System Inventory Process

An effective system security program and workable certification and accreditation program rely on a sound process for identifying and inventorying all the information systems under the control of an organization. Anyone who participated in inventorying systems as part of the Y2K effort knows how imposing a task this can be. The difficulty in inventorying information technology assets is caused by the lack of understanding of what constitutes a system, the failure to distinguish between systems, the rapid rate of creation of new systems, and then the failure to monitor the information technology operating environment. Yet, it is important that a reliable and complete system inventory be created and maintained because it is one of the most important steps in certification and accreditation. The goal of the systems inventory process is to provide assurance that systems requiring protection have been identified and are included in security planning and oversight.