Can you answer this question: how do you know the laptop that shows up today in Tokyo is the same one that was in New York last week? Make sure you have a complete inventory of hardware and software so you can be confident your patching is thorough. If you're not sure you have a clear accounting, opportunities for security breaches exist.

The Center for Internet Security (CIS) Critical Security Controls makes a good effort to prioritize IT security controls. This prioritized list of controls provides an implementation pathway that closes the biggest security gaps first. There are 20 controls in total, and CIS calls out the “First Five” as the most fundamental controls for an IT security program. They are:

1. Inventory of Authorized and Unauthorized Hardware
2. Inventory of Authorized and Unauthorized Software
3. Secure Configuration for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges

Security specialists are sometimes surprised at the first two items in the list. Why are inventories of hardware and software the most fundamental items for IT security? To answer that, I’d like to tell a story.

A few years ago, I was the Chief Security Officer at a small financial services provider (a fintech company). This company had grown through recent acquisitions and had become an increasingly significant industry provider of bank payment services. Because of this growth, the company attracted the attention of financial regulators, who were increasingly interested in its IT security operations. One of the items of interest to the regulators was patch management. I spent a few weeks with the regulators discussing all aspects of the company’s IT security, including patching. One of the interviews started with, “Let’s talk about patch management.
Are you patching your servers and workstations?” I had spent several months making sure our systems were patched and up to date, so I answered confidently that yes, we regularly patch our systems. His second question was far more difficult to answer. He asked, “How do you know?” Implied in his question were several other questions: “How do you know that you are patching ALL the systems?”; “How do you know that you are applying patches for ALL the software on those systems?”; “How do you know that the laptop that shows up today in Tokyo is the same one that was in New York last week?”

Of course, answering these questions requires more work. The answers are possible because of those first two CIS controls. For example, “I know I’m patching all my servers because I have an inventory of them.” Or, “I know I’m patching all the workstations and laptops because I know what is authorized and not authorized on my network, and I can identify a laptop uniquely, regardless of where it is on the network.” Also, “I know that I’m patching all the software because I know what software is running on each system.”

The first two Critical Security Controls are critical because they make all the other controls effective. They provide the answers to the “how do you know” question. My experience was with regulators, but the issue is the same if a company gets breached, if data gets stolen, or even if you are just giving an accounting to executives or the board. Corporate executives, regulators, boards of directors and law enforcement will want assurances, even guarantees, that control measures are effective and complete. If the IT department doesn’t have a clear accounting of all the hardware, it cannot know that all the systems have been remediated. If IT doesn’t know what software is running, it cannot be sure the fixes will be effective everywhere.
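The reasoning above can be turned into a routine check. The following is an added example, not code from the article or from CIS: it reconciles an authoritative hardware and software inventory (Controls 1 and 2) against a patch tool's report, identifying each device by its hardware serial rather than by hostname or IP, so the laptop that moved from New York to Tokyo is recognized as the same asset. The inventory, the report records and the required-version baseline are all constructed sample data, and the exact-version comparison stands in for a real version-ordering rule.

```python
"""Reconcile an asset inventory against a patch-tool report.

Added example (not from the article). It shows why CIS Controls 1 and 2
make patching verifiable: every device is identified by hardware serial,
not by where it appears on the network, and every inventoried
(system, software) pair is checked against the patch report.
All data below is constructed.
"""

# Constructed authoritative inventory: serial -> (hostname, {software: version})
INVENTORY = {
    "SN-0001": ("ny-lap-01", {"openssl": "1.1.1k", "chrome": "100"}),
    "SN-0002": ("ny-srv-01", {"openssl": "1.1.1k"}),
    "SN-0003": ("ny-srv-02", {"openssl": "1.1.1k", "chrome": "100"}),
}

# Constructed patch-management report from the last cycle: what the agent saw.
PATCH_REPORT = [
    {"serial": "SN-0001", "hostname": "tokyo-lap-07", "ip": "10.20.0.5",
     "installed": {"openssl": "1.1.1w", "chrome": "101"}},
    {"serial": "SN-0002", "hostname": "ny-srv-01", "ip": "10.10.0.20",
     "installed": {"openssl": "1.1.1k", "nginx": "1.18.0"}},
    {"serial": "SN-0099", "hostname": "unknown-box", "ip": "10.10.0.77",
     "installed": {}},
]

# Constructed patch baseline: the version each product must be at.
# (Exact string match is a simplification of real version ordering.)
REQUIRED = {"openssl": "1.1.1w", "chrome": "101"}


def reconcile(inventory, report, required):
    """Return the findings needed to answer 'how do you know?' for patching."""
    seen = {rec["serial"]: rec for rec in report}

    # Control 1: devices are matched by serial, not by hostname or IP.
    never_reported = sorted(set(inventory) - set(seen))   # patch state unknown
    not_inventoried = sorted(set(seen) - set(inventory))  # unauthorized hardware
    relocated = {}          # same serial, different hostname: device moved

    # Control 2: software known to be on each system must be at baseline.
    outdated = {}           # inventoried software below the required version
    unlisted_software = {}  # software seen by the agent but absent from inventory

    for serial, (hostname, software) in inventory.items():
        rec = seen.get(serial)
        if rec is None:
            continue  # already counted in never_reported
        if rec["hostname"] != hostname:
            relocated[serial] = (hostname, rec["hostname"])
        gaps = sorted(
            name for name in software
            if name in required and rec["installed"].get(name) != required[name]
        )
        if gaps:
            outdated[serial] = gaps
        extra = sorted(set(rec["installed"]) - set(software))
        if extra:
            unlisted_software[serial] = extra

    return {
        "never_reported": never_reported,
        "not_inventoried": not_inventoried,
        "relocated": relocated,
        "outdated": outdated,
        "unlisted_software": unlisted_software,
    }


if __name__ == "__main__":
    for finding, value in reconcile(INVENTORY, PATCH_REPORT, REQUIRED).items():
        print(f"{finding}: {value}")
```

Each key in the result maps to one of the regulator's implied questions: `never_reported` and `not_inventoried` answer "are you patching ALL the systems?", `outdated` and `unlisted_software` answer "ALL the software on those systems?", and `relocated` answers the Tokyo laptop question, because the serial, not the hostname, is the identity.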
When reporting to the boss that “we fixed it” and she asks, “how do you know?”, have a complete inventory of hardware and software. It’s a good way to start answering the question.