The main teams tackling the PIR were the vulnerability management team and the asset management team. Each team had a separate process to track its inventories.
The asset management team's process required system owners to log the systems they put on the network in a central database and track them through the test, development, and production environments:
- Item #1: Process control is not centralized
- Item #2: Systems can be put on the network without any accountability of ownership at the local offices
As most commercial scanning tools are subscription-based, the vulnerability management team was responsible for keeping its toolset inventories up to date. This was done by reconciling the toolset database against the asset management team's central database:
- Item #3: Discovery scanning is only being done on production networks
- Item #4: If the central database is not being maintained for production networks, the vulnerability scanning team is not providing the most accurate reports
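The reconciliation described above can be sketched as follows. This is an added example, not taken from the original text; the CSV column names, the `reconcile` function, and the sample records are constructed assumptions standing in for exports from the scanning toolset and the central asset database.

```python
import csv
import io
import ipaddress

# Constructed sample exports; column names are assumptions, not from the text.
CMDB_CSV = """ip,hostname,owner,environment
10.0.1.10,web01,alice,production
10.0.1.11,db01,bob,production
10.0.2.20,build01,carol,development
10.0.3.30,qa01,,test
"""

SCANNER_CSV = """ip,last_scanned
10.0.1.10,2024-05-01
10.0.1.11,2024-05-01
10.0.1.99,2024-05-01
"""

def load(text):
    """Parse a CSV export into a dict keyed by normalized IP address."""
    rows = csv.DictReader(io.StringIO(text))
    return {str(ipaddress.ip_address(r["ip"].strip())): r for r in rows}

def reconcile(cmdb_text, scanner_text):
    """Compare the central asset database with the scanner inventory."""
    cmdb, scanner = load(cmdb_text), load(scanner_text)
    # Seen by the scanner but never logged: no accountable owner (Item #2),
    # and evidence that the central database is stale (Item #4).
    unregistered = sorted(set(scanner) - set(cmdb))
    # Logged but never scanned, grouped by environment; non-production
    # entries here reflect the discovery-scanning gap in Item #3.
    unscanned = {}
    for ip in sorted(set(cmdb) - set(scanner)):
        unscanned.setdefault(cmdb[ip]["environment"], []).append(ip)
    # Logged with an empty owner field.
    ownerless = sorted(ip for ip, r in cmdb.items() if not r["owner"].strip())
    return {"unregistered": unregistered,
            "unscanned": unscanned,
            "ownerless": ownerless}

if __name__ == "__main__":
    for finding, assets in reconcile(CMDB_CSV, SCANNER_CSV).items():
        print(f"{finding}: {assets}")
```
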