkedhardwareandsoftwareacrossanenterprise,reducingvulnerabilitiesandresponsetimetosecurityalerts,andincreasingresilience.

TheexamplesolutionispackagedasaHowToguidethatdemonstratesimplementationofstandards-basedcybersecuritytechnologiesintherealworld.Theguidehelpsorganizationsgainefficienciesinassetmanagement,whilesavingthemresearchandproofofconceptcosts.

THE CHALLENGELargefinancialservicesorganizationsemploytensorhundredsofthousandsofindividuals.Atthisscale,thetechnologybaserequiredtoensuresmoothbusinessoperations(includingcomputers,mobiledevices,operatingsystems,applications,data,andnetworkresources)ismassive.Toeffectivelymanage,use,andsecureeachofthoseassets,youneedtoknowtheirlocationsandfunctions.Whilephysicalassetscanbelabeledwithbarcodesandtrackedinadatabase,thisapproachdoesnotanswerquestionssuchasWhatoperatingsystemsareourlaptopsrunning?andWhichdevicesarevulnerabletothelatestthreat?

Computersecurityprofessionalsinthefinancialservicessectortoldustheyarechallengedbythevastdiversityofhardwareandsoftwaretheyattempttotrack,andbyalackofcentralizedcontrol:Alargefinancialservicesorganizationcanincludesubsidiaries,branches,third-partypartners,contractors,aswellastemporaryworkersandguests.Thiscomplexitymakesitdifficulttoassessvulnerabilitiesortorespondquicklytothreats,andaccuratelyassessriskinthefirstplace(bypinpointingthemostvaluableassets).

THE SOLUTIONTheNISTCybersecurityIT Asset Management Practice Guideisaproof-of-conceptsolutiondemonstratingcommerciallyavailabletechnologiesthatcanbeimplementedtotrackthelocationandconfigurationofnetworkeddevicesandsoftwareacrossanenterprise.Ourexamplesolutionspanstraditionalphysicalassettracking,ITassetinformation,physicalsecurity,andvulnerabilityandcomplianceinformation.UserscannowqueryonesystemandgaininsightintotheirentireITassetportfolio.

1

DRAFT

Theguide:

mapssecuritycharacteristicstoguidanceandbestpracticesfromNISTandotherstandardsorganizationsincludingthePCIDSS

provides

adetailedexamplesolutionwithcapabilitiesthataddresssecuritycontrols

instructionsforimplementersandsecurityengineers,includingexamplesofallthenecessarycomponentsforinstallation,configuration,andintegration

ismodularandusesproductsthatarereadilyavailableandinteroperablewithyourexistingITinfrastructureandinvestments

Whilewehaveusedasuiteofcommercialproductstoaddressthischallenge,thisguidedoesnotendorsetheseparticularproducts,nordoesitguaranteeregulatorycompliance.Yourorganizationsinformationsecurityexpertsshouldidentifythestandards-basedproductsthatwillbestintegratewithyourexistingtoolsandITinfrastructure.Yourcompanycanadoptthissolutionoronethatadherestotheseguidelinesinwhole,oryoucanusethisguideasastartingpointfortailoringandimplementingpartsofasolution.

BENEFITS Ourexamplesolutionhasthefollowingbenefits:

enablesfasterresponsestosecurityalertsbyrevealingthelocation,configuration,andownerofadevice

increasescybersecurityresilience:youcanfocusattentiononthemostvaluableassets

providesdetailedsysteminformationtoauditors

determineshowmanysoftwarelicensesareactuallyusedinrelationtohowmanyhavebeenpaidfor

reduceshelpdeskresponsetimes:staffwillknowwhatisinstalledandthelatestpertinenterrorsandalerts

reducestheattacksurfaceofeachdevicebyensuringthatsoftwareiscorrectlypatched

SHARE YOUR FEEDBACKYoucangetacopyoftheguideathttp://nccoe.nist.govandhelpusimproveitbysubmittingyourfeedback.Asyoureviewandadoptthissolutionforyourownorganization,weaskyouandyourcolleaguestoshareyourexperienceandadvicewithus.

emailfinancial_nccoe@nist.gov

participateinourforumsathttps://nccoe.nist.gov/forums/financial-services

Tolearnmore,youcancontactusatfinancial_nccoe@nist.govtoarrangeademonstrationofthisreferencesolution.

2

mailto:financial_nccoe@nist.govmailto:financial_nccoe@nist.govhttps://nccoe.nist.gov/forums/financial-serviceshttp://nccoe.nist.gov

DRAFT

TECHNOLOGY PARTNERS

ThetechnologyvendorswhoparticipatedinthisprojectsubmittedtheircapabilitiesinresponsetoacallintheFederalRegister.CompanieswithrelevantproductswereinvitedtosignaCooperativeResearchandDevelopmentAgreementwithNIST,allowingthemtoparticipateinaconsortiumtobuildthisexamplesolution.

The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology addresses businesses most pressing cybersecurity problems with practical, standards-based example solutions using commercially available technologies. As the U.S. national lab for cybersecurity, the NCCoE seeks problems that are applicable to wholesectors, or across sectors. The center's work results in publicly available NIST Cybersecurity Practice Guides that provide modular, open, end-to-endreferencedesigns.

