When we kicked off this series with Control 1.1: Establish and Maintain a Detailed Enterprise Asset Inventory, we focused on the Identify security function. That control is about visibility—knowing what you have so you can protect it. Today, we move to Control 1.2: Address Unauthorized Assets, which falls under the Respond security function. This shift is critical because once you know what assets exist, the next step is acting on what shouldn’t be there.
Why This Control Is Important
Unauthorized assets are any devices, systems, or accounts that are not approved or documented in your organization’s asset inventory and lack explicit authorization to connect to your network or process organizational data. These can include:
- Unapproved hardware like personal laptops, rogue servers, or IoT devices.
- Shadow IT systems deployed without IT or security oversight.
- Unregistered cloud accounts or virtual machines outside sanctioned environments.
- Devices lacking proper ownership or approval status in your inventory.
Why does this matter? If your organization doesn’t control what connects to its network, you can’t guarantee data security. The risks range from data leaks to failed conditional access policies, and even network segmentation inconsistencies. In short, unauthorized assets create blind spots that attackers love to exploit.
How Control 1.2 Builds on Control 1.1
Control 1.2 depends on the foundation laid by Control 1.1. If you haven’t established a detailed asset inventory, identifying unauthorized assets becomes nearly impossible. Think of it this way: you can’t spot an intruder if you don’t know who belongs in the room.
What the Control Requires
The CIS guidance is straightforward:
“Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.”
There’s also a fourth option: authorize it—if the asset is legitimate but simply wasn’t documented. This flexibility allows organizations to adapt without unnecessary disruption.
Easy Ways to Implement This Control
Here’s how most organizations can operationalize Control 1.2 without overcomplicating things:
- Leverage Your Existing Inventory Tools – If you implemented Control 1.1, you likely have tools or processes for asset tracking. Extend these to flag unknown devices automatically.
- Automate Detection – Use active or passive discovery tools to scan your network daily. These tools compare connected assets against your approved inventory and highlight discrepancies.
- Create a Simple Response Workflow – Define clear steps for handling unauthorized assets:
  - Remove or quarantine the device immediately.
  - Notify the asset owner if identifiable.
  - Authorize and document if the asset is legitimate.
  - Escalate if the asset poses a security risk.
- Start Small and Scale – Begin with critical systems and high-risk environments. Over time, expand coverage to IoT devices, remote endpoints, and cloud resources.
- Embed the Process into Operations – Consistency is key. Make addressing unauthorized assets part of your weekly IT routine. Operationalizing security means turning these safeguards into repeatable processes.
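The comparison described under Automate Detection, together with the response workflow's decisions, as an added Python example (not from the original post or any specific inventory product). The CSV columns, sample devices and action wording are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample data: an approved-inventory export (column names are assumptions)
INVENTORY_CSV = """mac,hostname,owner,status
00:1A:2B:3C:4D:5E,fin-laptop-01,alice,approved
00-1a-2b-3c-4d-5f,hr-printer-02,,approved
001A.2B3C.4D60,lab-server-03,bob,pending
"""
# Constructed discovery results: (mac, ip) pairs as a network scan might report them
DISCOVERED = [
    ("00:1a:2b:3c:4d:5e", "10.0.1.10"),
    ("00:1A:2B:3C:4D:5F", "10.0.1.20"),
    ("00:1a:2b:3c:4d:60", "10.0.2.30"),
    ("DE:AD:BE:EF:00:01", "10.0.9.99"),
]

def norm_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def load_inventory(text):
    """Index inventory rows by normalized MAC so formatting differences cannot hide a match."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, discovered):
    """Return one finding per connected asset that needs a Control 1.2 decision."""
    findings = []
    for mac, ip in discovered:
        rec = inventory.get(norm_mac(mac))
        if rec is None:
            reason, action = "not in inventory", "quarantine; escalate if risky"
        elif rec["status"].strip().lower() != "approved":
            reason, action = f"status is {rec['status']!r}", "authorize and document, or remove"
        elif not rec["owner"].strip():
            reason, action = "no owner recorded", "identify owner, then document"
        else:
            continue  # approved asset with an owner: nothing to address
        findings.append({"mac": norm_mac(mac), "ip": ip, "reason": reason, "action": action})
    return findings

if __name__ == "__main__":
    for f in reconcile(load_inventory(INVENTORY_CSV), DISCOVERED):
        print(f"{f['ip']:<12} {f['mac']}  {f['reason']:<20} -> {f['action']}")
```

Normalizing MAC addresses before the lookup matters because inventory exports and discovery tools rarely agree on notation, and a naive string comparison would flag approved devices as unauthorized.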
Final Thoughts
Control 1.2 isn’t just about compliance—it’s about reducing risk and strengthening your security posture. By addressing unauthorized assets promptly, you close gaps that attackers exploit and ensure your network remains trustworthy. Remember: you can’t protect what you don’t know you have, and you can’t ignore what shouldn’t be there.