ISO/IEC 27001 Control 5.9: Inventory of information and other associated assets
Control
An inventory of information and other associated assets, including owners, should be developed and maintained.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can manage applications, roles and entitlements that are closely related to assets.
Implementation Details
The application inventory capability of midPoint is an essential first step in cataloging assets. MidPoint's capability to maintain various relations between objects (object governance) can be used to track owners of applications, roles and other asset-related objects. Applications can be classified, and policy rules can then set classification-specific requirements and policies on them. Applications without owners or classifications can be reported and displayed on dashboards. Application roles are linked to the application, enabling application-level policies to be applied to all users of the application. When a dedicated application inventory or asset management system is available, midPoint can automatically synchronize the data into its own repository, increasing automation. Organizations (orgs) can group applications (and other assets) in order to organize them and apply consistent policies.
Implementation Notes
- Applications are "archetyped" services in midPoint, i.e. applications are services that have the "Application" archetype applied.
- Applications act as an approximation of assets in the current midPoint asset management model. This roughly aligns with the underlying technological representation of assets, and it is a practical method for many organizations. A dedicated concept of "asset" is likely to appear in future midPoint versions. Other service-like objects can be assets too (servers, devices, virtual machines), as can organization-like objects (facilities, localities).
- Users (personnel) are assets too, naturally inventoried in the midPoint identity repository.
Rationale
MidPoint can couple application inventory and asset management with identity and access control management, providing visibility, automation, and policy evaluation and enforcement. When necessary, midPoint can act as an application inventory system, even covering parts of asset management.