Insider Threat Matrix™
  • ID: PV075
  • Created: 22nd October 2025
  • Updated: 22nd October 2025
  • Contributor: David Larsen

Centralized Asset Inventory Control

Maintain a centralized, enforceable inventory of all enterprise-issued assets, with strong identity attribution. Assets such as laptops, mobile devices, removable media, and developer hardware must be provisioned through a controlled process, with their issuance, reassignment, and return tied to a single authoritative system. Failure to implement this control undermines visibility, frustrates post-incident reconstruction, and enables subjects to operate untracked or pseudonymously, because there is no authoritative means to attribute an asset to a subject.

Centralized asset inventory is not merely a logistical requirement; it is a foundational investigative control that enables attribution and identification across an organization's population.

Centralized Provisioning
All enterprise assets must be provisioned through a formal request-and-approval process managed by a single system of record (e.g., ServiceNow, Lansweeper, or equivalent). No devices should be issued without a documented change entry.


Persistent Identifiers
Each asset must be recorded with at least one hardware identifier (e.g., serial number, MAC address) and one software-level identifier (e.g., hostname, device GUID). These identifiers must persist across asset lifecycle events (provisioning, reassignment, decommissioning).


Subject Binding
Asset records must be explicitly bound to a subject using identity fields sourced from centralized systems. Required fields include:

  • Active Directory username (sAMAccountName)
  • Email address
  • HR-assigned employee ID
  • Manager or business unit affiliation
  • Employment status (e.g., contractor, full-time, intern)


System Integration with HRIS
Asset inventory systems must integrate with the organization’s HR information system (HRIS) to ensure accurate identity attribution. Identity records must update automatically upon onboarding, transfer, or termination.


Access Enforcement
Devices not present in the inventory system must be blocked from:

  • Network access (via NAC or DHCP enforcement)
  • Corporate VPN or remote access platforms
  • Enterprise SSO and SaaS authentication flows


Lifecycle Auditing
Asset inventory records must log all changes, including:

  • Provisioning events
  • Subject reassignments
  • Transfers between business units
  • Decommissioning or disposal actions


These logs must be exportable for investigative review and retained per incident response policy.


Inventory Reconciliation
A quarterly reconciliation process must occur between the asset management system and identity directory. Any orphaned, duplicate, or unassigned assets must trigger formal review.
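The reconciliation pass described above, as an added example that is not part of this ITM entry: it compares constructed asset records against constructed directory/HRIS records and flags orphaned assets (bound to a terminated or unknown identity), duplicate hardware identifiers, and unassigned assets, each of which should trigger formal review. The record layouts, field names, and sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Asset:
    serial: str             # hardware identifier recorded at provisioning
    hostname: str           # software-level identifier
    owner: Optional[str]    # sAMAccountName bound to the asset; None if unassigned

@dataclass(frozen=True)
class Identity:
    sam: str                # Active Directory username (sAMAccountName)
    employee_id: str        # HR-assigned employee ID
    status: str             # HRIS employment status, e.g. full-time, contractor, terminated

def reconcile(assets: List[Asset], directory: List[Identity]) -> Dict[str, List[str]]:
    """Return asset serials grouped by finding category (orphaned/duplicate/unassigned)."""
    by_sam = {ident.sam: ident for ident in directory}
    findings: Dict[str, List[str]] = {"orphaned": [], "duplicate": [], "unassigned": []}
    seen_serials = set()
    for asset in assets:
        # The same hardware identifier must not appear in two live records.
        if asset.serial in seen_serials:
            findings["duplicate"].append(asset.serial)
        seen_serials.add(asset.serial)
        # No subject bound at all: the asset cannot be attributed to anyone.
        if asset.owner is None:
            findings["unassigned"].append(asset.serial)
            continue
        # Bound to an identity the directory no longer knows, or one HRIS marks terminated.
        ident = by_sam.get(asset.owner)
        if ident is None or ident.status == "terminated":
            findings["orphaned"].append(asset.serial)
    return findings

def needs_formal_review(findings: Dict[str, List[str]]) -> bool:
    """Any orphaned, duplicate, or unassigned asset triggers formal review."""
    return any(findings.values())

# Constructed sample data for the example (not real inventory).
ASSETS = [
    Asset("SN-1001", "lt-alice-01", "alice"),
    Asset("SN-1002", "lt-bob-01", "bob"),        # bob is terminated in HRIS
    Asset("SN-1003", "lt-spare-03", None),       # never bound to a subject
    Asset("SN-1001", "lt-alice-02", "alice"),    # duplicate serial
    Asset("SN-1004", "lt-ghost-01", "mallory"),  # owner absent from the directory
]
DIRECTORY = [Identity("alice", "E100", "full-time"), Identity("bob", "E101", "terminated")]

if __name__ == "__main__":
    print(reconcile(ASSETS, DIRECTORY))
```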

Investigator Considerations

  • During an insider threat investigation, asset-to-identity linkage provides immediate context on who possessed what device at any given time. It allows correlation of device telemetry (e.g., EDR data) with human actions.
  • Unregistered or misattributed assets may indicate provisioning bypass, unauthorized hardware introduction, or deliberate obfuscation—each of which may constitute preparatory behavior.

Sections

ME001.001: Access to Asset Past Termination

The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.


This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows.

IF015.002: Theft of a Corporate Mobile Phone

A subject steals a corporate mobile phone belonging to an organization.

IF015.001: Theft of a Corporate Laptop

A subject steals a corporate laptop belonging to an organization.

IF015.004: Theft of Non-Digital Assets

A subject steals non-digital assets, such as physical documents, belonging to an organization.