YALE-MSS-2.1: Establish the scope of the IT System

Standards Group:
YALE-MSS-2: System Inventory

YALE-MSS-2.1: Establish the scope of the IT System

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

Details

Identification of an IT system's scope is a prerequisite for all subsequent control planning. You can’t protect what you have if you don’t know what you have.

Components include the hardware, software, and facilities that make up your system. Significant dependencies of other systems on yours and vice-versa must also be considered.

It is easy to overlook something if you haven’t fully defined it or taken inventory of it. Establish the scope of your IT System to understand its contents and relationship to systems with which it communicates. In some cases, this may require recasting your system's availability risk.

Appropriately classify all components (hardware, software, facilities of your system).

Know what groups are responsible for maintaining the various parts of your system.

Know what your system is dependent on and vice versa. Would an outage disrupt important business functions elsewhere? If so, your system will have a greater availability risk. Is your system reliant on the operation of other systems? This won't increase your system's availability risk, but it must be addressed in your Disaster Recovery planning.

Ensure dependent systems operate at the same or higher security posture as your system (i.e. risk classification)--interacting with lower-security systems may undermine the security of your system.

Controls