Does your organization have a formal process to periodically identify and remove redundant systems, hardware, software, and services that could unnecessarily increase your attack surface?
Explanation
Redundant or unnecessary systems and components expand your organization's attack surface, creating additional entry points for attackers while increasing maintenance overhead. These might include legacy systems no longer in active use, duplicate software installations, orphaned cloud resources, or services running without business justification.
Evidence of fulfillment could include a documented inventory management process with timestamps of regular reviews, decommissioning procedures, and records of systems/software that have been identified as redundant and subsequently removed or consolidated. Screenshots of asset management tools showing regular cleanup activities would also serve as supporting evidence.
Implementation Example
Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
ID: ID.AM-08.141
Context
- Function: IDENTIFY (ID)
- Category: ID.AM (Asset Management)
- Sub-Category: Systems, hardware, software, services, and data are managed throughout their life cycles
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?