# IT asset inventory

**What is an IT asset inventory?**

An IT asset inventory is an up to date list of every device, application, account and service your business uses. It records what exists, where it runs and who is responsible for it. The inventory is the basis for updates, backups and any response to a security incident.

Whatever is unknown in your IT goes without maintenance and without backup. The old computer in the warehouse that controls a machine, the network storage device in the server room, the router in a branch office: equipment like this often runs for years without an update, because it appears on no list. An attacker still finds it, since automated scanners search the internet continuously for reachable devices.

An inventory covers every device with a network connection: servers, desktops, laptops, company phones, network storage, routers, firewalls, printers, cameras and machines with a controller. Add the applications in use together with their version, the cloud services and subscriptions, the user and administrator accounts, the access held by external service providers, your internet domains and your backups. For each entry, record who is responsible and how long the manufacturer will still supply security updates.

A simple spreadsheet with a few columns is enough to begin: name, location, operating system and version, responsible person, end of manufacturer support, and whether the device is backed up. Two sources help you fill it in: the device list in your router, which shows everything currently connected, and your accounts department, where the invoices for software subscriptions and cloud services are filed. After that, a fixed appointment once a quarter keeps the list current.

Three questions show whether your inventory does its job. Can you say within a few minutes how many servers and how many workstations are in operation? When an employee leaves, do you know which accounts and access routes have to be closed? After a security incident, can you name the devices that might be affected? The inventory also supports the record of processing activities required by Article 30 of the General Data Protection Regulation, meaning the overview of which personal data is processed for which purpose, because it shows where that data is held.

Taking stock on site is part of the vetosec IT Check. Data capture is read-only, meaning we only read and document, and it runs without interruption while your business carries on. Within 14 working days you receive the documented findings, which also give you a starting point for an inventory you then maintain yourself.

## Related terms
- [Attack surface](https://vetosec.at/en/it-security/angriffsflaeche/)
- [Patch management and updates](https://vetosec.at/en/it-security/patch-management/)
- [Vulnerability scan](https://vetosec.at/en/it-security/schwachstellenscan/)
- [Permission model and least privilege](https://vetosec.at/en/it-security/berechtigungskonzept/)

## Source
https://vetosec.at/en/it-security/it-inventar/ (vetosec, grundlagen)
