IT Asset Management - National Cybersecurity Center of · PDF file · 2017-01-26 · NIST Special Publication 1800-5b. IT ASSET MANAGEMENT. Financial Services. DRAFT. Michael Stone National


  • PRACTICE GUIDE | Financial Services  NIST SP 1800-5a

    IT Asset Management
    Executive Summary

    The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), developed an example solution that financial services companies can use for a more secure and efficient way of monitoring and managing their many IT hardware and software assets.

    The security characteristics in our IT asset management platform are derived from the best practices of standards organizations, including the Payment Card Industry Data Security Standard (PCI DSS).

    The NCCoE's approach uses open source and commercially available products that can be included alongside current products in your existing infrastructure. It provides a centralized, comprehensive view of networked hardware and software across an enterprise, reducing vulnerabilities and response time to security alerts, and increasing resilience.

    The example solution is packaged as a How To guide that demonstrates implementation of standards-based cybersecurity technologies in the real world. The guide helps organizations gain efficiencies in asset management, while saving them research and proof of concept costs.

    THE CHALLENGE
    Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, you need to know their locations and functions. While physical assets can be labeled with barcodes and tracked in a database, this approach does not answer questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"

    Computer security professionals in the financial services sector told us they are challenged by the vast diversity of hardware and software they attempt to track, and by a lack of centralized control: a large financial services organization can include subsidiaries, branches, third-party partners, contractors, as well as temporary workers and guests. This complexity makes it difficult to assess vulnerabilities or to respond quickly to threats, and to accurately assess risk in the first place (by pinpointing the most valuable assets).

    THE SOLUTION
    The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution demonstrating commercially available technologies that can be implemented to track the location and configuration of networked devices and software across an enterprise. Our example solution spans traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information. Users can now query one system and gain insight into their entire IT asset portfolio.


  • DRAFT

    The guide:

    • maps security characteristics to guidance and best practices from NIST and other standards organizations, including the PCI DSS
    • provides
        • a detailed example solution with capabilities that address security controls
        • instructions for implementers and security engineers, including examples of all the necessary components for installation, configuration, and integration
    • is modular and uses products that are readily available and interoperable with your existing IT infrastructure and investments

    While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee regulatory compliance. Your organization's information security experts should identify the standards-based products that will best integrate with your existing tools and IT infrastructure. Your company can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution.

    BENEFITS
    Our example solution has the following benefits:

    • enables faster responses to security alerts by revealing the location, configuration, and owner of a device
    • increases cybersecurity resilience: you can focus attention on the most valuable assets
    • provides detailed system information to auditors
    • determines how many software licenses are actually used in relation to how many have been paid for
    • reduces help desk response times: staff will know what is installed and the latest pertinent errors and alerts
    • reduces the attack surface of each device by ensuring that software is correctly patched

    SHARE YOUR FEEDBACK
    You can get a copy of the guide at http://nccoe.nist.gov and help us improve it by submitting your feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.

    • [email protected]
    • participate in our forums at https://nccoe.nist.gov/forums/financial-services

    To learn more, you can contact us at financial_nccoe@nist.gov to arrange a demonstration of this reference solution.



    TECHNOLOGY PARTNERS

    The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.

    The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology addresses businesses' most pressing cybersecurity problems with practical, standards-based example solutions using commercially available technologies. As the U.S. national lab for cybersecurity, the NCCoE seeks problems that are applicable to whole sectors, or across sectors. The center's work results in publicly available NIST Cybersecurity Practice Guides that provide modular, open, end-to-end reference designs.

    LEARN MORE Visit http://nccoe.nist.gov

    ARRANGE A [email protected]

    240-314-6800


  • NIST CYBERSECURITY PRACTICE GUIDE FINANCIAL SERVICES

    IT ASSET MANAGEMENT

    Approach, Architecture, and Security Characteristics

    For CIOs, CISOs, and Security Managers

    Michael Stone, Chinedum Irrechukwu, Harry Perper, Devin Wynne

    Leah Kauffman, Editor-in-Chief

    NIST SPECIAL PUBLICATION 1800-5b

    DRAFT

  • NIST Special Publication 1800-5b

    IT ASSET MANAGEMENT

    Financial Services

    DRAFT

    Michael Stone, National Cybersecurity Center of Excellence

    Information Technology Laboratory

    Chinedum Irrechukwu, Harry Perper, Devin Wynne

    The MITRE Corporation McLean, VA

    Leah Kauffman, Editor-in-Chief, National Cybersecurity Center of Excellence

    Information Technology Laboratory

    October 2015

    U.S. Department of Commerce Penny Pritzker, Secretary

    National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director


    DISCLAIMER
    Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

    National Institute of Standards and Technology Special Publication 1800-5b
    Natl. Inst. Stand. Technol. Spec. Publ. 1800-5b, 49 pages (October 2015)
    CODEN: NSPUE2

    Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publications from NIST's National Cybersecurity Center of Excellence are available at http://nccoe.nist.gov.

    Comments on this publication may be submitted to: [email protected]

    Public comment period: October 26, 2015 through January 8, 2016

    National Cybersecurity Center of Excellence
    National Institute of Standards and Technology

    9600 Gudelsky Drive (Mail Stop 2002) Rockville, MD 20850 Email: [email protected]



    NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
    The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) addresses businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The NCCoE collaborates with industry, academic, and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable. The center's work results in publicly available NIST Cybersecurity Practice Guides, Special Publication Series 1800, that provide users with the materials lists, configuration files, and other information they need to adopt a similar approach.

    To learn more about the NCCoE, visit http://nccoe.nist.gov. To learn more about NIST, visit http://www.nist.gov.

    NIST CYBERSECURITY PRACTICE GUIDES
    NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices.

    The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. The documents in this series do not describe regulations or mandatory practices, nor do they carry statutory authority.

    ABSTRACT
    While a physical asset management system can tell you the location of a computer, it cannot answer questions like, "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?" An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
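    The abstract's two questions only become answerable once the physical asset register (barcode, location, owner) is joined to per-device software inventory and to a vulnerability advisory. The following Python is an added illustration of that correlation, not code from the practice guide or from any product in the NCCoE build; every record, product name ("AcmeBrowser") and advisory in it is constructed, and the join key (the asset tag) is an assumption about how the two data sources are linked. It also reports software seen on a host that the physical register never recorded, which is the gap an ITAM deployment most often surfaces first.

```python
"""Correlate physical asset, software inventory and advisory data (constructed example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhysicalAsset:
    asset_tag: str   # barcode label on the device; assumed join key
    location: str
    owner: str
    kind: str        # "laptop", "server", ...


@dataclass(frozen=True)
class Software:
    asset_tag: str   # which device reported this package
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple  # first version carrying the fix, e.g. (2, 4, 0)


# Products that count as an operating system for the "what OS" question.
OS_PRODUCTS = {"Windows", "macOS", "Linux"}

# Constructed sample data. LT-0099 reports software but has no physical record.
PHYSICAL = [
    PhysicalAsset("LT-0001", "Boston, floor 3", "alice", "laptop"),
    PhysicalAsset("LT-0002", "Boston, floor 3", "bob", "laptop"),
    PhysicalAsset("LT-0003", "Chicago branch", "carol", "laptop"),
    PhysicalAsset("SV-0100", "Boston DC rack 7", "ops", "server"),
]
SOFTWARE = [
    Software("LT-0001", "Windows", "10.0"),
    Software("LT-0001", "AcmeBrowser", "2.3.0"),
    Software("LT-0002", "Windows", "10.0"),
    Software("LT-0002", "AcmeBrowser", "2.4.1"),
    Software("LT-0003", "macOS", "10.11"),
    Software("LT-0003", "AcmeBrowser", "2.2.9"),
    Software("SV-0100", "Linux", "4.2"),
    Software("LT-0099", "Windows", "7.0"),
    Software("LT-0099", "AcmeBrowser", "2.0.0"),
]


def parse_version(text):
    """'2.3.0' -> (2, 3, 0); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def build_inventory(physical, software):
    """Attach each software record to its physical asset.

    Returns (inventory, unregistered): inventory maps asset tag to the
    physical record plus its software list; unregistered lists tags that
    reported software but were never entered in the physical register.
    """
    inventory = {a.asset_tag: {"asset": a, "software": []} for a in physical}
    unregistered = set()
    for s in software:
        if s.asset_tag in inventory:
            inventory[s.asset_tag]["software"].append(s)
        else:
            unregistered.add(s.asset_tag)
    return inventory, sorted(unregistered)


def os_summary(inventory, kind="laptop"):
    """'What operating systems are our laptops running?' -> Counter of 'OS version'."""
    counts = Counter()
    for record in inventory.values():
        if record["asset"].kind != kind:
            continue
        for s in record["software"]:
            if s.product in OS_PRODUCTS:
                counts[f"{s.product} {s.version}"] += 1
    return counts


def vulnerable_devices(inventory, advisory):
    """'Which devices are vulnerable?' -> [(tag, location, owner)] for devices
    running the advised product below the fixed version, ordered by tag."""
    hits = []
    for tag, record in sorted(inventory.items()):
        for s in record["software"]:
            if s.product == advisory.product and parse_version(s.version) < advisory.fixed_in:
                asset = record["asset"]
                hits.append((tag, asset.location, asset.owner))
                break  # one hit per device is enough
    return hits


if __name__ == "__main__":
    inventory, unregistered = build_inventory(PHYSICAL, SOFTWARE)
    print("Laptop operating systems:", dict(os_summary(inventory)))
    print("Vulnerable to AcmeBrowser advisory:",
          vulnerable_devices(inventory, Advisory("AcmeBrowser", (2, 4, 0))))
    print("Reporting software but not in the physical register:", unregistered)
```

    The join is deliberately keyed on the asset tag alone; in a real deployment the tag, hostname and network identity often disagree, and reconciling them is most of the integration work the guide describes.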

    This NIST Cybersecurity Practice Guide provides a reference build of an ITAM solution. The build contains descriptions of the architecture, all products used in the build and their individual configurations. Additionally, this guide provides a mapping of each product to multiple relevant security standards. While the reference soluti