CIS Control 1.2: Address Unauthorized Assets
Unauthorized devices on your network are a persistent security risk that many SMBs struggle to identify and remove consistently. CIS Control 1.2 requires you to establish a formal process to detect, assess, and remediate unauthorized assets on a weekly basis. Without systematic detection and response, these rogue devices become entry points for attackers.
What this means
Your organization must implement a documented, recurring process to identify devices connected to your network that lack proper authorization. Once detected, you must take deliberate action within a defined timeframe—either removing the asset from the network entirely, blocking remote access, or isolating it in quarantine. This control ensures visibility over every device and prevents unauthorized endpoints from becoming security liabilities.
How to comply
- 1.Establish a written asset authorization policy defining what qualifies as an authorized device and who approves new assets
- 2.Implement network discovery and monitoring tools to scan for connected devices at least weekly
- 3.Compare discovered assets against your authorized asset inventory to identify discrepancies
- 4.Document any unauthorized assets found, including device details, connection location, and risk level
- 5.Execute a response action within 7 days: remove from network, deny remote access, or move to isolated quarantine segment
- 6.Log all remediation actions and maintain records for audit purposes
- 7.Review and update your authorized asset inventory as new devices are approved
Evidence auditors look for
- Documented asset authorization policy and approval workflow
- Weekly network scan reports showing discovered vs. authorized devices
- Asset inventory spreadsheet or database with approval dates and owner information
- Remediation logs showing removal, access denial, or quarantine actions taken
- Change records documenting device moves, blocks, or disconnections
- Audit trail from network monitoring tool showing detection and response activities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates weekly asset discovery scans, flags unauthorized devices against your inventory, and tracks remediation actions—eliminating manual weekly audits and ensuring you never miss a rogue asset.
See how GRCWatch handles this control automatically
Start free trial