Add Resource Inventory#33

Open: anatheka wants to merge 30 commits into main from 27-add-inventory-metrics
@anatheka anatheka commented Feb 7, 2025

Collaborator

I'm not sure if this metric is sufficient. It’s possible that we may not have a discovery for a specific resource. In that case, the metric would appear compliant, but we would be missing that resource, which should classify the metric as non-compliant.

Another possibility is that the CSP or another provider has this inventory. In that scenario, we should consider adding a property to the Ontology and verifying it. This would be my preferred approach. @anatheka

@anatheka anatheka linked an issue Feb 7, 2025 that may be closed by this pull request
1 task
@anatheka anatheka self-assigned this Feb 7, 2025
@anatheka anatheka requested a review from immqu February 7, 2025 13:30

anatheka commented Feb 12, 2025

Collaborator Author

Recheck in EUCS and C5 which levels of manifestation exist and which are relevant.

@anatheka anatheka marked this pull request as draft February 12, 2025 12:43

immqu commented Feb 18, 2025

Collaborator

Some requirements from the EUCS:

  • The CSP shall define and implement policies and procedures for maintaining an inventory of assets.
  • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01.
  • The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.
  • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.
  • The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.
  • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.
  • The information about assets shall be considered by monitoring applications to identify the impact on cloud services in case of events that could lead to a breach of information security objectives, and to support information provided to affected cloud customers in accordance with contractual agreements.
  • The CSP shall automatically monitor the process performing the inventory of assets to guarantee it is up-to-date.

But the first question is how we integrate an "inventory" into the ontology. Do you think it should be an Infrastructure resource @anatheka ? In practice, it could be a commercial inventory software or a cloud service.


anatheka commented Jul 4, 2025

Collaborator Author

> Some requirements from the EUCS:
>
>   • The CSP shall define and implement policies and procedures for maintaining an inventory of assets.
>   • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01.
>   • The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.
>   • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.
>   • The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.
>   • The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.
>   • The information about assets shall be considered by monitoring applications to identify the impact on cloud services in case of events that could lead to a breach of information security objectives, and to support information provided to affected cloud customers in accordance with contractual agreements.
>   • The CSP shall automatically monitor the process performing the inventory of assets to guarantee it is up-to-date.
>
> But the first question is how we integrate an "inventory" into the ontology. Do you think it should be an Infrastructure resource @anatheka ? In practice, it could be a commercial inventory software or a cloud service.

Yes, I believe you’re right—it could be either an infrastructure resource or a third-party tool/service.

@anatheka anatheka left a comment

Collaborator Author

I haven't looked at the ontology file. I do not understand why there are so many changes in one commit.

Comment thread metrics/Inventory/AutomaticDiscoveryEnabled/AutomaticDiscoveryEnabled.yml Outdated
Comment thread metrics/Inventory/AutomaticDiscoveryEnabled/AutomaticDiscoveryEnabled.yml Outdated
Comment thread metrics/Inventory/ResourceInventoryEnabled/ResourceInventoryEnabled.yml Outdated
Comment thread metrics/Inventory/ResourceInventoryEnabled/ResourceInventoryEnabled.yml Outdated
@anatheka anatheka marked this pull request as ready for review January 27, 2026 09:18
Development

Successfully merging this pull request may close these issues.

Add Inventory metrics

2 participants