LEARN MORE Visithttp://nccoe.nist.gov

ARRANGE A DEMONSTRATIONnccoe@nist.gov

240-314-6800

3

http://nccoe.nist.govmailto:nccoe@nist.gov

NIST CYBERSECURITY PRACTICE GUIDE FINANCIAL SERVICES

IT ASSET MANAGEMENT

Approach, Architecture, and Security Characteristics

For CIOs, CISOs, and Security Managers

Michael Stone Chinedum IrrechukwuHarry Perper Devin Wynne

Leah Kauffman, Editor-in-Chief

NISTSPECIALPUBLICATION1800-5b

DRAFT

NIST Special Publication 1800-5b

IT ASSET MANAGEMENT

Financial Services

DRAFT

Michael StoneNational Cybersecurity Center of Excellence

Information Technology Laboratory

Chinedum Irrechukwu Harry PerperDevin Wynne

The MITRE Corporation McLean, VA

Leah Kauffman, Editor-in-ChiefNational Cybersecurity Center of Excellence

Information Technology Laboratory

October2015

U.S. Department of Commerce Penny Pritzker, Secretary

National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director

DRAFT

DISCLAIMERCertaincommercialentities,equipment,ormaterialsmaybeidentifiedinthisdocumentinordertodescribeanexperimentalprocedureorconceptadequately.SuchidentificationisnotintendedtoimplyrecommendationorendorsementbyNISTorNCCoE,norisitintendedtoimplythattheentities,materials,orequipmentarenecessarilythebestavailableforthepurpose.

NationalInstituteofStandardsandTechnologySpecialPublication1800-5bNatlInst.Stand.Technol.Spec.Publ.1800-5b,49pages(October2015)CODEN:NSPUE2

Organizationsareencouragedtoreviewalldraftpublicationsduringpubliccommentperiodsandprovidefeedback.AllpublicationsfromNISTsNationalCybersecurityCenterofExcellenceareavailableathttp://nccoe.nist.gov.

Commentsonthispublicationmaybesubmittedto:financial_nccoe@nist.gov

Publiccommentperiod:October26,2015throughJanuary8,2016

NationalCybersecurityCenterofExcellenceNationalInstituteofStandardsandTechnology

9600GudelskyDrive(MailStop2002)Rockville,MD20850Email:financial_nccoe@nist.gov

iii

http://nccoe.nist.govmailto:financial_nccoe@nist.govmailto:financial_nccoe@nist.gov

DRAFT

NATIONAL CYBERSECURITY CENTER OF EXCELLENCETheNationalCybersecurityCenterofExcellence(NCCoE)attheNationalInstituteofStandardsandTechnology(NIST)addressesbusinessesmostpressingcybersecurityproblemswithpractical,standards-basedsolutionsusingcommerciallyavailabletechnologies.TheNCCoEcollaborateswithindustry,academic,andgovernmentexpertstobuildmodular,open,end-to-endreferencedesignsthatarebroadlyapplicableandrepeatable.ThecentersworkresultsinpubliclyavailableNISTCybersecurityPracticeGuides,SpecialPublicationSeries1800,thatprovideuserswiththematerialslists,configurationfiles,andotherinformationtheyneedtoadoptasimilarapproach.

TolearnmoreabouttheNCCoE,visithttp://nccoe.nist.gov.TolearnmoreaboutNIST,visithttp://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDESNISTCybersecurityPracticeGuides(SpecialPublicationSeries1800)targetspecificcybersecuritychallengesinthepublicandprivatesectors.Theyarepractical,user-friendlyguidesthatfacilitatetheadoptionofstandards-basedapproachestocybersecurity.Theyshowmembersoftheinformationsecuritycommunityhowtoimplementexamplesolutionsthathelpthemalignmoreeasilywithrelevantstandardsandbestpractices.

Thedocumentsinthisseriesdescribeexampleimplementationsofcybersecuritypracticesthatbusinessesandotherorganizationsmayvoluntarilyadopt.Thedocumentsinthisseriesdonotdescriberegulationsormandatorypractices,nordotheycarrystatutoryauthority.

ABSTRACTWhileaphysicalassetmanagementsystemcantellyouthelocationofacomputer,itcannotanswerquestionslike,Whatoperatingsystemsareourlaptopsrunning?andWhichdevicesarevulnerabletothelatestthreat?AneffectiveITassetmanagement(ITAM)solutioncantietogetherphysicalandvirtualassetsandprovidemanagementwithacompletepictureofwhat,where,andhowassetsarebeingused.ITAMenhancesvisibilityforsecurityanalysts,whichleadstobetterassetutilizationandsecurity.

ThisNISTCybersecurityPracticeGuideprovidesareferencebuildofanITAMsolution.Thebuildcontainsdescriptionsofthearchitecture,allproductsusedinthebuildandtheirindividualconfigurations.Additionally,thisguideprovidesamappingofeachproducttomultiplerelevantsecuritystandards.Whilethereferencesoluti