Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted network.