IT Asset Management for the Financial Services Sector

IT asset management (ITAM) is foundational to an effective cybersecurity strategy and is prominently featured in the SANS Critical Security Controls and NIST Framework for Improving Critical Infrastructure Cybersecurity.

Helping organizations centrally monitor and gain deeper insight into their entire IT asset portfolio

Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, the organization needs to know its asset locations and functions. While physical assets can be labeled with bar codes and tracked in a database, this approach does not answer questions such as “What operating systems are our laptops running?” and “Which devices have vulnerabilities that can be exploited by a threat actor?”

Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-5: Complete Guide (HTML), Web Version
NIST SP 1800-5: Complete Guide (PDF), Document Version
NIST SP 1800-5A: Executive Summary, Document Version
NIST SP 1800-5B: Approach, Architecture, and Security Characteristics, Document Version

Project Abstract

Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Further complicating this scenario, many organizations include subsidiaries, branches, third-party partners, and contractors, as well as temporary workers and guests.

To address this cybersecurity challenge, the NCCoE developed a reference design that provides an organization with tools to centrally monitor and gain deeper insight into its entire IT asset portfolio using an automated platform.

IT asset management (ITAM) is foundational to an effective cybersecurity risk management strategy, which in turn supports an organization's overall enterprise risk management strategy.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
