Host Inventory Controls and Systems Survey: Evaluating the CIS Critical Security Control One in Higher Education Networks

Abstract

Within the field of information security, the identification of what we are trying to secure is essential to reducing risk. In private networks, this means understanding the classification of host end-points, identifying responsible users, and knowing the location of hosts. For the context of this paper, the authors are considering the challenges faced by higher education institutions in implementing the first Center for Internet Security (CIS) Critical Security Control: inventory of authorized and unauthorized devices. The authors developed and conducted a survey of chief information security officers at these institutions. The survey evaluated their confidence in meeting the goals of host inventory tracking. The results of the survey, along with analysis of the implications for information security operations, are presented in this paper. Changes in technology, such as BYOD, IoT, wireless, virtual machines, and application containers, are contributing to changes in the effectiveness of host inventory controls.