Standard:
YALE-MSS-2.1: Establish the scope of the IT System
YALE-MSS-2.1.1: Identify and maintain a current inventory of all components and dependencies
Low Risk Endpoint: Not Required
Moderate Risk Endpoint: Not Required
High Risk Endpoint: Not Required
Low Risk Server: Not Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required
Low Risk Network Printer: Not Required
Moderate Risk Network Printer: Not Required
High Risk Network Printer: Not Required
Details
Examples of component information to identify and maintain over time are:
Basic Information
- Component names and IP addresses (e.g., web-host.yale.edu, 192.168.1.10)
- Component purposes
- Locations of components such as Yale West Campus, AWS, Azure, vendor's Cloud, etc.
Detailed Information
- Authentication and authorization methods used by components (CAS, Shibboleth, DUO, Active Directory, Grouper groups, etc.)
- Component types, including "physical machine," "virtual machine," and "Docker container," as well as operating system and version (Windows 10, Linux Redhat 8, etc.)
- Component storage (local, NetApp, AWS S3 bucket, etc.)
- Whether a given component resides behind a proxy or load balancer
- Major software packages (and version numbers) installed on components (e.g., Apache HTTP Server version 2.4.56)
You are responsible for maintaining the security of all your IT system's components. This includes documenting dependencies even if you do not manage them.
How a system's inventory information is captured and maintained over time is up to the system owner. In some cases, gathering the relevant data may require help from an IT support contact. The inventory should be stored securely and kept up to date.