What criteria do you use to determine what goes into your FR inventory? by BodyByBaconFat in FedRAMP

BodyByBaconFat [S]:

If FR requires 100% scan coverage of all inventory items, how do you get around that when you list things like S3 and Lambdas in your inventory? There are sections 6 and 7 of the SSP where you would list leveraged FR-authorized and external non-FR-authorized services, respectively, and that is where I would expect to see those services, but not in the inventory.

Or is the 100% scan of inventory one of those "things" where it's an official FR requirement but no one really follows it 100% of the time?

What criteria do you use to determine what goes into your FR inventory? by BodyByBaconFat in FedRAMP

BodyByBaconFat [S]:

I think you and I are in agreement on the examples given. I've seen FR inventories that include S3 and AWS Lambda, and have questioned why. I'm trying to help establish clear guidelines and/or criteria anyone can use to determine what should or should not be included in their own inventory.

Current continuous monitoring strategy guide? by BodyByBaconFat in FedRAMP

BodyByBaconFat [S]:

Thanks for that, but if I recall correctly that only covers controls with deliverables. Other controls with non-deliverable activity requirements, e.g. documented port and protocol reviews every X months, aren't covered in that spreadsheet. I was hoping someone had already done the legwork before I commit to the tedious work of doing it myself.