Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Inventory Insights: Elevating Your Compliance Game


Quick Take

On this episode of Compliance Unfiltered, the CU Guys dive into the critical role of inventory management within large-scale engagements.

They explore why inventory is central to security and compliance programs, share insights on integrating inventory into daily operations, and discuss common pitfalls organizations face. With Adam’s practical tips and real-world examples, this episode is a must-listen for anyone looking to enhance their compliance strategies.

Special thanks to listener Heidi for suggesting this topic!

Tune in and discover how to make inventory a core element of your compliance DNA, on this week’s Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the sunny side up eggs to your compliance breakfast, Mr. Adam Goslin. How the heck are you, sir? 

I am doing just fantastic today, Todd. How about you? 

Excellent. I’m doing great. Any day that we get to chat about some tips and tricks is a good day. Today, we’re going to talk about some tips and tricks for maintaining inventory within a large scale engagement. Now, this topic comes to us, Adam, from one of our loyal listeners, Heidi. Thanks very much for passing along your interest in the topic, Heidi, which we’re sure will hit home with many of our listeners. Adam, you have spoken for years about how important inventory is. Remind the listeners, what is it and why is it so critical? 

Well, I mean, there’s a lot of companies that look at the inventory like it’s one of the tasks on their list that they need to, you know, periodically do to check a box for compliance, et cetera. But the fact is that it’s literally central to everything that you’re doing on your security and compliance program. You know, organizations should be looking at this inventory as literally one of the most important elements of their protection program. The inventory is what ought to be leveraged for driving things like, you know, is our network diagram correct? Do we have all of the right stuff in our data flows? What are we going to go and pen test? What are we going to vulnerability scan? Central logging, file integrity? The list goes on and on and on, and the inventory really is how you go about validating that things are in place. I mean, just to use one example, which I’ve seen repetitively across the years, I’ll just pick on central logging, right? Yeah, yeah, we got central logging and it’s deployed and, you know, blah, and everybody blows their trumpets and pulls their reports, et cetera, until somebody asks the dumb question: well, are we actually centrally logging all the stuff that we should? And you can almost, you know, kind of hear everybody nervously chuckle, and somebody of course will say, of course we are, and meanwhile you sanity check it and, lo and behold, there’s this device that got deployed that nobody decided to go ahead and throw the logs into central logging for, et cetera. So you basically have a rogue device that’s not pushing its logs through any of the oversight mechanisms that the organization’s got together. 
So that’s just one example of just a myriad of things that can go sideways when the organization doesn’t have their arms truly around their inventory. 

Makes sense. Now, where do most organizations go wrong with their inventory? 

Well, you know, when they’re treating it as something that we just, you know, do occasionally to check a box for compliance, that’s probably the single largest element, and when they’re not integrating that inventory literally into their daily life. You ought to be able to be using that inventory day in, day out, repetitively, for just sanity checking all of your controls. I mean, one of the things that’s a tough transition for organizations, you know, you’ve got some organizations that are going up against the security and compliance engagement for the first time, and then they move from, okay, we finally got there to checking the box, we’ve got all this stuff, finger quotes, in place, to now I need to maintain this monstrosity. And when they take that shift from trying to get there initially to managing and maintaining, a lot of them will initially take an approach of, hey, this security compliance, this is like a once a year activity type of deal. And instead, I just strongly implore organizations to leverage an active form of management and oversight of your program. As an example, like TCT, we literally have a weekly meeting where we’re sitting down and we’re talking about all the things that we need to be doing as an organization, et cetera. And that’s just the pulse check, let alone the fact that we’re doing tasks every single day that are integrated into kind of that overall inventory. 
It’s a big deal, and companies need to embrace the kind of symbiotic relationship between their inventory and all the other controls that they’ve got as part of their overall structured program. 

Sure. Now knowing that inventory changes happen when you add new stuff, modify things and remove elements, how should that be handled? 

Well, you want to end up with a full integration into your change control, so that one of the key activities there is the closeout procedures from each individual change control. One of the many things that ought to be done with every single add, modify, or remove is, hey, let’s go ahead and double check: was there a ripple impact to our inventory that we need to make an update or modification for, et cetera? And this all goes under the guiding assumption that the organization is pushing everything through change control. If you’ve got a structured program where everything must go through change control, now I have a choke point that I can leverage for the organization to effect the updates to things like the inventory. So every single time that I’m adding something new to our environment, doing patching on systems, removing or deprecating assets from the environment, if every single time you’re doing that one of the tasks is to mirror that over to the inventory, well, now you’ve got a fighting chance of keeping those assets in check, et cetera. 

Well, in a large organization, this becomes challenging, right? What recommendations do you have there? 

Well, certainly, you know, leveraging software. It depends on, you know, large organization means different things to different people, right? There was a time when you went from like 20 people to 50 people, and now they feel like you’re in a large organization, but then you got this other company that’s thousands of people or thousands of assets, etc. So it means different things to different people, but in a large scale organization, leveraging software for doing some of the heavy lifting to scour the environment, and sanity checking that the software that you’re leveraging is actually deployed to all of the network segments and devices within the environment. So those are things that ought to be included as part of the checks of things that go through change control, as an example. So, if I am, hey, we’re going to go ahead and replace this myriad of systems with a set of new systems that we’re going to go ahead and build, we’re going to drop those onto a segregated network segment and da-da-da-da, as I’m going through and I’m doing the change control, making sure that, okay, well, now we’re deploying all of these new assets. Do they have all the things that are needed? Do they have the agents for the inventorying system? Do they have file integrity monitoring? Are they pushing their logs to central logging? Did we update the inventory? You know, et cetera. 
So, getting a kind of a finer point on your change control process, especially around new deployments and deprecations within the environment, that is a helpful part. Where I see a lot of organizations will kind of, I don’t know, I don’t want to say go wrong, whatever, but they put too much emphasis on the kind of auto scouring software that will alert people that, hey, I’ve seen something new, or there used to be something here that no longer is, whatever. They put too much emphasis on that automation. Instead, I would prefer that your change control process is what is driving the adds, removes and updates to the inventory. And using that periodic software validation, even if it’s finger air quotes live, it’s going through and doing live scans continuously, whatever, that’s great, but use that as a backstop, not as the primary detection device. Certainly it is an added layer of redundancy for the way that the overall program runs. But if, as part of every single change control, I’m making the updates to the inventory, now when the software is coming in, the item’s already there, it’s already within the inventory, and it’s confirming that, oh, yeah, no, I’m not seeing a quote new device, because that item’s already on the inventory. Now, that said, you want to use that as a backstop. And as items are kind of hitting through that, when you run your automated system and it says, hey, I saw something new. 

Well, instead of it being, oh, well, geez, let’s go ahead and just plow that onto the inventory, instead, the question that I would be asking is, why in the hell is this item showing up that is being noted as new? It should have been updated into the inventory as part of our change control process. So what the hell went wrong? You know, and you’ve got to be able to tie investigations, et cetera, to things as they’re showing up on the inventory. Because if I’m discovering things that are new or disappearing or whatever that weren’t updated through change control, now I know I’ve got a hole in the system, if you will. So that’s the way that I go about leveraging that in the larger scale style environments. 

So we talked a lot about devices. Is that all that should be included in the inventory? 

Oh, hell no. There’s a whole bunch of things that need to be tracked. Assets are literally one element of just an absolute gob of things that you ought to be maintaining oversight of, et cetera, from an inventorying perspective. So I’ll give you some examples. You’ve got things like installed software on your various machines, what versions those are, things along those lines. You’ve got third-party components that are being leveraged for things like web or APIs, things along those lines, where you bolt third-party components into your web-based products. You’ve got payment scripts. You’ve got cryptographic cipher suites and protocols that are in use, wireless access points, custom and bespoke software, and, and, and, and, and. The bottom line is that, just like I spoke about leveraging the change control as kind of the central choke point, if all of these things, that whole list that I just mentioned, if every time I’m doing something and it’s going through change control and you’ve got the integrated options in your change control process to backfill, if you will, the various inventories that you’ve got, then now you’ve got a mechanism that you can leverage and dial in and hone. It’s not easy, you know, but it’s definitely something that needs to be done. Certainly, for some organizations, they should integrate all of these various elements into one central inventory, just so that it’s easier to manage and maintain, especially for the smaller and mid-range organizations. I’ll typically recommend, hey, get one inventory and maybe use different tabs or something, or whatnot, but just one spot where all this stuff is. The difficulty comes in when you’ve got larger scale organizations. What I’ll typically see is that these various repositories of inventory will be split out. 
You know, into different functional groups within the organization that have responsibility for managing and maintaining each of those inventories based on kind of their function. So as an example, maybe the installed software that’s on laptops, workstations, desktops is part of your day by day IT support group. Maybe the server administrators for web-based features and functions of the organization, maybe they’ll take on the payment scripts and cipher suites and custom and bespoke software, things along those lines, third-party components. So I’ll see different organizations opt to do it differently, but it doesn’t diminish kind of that philosophy of active management, active maintenance, raising the alarm when something unexpected shows up. Those all need to remain kind of pivotal to how the organization goes about doing what it does. That’s true. 

It makes a ton of sense, so what does it mean when you get a surprise in your monitoring system with something new, modified, or removed? 

Well, I mean, literally it means somebody’s not following the process. So if you’ve gone through and you’ve established these kind of internal operational procedures for how we’re going to act, how we’re going to do things, how do things navigate up from development through to production, et cetera, and leveraging your change control, when you’re finding surprises in the monitoring system, literally it’s somebody didn’t do their job. Now, is it possible that something nefarious is going on? Sure, that’s a possibility. But it’s definitely an activity which is dramatically raising the risk profile of the organization, since we effectively have uncontrolled events that are occurring within the environment, and that needs to get addressed immediately. There also needs to be consequences for repeat offenders. Certainly I’m a bigger fan of things like retraining, et cetera, for the first couple of offenses, whatever, but at a certain point in the game, I mean, this individual is causing risk to the company, and so there needs to be an escalated series of steps that are followed so that the operational teams clearly understand what their responsibility is and how important this is. The bottom line is that if the organization doesn’t take this shit seriously, then why in the hell is any of the personnel going to take it seriously? 
You know, and many folks mean well. Maybe they went about making some type of a change, whatever it may be, and they intended to go make the update to the inventory, but then got distracted by some shiny object. But at the end of the day, it’s just not a valid excuse for why you’re not following kind of the organizational credo, if you will. 

No, and you’re absolutely right, I mean, it’s about creating a culture of compliance. I couldn’t agree more. Parting shots and thoughts for the folks this week, Adam. 

Well, bottom line, inventory has to be central. It has to be a central core element of your security and compliance program. It needs to be part of the DNA of that program. It needs to be maintained, kept up to date, and making sure that procedures are followed. The inventory ought to be leveraged as a sanity check against a myriad of other controls within the environment, just to confirm that they’re configured appropriately. The one thing that used to drive me nuts is when I’d be walking into kind of the annual assessment, right, and that’s where the assessors are going through doing their validations and sanity checking, hey, is this thing set up correctly? And we’re discovering things at the annual assessment. That’s certainly not the time you want to be figuring this crap out, right? And not because, okay, is it not cool to find this stuff out in front of your assessor? Of course it isn’t. But really, to me, more importantly is, how long has this thing been broken? Has it been broken for a week? Has it been broken for three quarters? That type of thing. You’re literally injecting risk into your overall program by not taking this stuff seriously. So the inventory is certainly an element which doesn’t get enough attention when people are talking about their programs and the importance of the various elements. So the inventory, we need to kick that up a notch on the importance factor. But again, thanks very much to Heidi for the recommendation. And if any of the listeners have any topics they’d like to hear us cover here on Compliance Unfiltered, do us a favor. We’d love hearing from you. So send an email with your suggestions to [email protected]

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
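The "change control drives the inventory, discovery is the backstop" approach Adam describes above, put into code as an added example from the editor (not code from the hosts or from TCT). The inventory records, discovery results and change tickets are constructed sample data, and every field and ticket name is an assumption. The point it shows: a host that discovery sees but the inventory lacks is not a row to add, it is either a change whose closeout skipped the inventory update (a ticket exists) or an uncontrolled change (no ticket at all), and existing assets are checked for control gaps such as a rebuilt box that stopped shipping logs.

```python
"""Reconcile an automated discovery scan against a change-control-driven inventory.

Added example (not code from the Compliance Unfiltered hosts or from TCT):
the inventory, discovery results and change tickets are constructed sample
data, and every field name and ticket number here is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Controls every in-scope asset must show evidence of before it counts as covered.
REQUIRED_CONTROLS = ("inventory_agent", "central_logging", "fim")


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    segment: str
    controls: Tuple[str, ...]        # controls the inventory claims are deployed
    change_id: Optional[str] = None  # change ticket that last added/modified the asset


# Inventory as maintained through change control (constructed sample data).
INVENTORY: Dict[str, Asset] = {
    "web01": Asset("web01", "10.1.1.10", "dmz", REQUIRED_CONTROLS, "CHG-1001"),
    "db01":  Asset("db01",  "10.1.2.20", "data", REQUIRED_CONTROLS, "CHG-1002"),
    "app02": Asset("app02", "10.1.3.30", "app", REQUIRED_CONTROLS, "CHG-1003"),
    "old01": Asset("old01", "10.1.3.40", "app", REQUIRED_CONTROLS, "CHG-0900"),
}

# What the discovery tool actually observed on the network (constructed sample data).
DISCOVERED: List[dict] = [
    {"hostname": "web01", "ip": "10.1.1.10", "segment": "dmz",
     "controls": ["inventory_agent", "central_logging", "fim"]},
    # db01 was rebuilt and nobody pointed its logs at the central log collector.
    {"hostname": "db01", "ip": "10.1.2.20", "segment": "data",
     "controls": ["inventory_agent", "fim"]},
    # app02 moved to a new segment; the inventory still shows the old one.
    {"hostname": "app02", "ip": "10.1.5.30", "segment": "app-new",
     "controls": ["inventory_agent", "central_logging", "fim"]},
    # app03 has a closed change ticket but was never added to the inventory.
    {"hostname": "app03", "ip": "10.1.5.31", "segment": "app-new",
     "controls": ["inventory_agent", "central_logging", "fim"]},
    # lab07 has no change record at all.
    {"hostname": "lab07", "ip": "10.1.9.7", "segment": "lab", "controls": []},
]

# Closed change tickets and the hosts each one touched (constructed sample data).
CHANGES: Dict[str, Set[str]] = {
    "CHG-0900": {"old01"},
    "CHG-1001": {"web01"},
    "CHG-1002": {"db01"},
    "CHG-1003": {"app02"},
    "CHG-1004": {"app03"},
}


def reconcile(inventory, discovered, changes):
    """Treat the inventory as the source of truth and discovery as the backstop.

    Anything discovery reports that change control did not already put in the
    inventory is a process failure to investigate, not a row to add.
    """
    seen = {d["hostname"]: d for d in discovered}
    findings = {"unexpected": [], "missing": [], "control_gaps": {}, "drift": {}}

    for name in sorted(seen):
        obs = seen[name]
        asset = inventory.get(name)
        if asset is None:
            # Was there a change ticket for this host? If so, the closeout step
            # skipped the inventory update; if not, the change bypassed process.
            tickets = sorted(t for t, hosts in changes.items() if name in hosts)
            reason = (f"inventory not updated after {', '.join(tickets)}" if tickets
                      else "no change record: uncontrolled change, investigate")
            findings["unexpected"].append((name, reason))
            continue
        # Known asset: does reality still match what change control recorded?
        if (asset.ip, asset.segment) != (obs["ip"], obs["segment"]):
            findings["drift"][name] = {"inventory": (asset.ip, asset.segment),
                                       "observed": (obs["ip"], obs["segment"])}
        # Use the observed controls, never the inventory's claim, for coverage.
        gaps = [c for c in REQUIRED_CONTROLS if c not in obs["controls"]]
        if gaps:
            findings["control_gaps"][name] = gaps

    # Assets the inventory says exist but discovery no longer sees.
    findings["missing"] = sorted(n for n in inventory if n not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DISCOVERED, CHANGES).items():
        print(f"{kind}: {items}")
```

Run as a scheduled job after each discovery sweep, the "unexpected" and "missing" lists are the surprises the episode says should open an investigation rather than an inventory edit, and "control_gaps" is the "are we actually centrally logging everything we should" sanity check done against observed state instead of against the spreadsheet.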
