Standards Group:
YALE-MSS-2: System Inventory
YALE-MSS-2.1: Establish the scope of the IT System
Details
Identification of an IT system's scope is a prerequisite for all subsequent control planning. You can’t protect what you have if you don’t know what you have.
Components include the hardware, software, and facilities that make up your system. Significant dependencies of other systems on yours and vice-versa must also be considered.
It is easy to overlook something if you haven’t fully defined it or taken inventory of it. Establish the scope of your IT System to understand its contents and relationship to systems with which it communicates. In some cases, this may require recasting your system's availability risk.
Appropriately classify all components (hardware, software, facilities of your system).
Know what groups are responsible for maintaining the various parts of your system.
Know what your system is dependent on and vice versa. Would an outage disrupt important business functions elsewhere? If so, your system will have a greater availability risk. Is your system reliant on the operation of other systems? This won't increase your system's availability risk, but it must be addressed in your Disaster Recovery planning.
Ensure dependent systems operate at the same or higher security posture as your system (i.e. risk classification)--interacting with lower-security systems may undermine the security of your system.