Citation

National Institute of Standards and Technology, National Cybersecurity Center of Excellence, NIST Special Publication 1800-5: (DRAFT) IT Asset Management (Oct. 29, 2015) (full-text).

Overview

The National Cybersecurity Center of Excellence (NCCoE) invites comments on a draft practice guide designed to help financial services companies monitor and manage IT hardware and software assets more securely and efficiently.

Financial institutions can employ large numbers of people who use a variety of technology devices and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, knowing what systems and applications are running on these devices is a much larger challenge. The inability to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats.

The draft guide demonstrates how commercially available technologies can be used to track the location and configuration of networked devices and software across an organization.

The guide explains how users can tie existing separate data systems for physical assets, security systems and IT support into a single system that makes it easier to gain insight into their entire IT asset portfolio. With a single system, companies will be better able to track, manage and report on an information asset throughout its entire life cycle. Benefits include lower total cost of ownership and less time needed to respond to incidents and to perform system patching and other tasks.

Developed with input from the financial services industry, and in collaboration with ten technology vendors, the guide maps security characteristics to guidance and best practices from NIST and other standards organizations. Its instructions for implementers and security engineers include examples of installation, configuration and integration.

While the guide uses a suite of commercial products as examples to address this challenge, it does not endorse any particular products, nor does it guarantee regulatory compliance. A company can adopt this solution, or one that adheres fully to these guidelines, in whole, or it can use the guide as a starting point for tailoring and implementing parts of a solution.
