CM-08 Information System Component Inventory

Control: The organization develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.

Supplemental Guidance: The organization determines the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking, and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. Related security controls: CM-2, CM-6.

Control Enhancements:

(1) The organization updates the inventory of information system components as an integral part of component installations.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

Baseline: LOW CM-8 MOD CM-8 (1) HIGH CM-8 (1) (2)

Family: Configuration Management

Class: Operational

ISO 17799 mapping: 7.1.1, 15.1.2

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: 12.3.3, 12.3.4