The inventory process, i.e. the assessment of assets and implemented countermeasures, consumes a significant amount of time in the risk and compliance management process. Assets and countermeasures have to be identified and classified in terms of their confidentiality, integrity and availability requirements. Depending on the organization's size, this process may cover thousands of assets and countermeasures. This paper presents a novel inventory approach for assets and already implemented technical, physical and organizational countermeasures (based on tools for network device mapping, software inventory, asset management, etc.). To efficiently assess implemented organizational countermeasures (policies, guidelines, etc.), we developed a keyword- and rule-based approach which automatically identifies existing policies in the ISO 27002 control context. The method and its implementation support medium-sized and large organizations in efficiently assessing assets and implemented countermeasures by largely automating the inventory process. The method is not bound to any organization type or industry sector.
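The keyword- and rule-based identification of organizational countermeasures sketched above can be illustrated with a small classifier that maps policy documents to ISO 27002 control areas and reports which areas no document covers. The following is an added example and not the paper's own tool or keyword sets: the keyword patterns, gate rules, score threshold and policy snippets are all constructed for illustration, and only the four ISO 27002:2013 clause numbers and titles used as keys are real.

```python
import re

# Hypothetical keyword/rule map, assumed for illustration (not the paper's own sets).
# Keys are ISO 27002:2013 clause numbers and titles. For each control, "keywords" are
# scored patterns and "gates" are rules of which at least one must fire for a match;
# the gate prevents a single common word (e.g. "keys") from assigning a control alone.
CONTROL_RULES = {
    "9 Access control": {
        "keywords": [r"\baccess\b", r"\bpasswords?\b", r"\bprivileges?\b",
                     r"\bauthenticat\w+", r"\baccounts?\b"],
        "gates": [r"\baccess\b.{0,40}\b(rights?|control|privileges?)\b"],
    },
    "10 Cryptography": {
        "keywords": [r"\bencrypt\w*", r"\bcryptograph\w+", r"\bkeys?\b", r"\bciphers?\b"],
        "gates": [r"\bencrypt\w*"],
    },
    "11 Physical and environmental security": {
        "keywords": [r"\bbadges?\b", r"\bvisitors?\b", r"\bserver rooms?\b",
                     r"\bphysical\b", r"\bescort\w*"],
        "gates": [r"\b(server rooms?|data cent(er|re)s?|visitors?)\b"],
    },
    "16 Information security incident management": {
        "keywords": [r"\bincidents?\b", r"\breport\w*", r"\bescalat\w+", r"\bbreach\w*"],
        "gates": [r"\bincidents?\b"],
    },
}

# Minimum number of distinct keyword hits (after the gate fires) to assign a control.
MIN_SCORE = 2


def score_policy(text, control_rules=CONTROL_RULES, min_score=MIN_SCORE):
    """Return {control: keyword_score} for every control whose gate fires on the
    policy text and whose keyword score reaches min_score."""
    lower = text.lower()
    result = {}
    for control, spec in control_rules.items():
        if not any(re.search(gate, lower) for gate in spec["gates"]):
            continue
        score = sum(1 for kw in spec["keywords"] if re.search(kw, lower))
        if score >= min_score:
            result[control] = score
    return result


def inventory(policies, control_rules=CONTROL_RULES):
    """Map each policy document to its controls and list the controls that no
    document covers (coverage gaps the assessor must review manually)."""
    assigned = {name: score_policy(text, control_rules) for name, text in policies.items()}
    covered = set().union(*(matches.keys() for matches in assigned.values()))
    gaps = sorted(set(control_rules) - covered)
    return assigned, gaps


# Constructed sample policy documents (file name -> text); not real organizational policies.
POLICIES = {
    "password_policy.txt": (
        "All user accounts must use a password of at least 12 characters. Access rights "
        "are reviewed quarterly and privileges are granted on a need-to-know basis."
    ),
    "laptop_encryption.txt": (
        "Laptops and removable media must be encrypted with full-disk encryption; "
        "encryption keys are managed by the IT department."
    ),
    "visitor_handling.txt": (
        "Visitors must sign in at reception, wear a badge and be escorted while in the server room."
    ),
    "cafeteria_hours.txt": "The cafeteria is open from 08:00 to 16:00 on working days.",
}


if __name__ == "__main__":
    assigned, gaps = inventory(POLICIES)
    for name, matches in assigned.items():
        print(f"{name}: {matches or 'no control matched'}")
    print("uncovered controls:", gaps)
```

Running the block assigns the password, encryption and visitor documents to clauses 9, 10 and 11 respectively, leaves the cafeteria notice unassigned, and reports clause 16 as uncovered, which is the kind of gap list an assessor would then work through by hand. The gate plus threshold design keeps false positives down; in practice the keyword sets would be tuned per organization and the threshold validated against a manually classified sample.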
Fenz, Stefan; Heurix, Johannes; and Neubauer, Thomas, "How to Increase the Inventory Efficiency in Information Security Risk and Compliance Management" (2015). ECIS 2015 Completed Research Papers. Paper 44.