ID.AM-08.141

Does your organization have a formal process to periodically identify and remove redundant systems, hardware, software, and services that could unnecessarily increase your attack surface?

Explanation

Redundant or unnecessary systems and components expand your organization's attack surface, creating additional entry points for attackers while increasing maintenance overhead. These might include legacy systems no longer in active use, duplicate software installations, orphaned cloud resources, or services running without business justification. Evidence of fulfillment could include a documented inventory management process with timestamps of regular reviews, decommissioning procedures, and records of systems/software that have been identified as redundant and subsequently removed or consolidated. Screenshots of asset management tools showing regular cleanup activities would also serve as supporting evidence.

Implementation Example

Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface

ID: ID.AM-08.141

Context

Function: IDENTIFY (ID)
Category: Asset Management (ID.AM)
Sub-Category: Systems, hardware, software, services, and data are managed throughout their life cycles

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub