KSI-PIY-GIV—Generating Inventories
Formerly KSI-PIY-01
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express privacy governance through externally validated certifications backed by published PIA summaries — privacy certifications (ISO 27701, SOC 2 Privacy) demonstrate third-party validation, while PIA summaries show how privacy risks are actively identified and mitigated for each system and feature.
Privacy Certifications
Privacy certifications and attestations — third-party validation of privacy governance implementation
Privacy Impact Assessment Summary
PIA summaries expressing how privacy risks are identified and mitigated per system and feature
Privacy Policy
Human-readable privacy policy covering data collection, use, sharing, and individual rights
Programmatic Queries
CLI Commands
aws configservice get-discovered-resource-counts --query "resourceCounts[].{Type:resourceType,Count:count}" --output table
aws configservice list-discovered-resources --resource-type AWS::EC2::Instance --query "resourceIdentifiers[].{Id:resourceId,Name:resourceName}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your automated inventory cover all information resource types — compute, storage, networking, databases, serverless functions, containers, SaaS integrations, and data stores?
- Are there resource types that cannot be discovered automatically (shadow IT, manually provisioned resources, third-party managed components), and how are those tracked?
- How do you ensure inventory generation captures resources across all cloud accounts, regions, and environments — including those managed by third parties?
- When new cloud services or resource types are adopted, what process ensures they are included in automated inventory generation?
Automation & Validation:
- How do you validate that your automated inventory matches the actual deployed environment — do you run reconciliation checks against cloud provider APIs?
- What happens when inventory generation discovers a resource that is not in any known configuration management database — is it flagged for investigation?
- How quickly can you generate a complete, real-time inventory on demand, and what is the maximum staleness of inventory data?
- What automated checks detect inventory inaccuracies — resources that exist but are not inventoried, or inventoried resources that no longer exist?
Inventory & Integration:
- What authoritative sources feed your inventory system (cloud provider APIs, Terraform state, Kubernetes API, CMDB), and which is considered the source of truth?
- How does inventory data from multiple sources reconcile into a single, consistent view of all information resources?
- What tools perform automated asset discovery beyond what cloud provider APIs report (network scanning, DNS enumeration, certificate transparency)?
- How does inventory data integrate with vulnerability management, compliance assessment, and monitoring systems?
Continuous Evidence & Schedules:
- How do you demonstrate that inventory data is real-time or near-real-time rather than generated on a periodic batch schedule?
- Is the complete inventory available via API in a machine-readable format for assessor consumption?
- What evidence shows inventory accuracy has been validated over the past 90 days — reconciliation reports, drift detection results?
- How do you detect when inventory coverage degrades — for example, when a new cloud account is created but not integrated into the discovery system?
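The reconciliation and staleness checks the Automation & Validation questions ask about, as an added example that is not part of the FedRAMP page: it compares the resources AWS Config reports (the resourceIdentifiers shape that `aws configservice list-discovered-resources` returns) against an organization's CMDB records and flags both deployed-but-uninventoried and inventoried-but-gone resources. The CMDB layout and all resource values are constructed for the example.

```python
# Added example: reconcile AWS Config's discovered resources (the shape that
# `aws configservice list-discovered-resources` returns) against a CMDB, and
# flag the two inaccuracy classes above. All inputs are constructed samples.
from datetime import datetime, timedelta, timezone

# Constructed: what AWS Config discovered, keyed by resource type.
DISCOVERED = {
    "AWS::EC2::Instance": [
        {"resourceId": "i-0aaa111", "resourceName": "web-1"},
        {"resourceId": "i-0bbb222", "resourceName": "web-2"},
        {"resourceId": "i-0ccc333", "resourceName": None},  # not in the CMDB
    ],
    "AWS::RDS::DBInstance": [{"resourceId": "db-prod", "resourceName": "db-prod"}],
}

# Constructed: CMDB records keyed by (resource type, resource id).
CMDB = {
    ("AWS::EC2::Instance", "i-0aaa111"): {"owner": "team-web"},
    ("AWS::EC2::Instance", "i-0bbb222"): {"owner": "team-web"},
    ("AWS::EC2::Instance", "i-0ddd444"): {"owner": "team-web"},  # terminated
    ("AWS::RDS::DBInstance", "db-prod"): {"owner": "team-data"},
}


def reconcile(discovered, cmdb):
    """Return (unknown, missing): deployed resources absent from the CMDB,
    and CMDB entries that no longer exist in the live environment."""
    live = {(rtype, r["resourceId"])
            for rtype, items in discovered.items() for r in items}
    known = set(cmdb)
    return sorted(live - known), sorted(known - live)


def is_stale(generated_at, now, max_age=timedelta(hours=1)):
    """True when an inventory snapshot exceeds the allowed staleness window."""
    return now - generated_at > max_age


if __name__ == "__main__":
    unknown, missing = reconcile(DISCOVERED, CMDB)
    for rtype, rid in unknown:
        print(f"INVESTIGATE: {rtype} {rid} is deployed but not in the CMDB")
    for rtype, rid in missing:
        print(f"STALE: {rtype} {rid} is in the CMDB but no longer deployed")
    snap = datetime.now(timezone.utc) - timedelta(hours=3)
    print("inventory stale:", is_stale(snap, datetime.now(timezone.utc)))
```

In practice the DISCOVERED structure is filled from the AWS Config API output per resource type and the reconciliation run on a schedule tighter than the staleness window, so that both gaps become evidence for the 90-day validation question.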