NIST SPECIAL PUBLICATION 1800 -5 IT Asset Management Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How -To Guide s (C) Michael Stone Chinedum Irrechukwu Harry Perper Devin Wynne Leah Kauffman, Editor -in-Chief This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800 -5 The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs -itam-nist-sp1800 -5-draft.pdf NIST SPECIAL PUBLICATION 1800 -5 IT Asset Management Includes Executive Summary (A); Approach, Architecture, an d Security Characteristics (B) ; and How -To Guides (C) Michael Stone National Cybersecurity Center of Excellence Information Technology Laboratory Chinedum Irrechukwu Harry Perper Devin Wynne The MITRE Corporation McLean, VA Leah Kauffman, Editor -in-Chief National Cybersecurity Center of Excellence Information Technology Laboratory September 2018 U.S. Department of Commerce Wilbur Ross , Secretary National Institute of Standards and Technology Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director NIST SPECIAL PUBLICATION 1800 -5A IT Asset Management Volume A : Executiv e Summary Michael Stone Leah Kauffman, Editor -in-Chief National Cybersecurity Center of Excellence Information Technology Laboratory Chinedum Irrechukwu Harry Perper Devin Wynne The MITRE Corporation McLean, VA September 2018 This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800 -5 The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs -itam-nist-sp1800 -5-draft.pdf NIST SP 1800 -5A: IT Asset Management 1 This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800 -5 Executive Summary ▪ The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), developed an example solution that financial services companies can use for a more secure and efficient way of monitoring and managing their many information technology (IT) hardware and software assets. ▪ The security characteristics in our IT asset management platform are derived from the best practices of standards organizations, including the Pay ment Card Industry Data Security Standard (PCI DSS). ▪ The NCCoE’s approach uses open source and commercially available products that can be included alongside current products in your existing infrastructure. It provides a centralized, comprehensive view of networked hardware and software across an enterprise, reducing vulnerabilities and response time to security alerts, and increasing resilience. ▪ The example solution is packaged as a “How To” guide that demonstrates implementation of standards -based cybers ecurity technologies in the real world. The guide helps organizations gain efficiencies in asset management, while saving them research and proof of concept costs. CHALLENGE Large financial services organizations employ tens or hundreds of thousands of ind ividuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, you need to know their locations and functions. While physical assets can be labeled with bar codes and tracked in a database, this approach does not answer questions such as “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” Computer security professionals