The National Institute of Standards and Technology (NIST) is seeking comments on a new draft guide designed to help financial services firms monitor and manage IT hardware and software assets more efficiently and securely, the agency said Monday.
Working through the National Cybersecurity Center of Excellence (NCCoE), the agency's draft guide, IT Asset Management (Special Publication 1800-5a), is meant to demonstrate how existing data systems for physical assets, security systems, and IT support can be combined into a single system that makes it easier to gain insight into a company’s entire IT asset portfolio.
“With a single system, companies will be better able to track, manage and report on an information asset throughout its entire life cycle. Benefits include lower total cost of ownership and less time needed to respond to incidents and to perform system patching and other tasks,” NIST said in a statement.
Financial institutions can have many employees who use a variety of technology devices and applications across a wide geographical area. “While these physical assets can be labeled and tracked using bar codes and databases, knowing what systems and applications are running on these devices is a much larger challenge. The inability to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats,” NIST said.
“Following this guide will help organizations better manage their cybersecurity risk. A centralized view of asset information, including location, ownership, hardware, software and patch levels improves situational awareness and can reduce security and compliance costs,” Nate Lesser, deputy director of the NCCoE, said in a statement.
Lesser noted that identifying the scope of an organization’s risk is key to proper asset management and this is reflected by ‘identify’ being the first function in the NIST cybersecurity framework for critical infrastructure.
The draft guide was developed with input from the financial services industry and in collaboration with 10 technology vendors. It maps security characteristics to guidance and best practices from NIST and other standards organizations. Instructions for implementers and security engineers include examples of installation, configuration, and integration, the announcement said.
NIST highlighted that although the guide uses a suite of commercial products as an example to address IT asset management, it does not endorse any specific products.
IT Asset Management is one of a series of publications from the NCCoE, the NIST Cybersecurity Practice Guides. This series targets specific cybersecurity challenges in the public and private sectors. The series shows members of the information security community how to implement solutions to align their companies with standards and best practices.