NIST or CIS Cyber Security Frameworks... Does it Matter to ITAM?

The Perpetual Process Behind an Accurate Inventory

Although the above description may seem simple, much more is happening behind the scenes. For instance, the IT Asset Management (ITAM) program identifies and oversees the electronic waste disposal vendor. And a lot of data is being generated by different departments. This data must be curated to create meaningful information and linked to the asset. From one perspective, the ITAM Program operates in the same way, regardless of the security framework in place. However, the specific details of the framework may require the ITAM Program to make some adjustments. 

Cyber Security Frameworks and The ITAM Program

Two of the most well-known and widely adopted IT security frameworks are from NIST (National Institute of Standards and Technology) and CIS (Center for Internet Security). NIST’s framework includes 23 Functions and 108 Categories, which can be matched with ITAM Program elements in over 300 ways. Similarly, CIS’ framework has 19 Controls and 161 Safeguards that can be mapped to ITAM Program elements in over 400 ways.

Organizations choose between NIST or CIS based on their needs. The NIST framework is more abstract and has been adopted by larger organizations. Meanwhile, CIS provides greater detail and is often adopted by smaller organizations.

Many IT frameworks and IT Asset Management (ITAM) share a common trait in how they mature - starting small and gradually improving over time. There is a symbiotic relationship between these two areas, with a more mature ITAM program accelerating the maturity of frameworks. However, a key difference between the two is that IT security is a vertical function with horizontal requirements, whereas ITAM is a horizontal function with horizontal requirements. When implemented correctly, ITAM can benefit not only IT security but also other stakeholders such as finance, IT, HR, legal, etc. This means that ROI on ITAM improvements is often higher than those made within verticals.

Many organizations still struggle with IT security. The threat from malicious actors is constantly changing and seems to be never-ending. While it may not directly add value to the organization, security is crucial and cannot be ignored. We must accept this reality and focus on making the most of our IT security investment while safeguarding our data. What steps can we take moving forward?

Securing the Data

The role of the IT asset manager includes acquiring knowledge about IT security and enhancing the ITAM Program to facilitate IT security endeavors. Both roadmaps should complement each other for a cohesive approach toward achieving the common objective.

IT security professionals must work closely with ITAM and fully comprehend how it can effectively reduce their workload. ITAM is essentially the proactive arm of IT security and should be utilized accordingly.

IT professionals should collaborate with ITAM and IT security as many IT processes generate data that these departments require. The key challenge is ensuring that the data produced is high quality and deemed trustworthy.

IT security requires participation from everyone in the organization. What better discipline to support IT security in this endeavor than ITAM, which also requires everyone’s participation? The return on an organization’s investment in IT security is multiplied when ITAM is included. This increase in ROI is not only measured in euros, pounds, or dollars it is also, and perhaps most importantly, measured in the protection provided to your organization’s data.

NIST: https://www.nist.gov/cyberframework

CIS: https://www.cisecurity.org

Our ITAM/NIST/CIS mapping and training blaze the trail to protect what's most important, the data. Click here to learn more about the ITAM / Cyber Security Workshop