
The Importance of Asset Management in CCM

“You can’t secure what you don’t know about.” This adage is the driving force behind making Asset Management the logical starting point for Continuous Controls Monitoring. Assets – be they devices, servers, applications, or data repositories – are the foundation of all other security controls. If your asset inventory is incomplete or outdated, any continuous monitoring effort may be left with blind spots. Many security frameworks highlight this: for example, the very first CIS Critical Security Control is to inventory and control assets because “you cannot defend devices and networks you don’t know about”. In the context of CCM, continuously monitoring asset management means ensuring you have an up-to-date picture of all assets and that controls like asset tracking, classification, and ownership are functioning. In Part 3, we’ll explore how to implement continuous monitoring for asset management both in cloud environments and on-premises, ensuring this critical foundational control remains effective.

Continuous Asset Discovery and Inventory

Traditional asset management might involve updating a CMDB (Configuration Management Database) every so often or running network scans quarterly. Continuous monitoring takes this further. The goal is to have near-real-time awareness of new assets, changed assets, or decommissioned ones. How to do this? Leverage automated discovery tools:

  • In cloud environments, use services like AWS Config, Azure Resource Graph, or third-party tools to automatically detect new instances, databases, containers, etc. These services can trigger events when a new resource appears. For instance, AWS Config can be set to evaluate rules whenever a resource is created or modified.
  • On corporate networks, implement passive network monitoring or scheduled active scans to find devices. Modern solutions can listen for new devices broadcasting or pulling DHCP addresses. Agent-based asset discovery (like an endpoint agent that reports in when installed on a new machine) also helps.
  • Integrate with change management: whenever IT deploys something new or changes an asset, a hook should update the inventory. Continuous monitoring here could mean a daily job that reconciles actual discovered assets vs. the inventory list and flags discrepancies.

A practical metric for CCM could be: “Number of unauthorized or untracked assets detected in the environment.” If your processes are sound, this number should trend toward zero. If an unknown server pops up, CCM should flag it immediately for investigation (Is it rogue? Was it deployed outside the standard process?). APRA CPS 234 implicitly touches this area by requiring up-to-date asset inventories and change processes (to avoid security gaps).
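The daily reconciliation job described above, as an added example (not code from the original article or from any product it names). It assumes both feeds can be keyed on MAC address; the field names and sample records are constructed.

```python
def normalise(mac):
    """Canonical MAC form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(discovered, inventory):
    """Compare one discovery run with the inventory export.

    discovered: dicts with 'mac', 'ip', 'hostname' (scanner or DHCP output)
    inventory:  dicts with 'mac', 'asset_id', 'status' ('active' or 'retired')
    """
    inv = {normalise(r["mac"]): r for r in inventory}
    seen = {normalise(d["mac"]): d for d in discovered}

    # On the network but absent from the inventory: investigate as rogue/shadow IT.
    untracked = [d for mac, d in seen.items() if mac not in inv]
    # Marked retired in the inventory yet still answering on the network.
    retired_but_live = [inv[m]["asset_id"] for m in seen
                        if m in inv and inv[m]["status"] == "retired"]
    # Active on paper but not observed: stale record or a discovery blind spot.
    not_seen = [r["asset_id"] for m, r in inv.items()
                if r["status"] == "active" and m not in seen]
    # Inventory accuracy = discovered assets that are known / assets discovered.
    known = len(seen) - len(untracked)
    accuracy = round(100.0 * known / len(seen), 1) if seen else 100.0
    return {"untracked": untracked, "retired_but_live": retired_but_live,
            "not_seen": not_seen, "accuracy_pct": accuracy}


# Constructed sample data (not from a real network).
DISCOVERED = [
    {"mac": "AA-BB-CC-00-00-01", "ip": "10.0.0.11", "hostname": "web01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.12", "hostname": "db01"},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.0.0.77", "hostname": "unknown-77"},
    {"mac": "aa:bb:cc:00:00:04", "ip": "10.0.0.14", "hostname": "old-ftp"},
]
INVENTORY = [
    {"mac": "aa:bb:cc:00:00:01", "asset_id": "A-001", "status": "active"},
    {"mac": "aa:bb:cc:00:00:02", "asset_id": "A-002", "status": "active"},
    {"mac": "aa:bb:cc:00:00:03", "asset_id": "A-003", "status": "active"},
    {"mac": "aa:bb:cc:00:00:04", "asset_id": "A-004", "status": "retired"},
]

if __name__ == "__main__":
    for finding, value in reconcile(DISCOVERED, INVENTORY).items():
        print(finding, value)
```

The length of `untracked` is the "unauthorized or untracked assets" count; `not_seen` is worth tracking separately because it can mean a stale record or a segment the scanner cannot reach.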

Monitoring Asset Attributes (Classification, Ownership)

It’s not just about knowing an asset exists – you also need to monitor key attributes of assets that drive security decisions:

  • Ownership: Every asset should have an owner (person or team responsible). Continuous monitoring can check that each asset record in the inventory has an owner assigned, and alert if something is “orphaned.” This is important for accountability; a system with no owner might not get patched or monitored. For example, RFFR and ISO 27001 both expect asset ownership to be defined.
  • Classification: If you use data or asset classification (public, internal, confidential, etc.), ensure assets are classified and monitor that classification is present. Why? Because many controls’ strictness (encryption, access, etc.) depend on classification. A continuous check could be “All databases storing customer data are flagged as Confidential in the inventory.” If one isn’t, that’s a gap to fix (either classify it properly or if it’s mis-classified, perhaps controls aren’t sufficient).
  • Critical Asset List: Many organisations maintain a list of “critical” assets (for business continuity or security). Continuous monitoring should validate that this list is accurate – e.g., if a system’s usage spikes or new critical processes start running on it, maybe it should be re-classified as critical. This veers into asset behavior monitoring, which advanced programs do (using AI or analytics to detect when an asset’s importance is greater than assumed).

By continuously validating these attributes, you maintain a robust asset governance posture. It aligns with frameworks like ISO 27001’s section on asset management (A.8), which mandates asset inventories and ownership – now you’ll have automated evidence that those are in place and current.

Hardware and Software Inventory (including Shadow IT)

Asset management covers both hardware and software. Continuous monitoring of software assets (applications, services, versions) is just as crucial:

  • Deploy tools or agents that inventory software installed on endpoints and servers regularly. Many endpoint management tools can dump software lists. Cross-reference these against an approved software list. CCM can then alert on unauthorised software appearing (which could indicate a user installing something they shouldn’t, or even malware). This ties to Essential 8’s Application Control: ensuring only approved apps run. If your CCM sees a new EXE running on multiple PCs that’s not in the approved list, that’s a red flag to investigate – possibly an early catch of malicious activity or just an opportunity to enforce policy.
  • In cloud, software inventory might mean tracking versions of container images or functions. Continuous scanning of container registries or IaC (Infrastructure as Code) definitions can alert on outdated or vulnerable components.
  • Shadow IT: Continuous asset discovery often shines a light on “shadow IT” – systems or apps spun up without central IT’s knowledge (e.g., an engineer runs an unofficial server). By comparing network scan results with the official inventory, you’ll catch these. Once caught, they can be brought under governance or shut down. This is a common challenge and continuous monitoring is one of the best defenses; numerous breaches have occurred via forgotten or rogue assets.

Ensuring Essential Asset Controls (like AV, Encryption) Are Present

Asset monitoring can also verify that mandatory security agents or configurations are present on each asset. For example:

  • Antivirus/EDR deployment: Continuous monitoring can pull a list of all devices and check if each has reported in to the antivirus console. If a device is not seen by the AV or EDR system in X days, that’s an alert – it might mean AV was turned off or the device is off network (which itself is a risk if it reconnects unprotected). An example metric: “% of assets with functioning anti-malware protection”, which should ideally be 100%.
  • Encryption status: If you require laptops to be encrypted, your endpoint management can often report compliance. Continuous control: “All company laptops have drive encryption enabled.” If an endpoint shows up without encryption (maybe a new laptop that wasn’t configured properly), CCM immediately flags it so IT can remediate.
  • Backup agent installed: For critical servers, ensure backup agents are running. Continuous check might list servers not seen by the backup system.
  • Configuration baselines: Although detailed config monitoring is a topic on its own in Part 5, at the asset level you can do a quick baseline check – e.g., is the firewall on for all endpoints, is auto-update enabled, etc.

By integrating these checks, asset management CCM overlaps with other domains (like malware protection) but from an inventory perspective: it’s making sure every asset that should have a given control does have it. This directly supports compliance too – for example, ASD Essential 8 expects organizations to monitor that controls like application control and AV are actually deployed to all systems.
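One way to run the coverage checks above from the inventory's point of view, as an added example (not code from the original article). The input shapes, the 7-day threshold standing in for "X days", and the rule that encryption applies to laptops only are assumptions; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone


def control_coverage(inventory, edr_last_seen, encrypted_hosts, now, max_age_days=7):
    """Return (gaps per host, % of assets with a current EDR check-in).

    inventory:       dicts with 'host' and 'type' ('laptop', 'server', ...)
    edr_last_seen:   {host: ISO-8601 timestamp of the last EDR check-in}
    encrypted_hosts: hosts the endpoint manager reports as encrypted
    """
    cutoff = now - timedelta(days=max_age_days)
    gaps = {}
    for asset in inventory:
        host, issues = asset["host"], []
        seen = edr_last_seen.get(host)
        if seen is None:
            # In the inventory, unknown to the EDR console: agent never installed.
            issues.append("edr:never_reported")
        elif datetime.fromisoformat(seen) < cutoff:
            # Agent existed once but has gone quiet (disabled, or device off network).
            issues.append("edr:stale")
        if asset["type"] == "laptop" and host not in encrypted_hosts:
            issues.append("encryption:missing")
        if issues:
            gaps[host] = issues
    edr_ok = sum(1 for a in inventory
                 if not any(i.startswith("edr:") for i in gaps.get(a["host"], [])))
    pct = round(100.0 * edr_ok / len(inventory), 1) if inventory else 100.0
    return gaps, pct


# Constructed sample data.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
ASSETS = [
    {"host": "lt-001", "type": "laptop"},
    {"host": "lt-002", "type": "laptop"},
    {"host": "srv-db01", "type": "server"},
    {"host": "srv-web01", "type": "server"},
]
EDR_LAST_SEEN = {
    "lt-001": "2024-06-15T09:30:00+00:00",
    "lt-002": "2024-06-01T08:00:00+00:00",
    "srv-db01": "2024-06-14T23:00:00+00:00",
}
ENCRYPTED = {"lt-001"}

if __name__ == "__main__":
    print(control_coverage(ASSETS, EDR_LAST_SEEN, ENCRYPTED, NOW))
```

Driving the loop from the inventory rather than from the EDR console is what surfaces `edr:never_reported`: a device the console has never seen cannot appear in the console's own compliance report.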

Tools and Techniques

To implement continuous asset monitoring, here are some approaches:

CMDB Sync + Discovery: Use a CMDB that supports automated discovery integration. Many ITSM/CMDB solutions (ServiceNow, etc.) can import scan data. Set them to update frequently and have a status for “discovered not in CMDB” to prompt action.

Network Scanning: Run low-impact network scans regularly to find new IPs. There are “continuous scan” modes or distributed sensors that can detect new devices in near real-time.

Cloud Inventory APIs: Poll cloud infrastructure APIs (or use push-based events) to get a list of all resources. Compare it with tagged/known resources. Many organizations implement tagging standards (e.g., every cloud resource must have an “Owner” and “Project” tag). Continuous checks can find any resource lacking required tags or belonging to an unknown project – indicating potential shadow IT or mis-tagging.

Dedicated Asset Management Tools: There are modern tools focused on attack surface management that continuously look for assets (including internet-facing ones). These can be leveraged to feed your internal asset register as well.

Integration with DevOps: If your org uses Infrastructure as Code (Terraform, etc.), integrate CCM such that whenever new infrastructure is deployed, it’s automatically registered in the inventory and monitoring. This way, continuous monitoring is baked into the DevOps pipeline.

MyRISK GRC Integration and Automation: MyRISK acts as a central hub for ingesting data from discovery tools, cloud APIs, and CMDBs. It can use workflow automation to correlate asset data, flag gaps, and initiate corrective actions. MyRISK’s AI agents can continuously scan for control failures—such as untagged resources, orphaned assets, or policy violations—and escalate issues through configurable workflows. This ensures near real-time visibility and governance over all assets, whether on-premises, in the cloud, or in CI/CD pipelines.

Real-World Challenge: Keeping Up with Cloud and Containers

Asset management is especially challenging in the cloud era, where assets are ephemeral. A VM might spin up for an hour, do some work, and terminate. Traditional asset inventories might miss it. Continuous monitoring in cloud should account for this via real-time events. Use CloudTrail logs or serverless functions triggered on resource creation to immediately log those assets. Even if ephemeral, it’s important to record them (for cost and security). For example, a continuous control could be “No untagged EC2 instances running” – which ensures even short-lived instances have the proper tags if they run (or else you catch them and can investigate who launched them). Container orchestration is similar: use Kubernetes admission controllers or monitoring to track what pods ran. This is advanced, but mature CCM in cloud goes to that level of granularity.
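The event-driven control described above, as an added example (not code from the original article): a handler that turns a RunInstances audit record into an inventory entry and flags missing required tags. The sample records are constructed and trimmed to the fields used, and the Owner/Project requirement is the tagging standard the article gives as an example.

```python
REQUIRED_TAGS = {"Owner", "Project"}  # assumed tagging standard


def assets_from_run_instances(event):
    """Turn one RunInstances record into inventory entries, flagging tag gaps."""
    if event.get("eventName") != "RunInstances" or event.get("errorCode"):
        return []  # some other API call, or a launch that failed
    tags = {}
    spec = (event.get("requestParameters") or {}).get("tagSpecificationSet") or {}
    for item in spec.get("items", []):
        if item.get("resourceType") == "instance":
            tags.update({t["key"]: t.get("value") or "" for t in item.get("tags", [])})
    # A required tag with an empty value does not identify an owner either.
    missing = sorted(k for k in REQUIRED_TAGS if not tags.get(k, "").strip())
    response = (event.get("responseElements") or {}).get("instancesSet") or {}
    return [{
        "asset_id": inst["instanceId"],
        "first_seen": event["eventTime"],  # kept even if the VM lives one hour
        "launched_by": event["userIdentity"].get("arn", "unknown"),
        "region": event.get("awsRegion"),
        "missing_tags": missing,
    } for inst in response.get("items", [])]


# Constructed records; account ID, users and instance IDs are placeholders.
TAGGED = {
    "eventName": "RunInstances", "eventTime": "2024-06-15T10:02:11Z",
    "awsRegion": "ap-southeast-2",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
    "requestParameters": {"tagSpecificationSet": {"items": [
        {"resourceType": "instance", "tags": [
            {"key": "Owner", "value": "payments-team"},
            {"key": "Project", "value": "ledger"}]}]}},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0aaa0000000000001"}]}},
}
UNTAGGED = {
    **TAGGED, "eventTime": "2024-06-15T10:05:40Z",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/j.doe"},
    "requestParameters": {},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0aaa0000000000002"}]}},
}
FAILED = {**TAGGED, "errorCode": "Client.UnauthorizedOperation",
          "responseElements": None}

if __name__ == "__main__":
    for record in (TAGGED, UNTAGGED, FAILED):
        print(assets_from_run_instances(record))
```

Tags applied after launch in a separate call do not appear in the launch record, so a flagged instance should be re-checked against its current tags before the finding is escalated.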

Metrics and Compliance Reporting

When reporting on asset management in CCM, some useful metrics:

  • Asset inventory accuracy (%): e.g., “98% of assets in the environment are accounted for in the CMDB.” You can derive this by (assets known)/(assets discovered).
  • Time to detect new asset: measure how long between a device appearing and it being inventoried. Continuous monitoring should drive this down. Perhaps your target is under 24 hours.
  • Unauthorised assets count: number of assets in a given period that were flagged as unauthorised (no owner, not approved). Track trend – goal is zero.
  • Asset control coverage: e.g., “100% of servers have security agent X installed” – perhaps showing any exceptions.

Framework tie-ins: ISO 27001 auditors will love to see evidence like “automated discovery scans run daily and feed our inventory, any discrepancies are investigated within 1 day”. It demonstrates a level of control well above minimum. Regulators like APRA also implicitly expect that kind of rigour, since maintaining an accurate asset register is the linchpin of several CPS 234 requirements (change management, incident scope, etc.). ACSC Essential Eight’s maturity model for “Inventory of authorized hardware and software” (if extended from CIS) would basically be met with such a continuous system.

Conclusion

By continuously monitoring asset management, you create a living, breathing asset register that underpins all other security efforts. This addresses one of the most common failure points in security: unknown assets. With this in place, subsequent parts of your CCM – whether it’s monitoring vulnerabilities, configurations, or incidents – will be far more effective because they’ll cover the whole environment. Asset management is often considered boring table-stakes, but when done continuously and correctly, it’s a powerful security control in itself. Part 3 has shown how to get there.

In Part 4, we will build on this foundation and discuss Continuous Monitoring of Identity and Access Management – ensuring the right people (and only the right people) have access, and catching any anomalies in real-time. Stay tuned, and keep a close eye on those assets!
