Inventories Revisited – Making Your Asset Lists Work for You
IT Security in the Investment Adviser space faces an interesting quandary: does security drive compliance, or does compliance drive security? From the security side, the continuous call is that compliance with regulations should come as a result of good security. In essence, we should be securing our networks, websites, and data from breach because it’s the right thing to do, and compliance with SEC regulations will flow forth from this attitude of “security for security’s sake.” We know, however, that for many Chief Compliance Officers, the fear of breach compounded by the regulatory atmosphere is the only thing that will create the perfect storm to push a security initiative. Rightly or wrongly, while the SEC has brought down a laundry list of expectations on the CCO, it has also armed them with the proverbial hammer to effect change. And we’d recommend that you start that change by altering your perspective on inventories.
The SEC, mirroring the NIST Cybersecurity Framework, has asked about inventories since the first sweep in 2014. Firms are responding by producing lists of hardware and software currently in use at the firm, sometimes from automated system reporting and other times through a potentially painful manual process. One of the most frequent questions our clients ask is: why? Why are inventories necessary? Why do we need to keep them updated? Why is the SEC asking me to produce inventories?
From a regulatory standpoint, the answer can be easy: robust and current inventories can be an easy way for the SEC to judge the maturity of a program at a glance. If you can easily provide inventories that are complete and concise, a non-technical regulator may be able to gain some level of assurance that you are, in fact, paying attention to their sweeps and recommendations. Paired with robust Policy and Procedure, it may be enough to make a regulator “go away” from the cybersecurity issue at that firm. And perhaps that’s all you want – you have just complied, but are you really secure?
By taking a more proactive approach, you can turn an inventory from a static document produced for regulators into something that actually helps you secure your business. It doesn’t take much in the way of monetary commitment, but it will take some time. Let’s face it – inventories aren’t sexy. Most CCOs or tech people I know shudder at the thought of poring over spreadsheets to ensure that inventories are up to date, and they see little purpose in it. To them, an inventory seems better suited to the accounting function of a company trying to prevent losses. Yet inventories form the foundation of a solid cybersecurity program, and hardware inventories are just the start. What’s important as you think about inventories is to turn the standard thinking on its head: inventories aren’t so much about what you have, they’re about what you don’t have.
We’re taking for granted that you have already developed a hardware inventory. If you haven’t, we’d suggest putting one together to start. But what should be included on that inventory? Certainly computers and laptops that the company owns. On top of that, take a more expansive view. Include switches and firewalls, access points and printers. Make sure that you include mobile devices in your inventory – even if they are employee owned. The net of inventories should be cast wide across your organization. This will help you from a reactive standpoint – if you ever have an office theft, you can compare your inventory with what you can lay your hands on. But let’s go a step further and make your inventories a proactive security tool.
Take your developed inventory and compare it with an automated inventory drawn from your systems. This type of reporting can be produced from software tools, some of them free. When you compare the inventory you created with the automated inventory sweep, you may discover devices on your network that aren’t in your inventory. Those are the items of concern. You have just created an inventory of everything that should be on your network, which means that anything else you find in an automated sweep shouldn’t be on your network and requires investigation. Your formal inventory is your baseline; by comparing it with your actual state, you will know whether there is a deviation from that baseline. Deviations could be innocent, such as a new mobile device that an employee neglected to register, or they could be more sinister – a rogue access point, or perhaps an unauthorized network attached storage device.
Software inventories can be accomplished using the same technique. We’d recommend developing an inventory first by interviewing groups of users and asking the question: what do you need to work? You will begin to develop a list of those pieces of software essential to running your business. More importantly, you will learn what software your company doesn’t need to function. Armed with that information, a CCO working with their tech team can begin to develop a white-list/black-list approach that prohibits unnecessary software from being installed and run. Once you’ve established what’s “good” on your network, you can begin to cull out the “bad” – rendering your systems more secure.
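The baseline-versus-actual comparison described for hardware above, and reused for software in this paragraph, comes down to one set difference run in both directions. The script below is an added illustration, not code from the original post or from any particular inventory tool; the MAC addresses, hostnames and package names are constructed sample data, and a real sweep would be exported from whatever scanning or endpoint-management tool the firm uses.

```python
import csv
import io

# Constructed sample data (not from the page): the firm's formal hardware
# inventory, keyed by MAC address, and the output of an automated network sweep.
FORMAL_HW = """mac,description,owner
aa:bb:cc:00:00:01,Reception desktop,front-desk
aa:bb:cc:00:00:02,CCO laptop,cco
aa:bb:cc:00:00:03,Core switch,it
aa:bb:cc:00:00:04,Printer 2nd floor,it
"""
SWEEP_HW = """mac,ip
AA:BB:CC:00:00:01,10.0.0.11
aa:bb:cc:00:00:03,10.0.0.2
aa:bb:cc:00:00:04,10.0.0.40
de:ad:be:ef:00:99,10.0.0.77
"""


def load_keys(csv_text, key):
    """Return the set of normalized (lower-cased, stripped) values of one CSV column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key].strip().lower() for row in rows if row.get(key)}


def compare_baseline(expected, observed):
    """Diff a baseline against what was actually observed.

    'unexpected' is present but not authorised: investigate it.
    'missing' is authorised but not seen: powered off, lost, or stolen?
    """
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


def hardware_deviations():
    return compare_baseline(load_keys(FORMAL_HW, "mac"), load_keys(SWEEP_HW, "mac"))


# The same comparison drives a software allow-list: the baseline is what users
# said they need to work; the observation is what is actually installed on a host.
APPROVED_SW = {"office-suite", "pdf-reader", "portfolio-tool", "vpn-client"}
INSTALLED_SW = {"office-suite", "pdf-reader", "vpn-client", "file-sharing-app"}


def software_deviations():
    return compare_baseline(APPROVED_SW, INSTALLED_SW)


if __name__ == "__main__":
    print("hardware:", hardware_deviations())
    print("software:", software_deviations())
```

Run on a schedule, anything that lands in "unexpected" becomes a ticket to investigate and anything in "missing" a prompt to confirm the asset is still in the firm's hands.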
Data connections can feel more ephemeral, but they are no less important. If you have not yet worked through your “touch points” to the outside world – how do you know if you have any connections that don’t belong? Without identifying your proper and safe connections, you cannot begin to identify dangerous connections that could be indicators of compromise. There are software applications out there that can analyze your firm’s traffic patterns and begin to help you detect and prevent anomalous activity. It’s important to realize that just identifying your data paths won’t make your firm more secure. It’s identifying the paths that don’t fit your firm’s pattern and preventing them that will make you safer.
This proactive approach to inventories – comparing expected to actual – is the real goal of the exercise. The static inventories that you produce for an exam are really just a starting point. By knowing what your firm does use, you can operate in a reactive manner – responding to a lost laptop, or perhaps knowing that your firm doesn’t use a certain piece of software with a critical vulnerability. The compliance box may be checked, but your business isn’t necessarily achieving security. With just a little extra effort, you can make a meaningful impact on your firm’s security and on its ability to detect and perhaps contain an incident. If you work in this direction, you will have achieved both security and compliance.
Artemis can assist you in developing and maintaining productive inventories to help you secure your business. Reach out to us to learn how to better secure your business through proper inventorying today!