The Holy Grail: The Search for the Perfect Inventory Record

Wednesday, April 29, 2026 | 9:45AM–10:30AM PT | California Promenade, Second Floor
Session Type: Poster
Delivery Format: Poster Session
IT assets are more than just hardware and software information. Assets classes should include (1) hardware info; (2) data info; (3) software info; (4) user info; (5) network info; and (6) documentation. When there's an incident, we need to answer questions quickly in order to decide the level of response needed. To answer the "is this a data breach or plain compromise?" question, we need to answer these questions: (a.) Given an IP address, how does one find the business process associated with that machine? (b.) Was there high risk data on the device? (c.) How critical is that process to the university? (d.) Have all of the assets associated with a business process been recorded in the inventory database? (e.) What information categories (fields) should be included in a risk management asset inventory? Assets are not just hardware, software, or even data. Linking hardware, software and data inventories to business process high-level data flows is the new challenge in inventory management. Vendor solutions don't provide a single, comprehensive inventory record. This presentation will discuss some background and propose some ways to create a comprehensive inventory (the Holy Grail). We'll start off by defining what we think should be included in inventory records; describe the various sources of information for a general inventory database; and describe a pathway to address this problem.

Presenters

  • Randy Marchany

    University IT Security Officer, Virginia Tech

Resources & Downloads

  • A poster describing an inventory process

    Updated on 4/14/2026