The National Cybersecurity Center of Excellence (NCCoE) invites comments on a draft practice guide designed to help financial services companies monitor and manage IT hardware and software assets more securely and efficiently.
Financial institutions can employ large numbers of people who use a variety of technology devices and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, knowing what systems and applications are running on these devices is a much larger challenge. The inability to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats.
The draft guide, IT Asset Management (Special Publication 1800-5a) demonstrates how commercially available technologies can be used to track the location and configuration of networked devices and software across an organization.
"Following this guide will help organizations better manage their cybersecurity risk. A centralized view of asset information, including location, ownership, hardware, software and patch levels improves situational awareness and can reduce security and compliance costs," said Nate Lesser, deputy director of the NCCoE, which is part of the National Institute of Standards and Technology (NIST). "Identifying the scope of an organization's risk is key to proper asset management, as reflected by 'identify' being the first function in the cybersecurity framework NIST developed for critical infrastructure, including the financial sector."
The guide explains how users can tie existing separate data systems for physical assets, security systems and IT support into a single system that makes it easier to gain insight into their entire IT asset portfolio. With a single system, companies will be better able to track, manage and report on an information asset throughout its entire life cycle. Benefits include lower total cost of ownership and less time needed to respond to incidents and to perform system patching and other tasks.
Developed with input from the financial services industry, and in collaboration with 10 technology vendors, the guide maps security characteristics to guidance and best practices from NIST and other standards organizations. Its instructions for implementers and security engineers include examples of installation, configuration and integration.
While the guide uses as examples a suite of commercial products to address this challenge, it does not endorse any particular products, nor does it guarantee regulatory compliance. A company can adopt this solution or one that adheres fully to these guidelines in whole, or it can use the guide as a starting point for tailoring and implementing parts of a solution.
The guide is one in a new series of publications from the center, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target specific cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices.
The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments.
The NCCoE is the nation's cybersecurity laboratory, addressing businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The center collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.