The main teams to tackle the PIR were the vulnerability management team and the asset management team. Each of the teams had a separate process to track the inventories.

The asset management team's process required that system owners log their systems that they put on the network in a central database and track them through the test, development, and production environments:

• Item #1: Process control is not centralized 
• Item #2: Systems can be put on the network without any accountability of ownership at the local offices

As most commercial scanning tools are subscription-based, the vulnerability management team was responsible for keeping their toolset inventories up to date. This was done with a reconciliation between the toolset database and the asset management team's central database:

• Item #3: Discovery scanning is only being done on production networks
• Item #4: If the central database is not being maintained for production networks, the vulnerability scanning team is not providing the most accurate reports