A few weeks ago, we published an article on the challenges of security system sprawl. As a bonus, we featured a panel discussion on this exact topic that our very own Eric Moreau took part in.
This week, we take a deeper dive into one of the core concepts we discussed: inventory control. Check out the original article here...
If you manage cameras, access control, intercoms, recording systems, servers, and cloud apps across multiple sites, you already know the truth: you can’t secure what you can’t see. The #1 force-multiplier for every other best practice—segmentation, patching, strong auth, monitoring—is a complete, current, and credible inventory. Think of it as the system of record for your security estate. Without it, you’re guessing. With it, you’re managing.
A living inventory isn’t a one-time spreadsheet that goes stale. It’s:
Authoritative: One source of truth that other tools reference.
Structured: Clear fields, consistent naming, and unique IDs.
Connected: Feeds and is fed by discovery tools, VMS/ACS exports, network scans, and ticketing.
Maintained: Owned by someone, updated on change, and reviewed on a schedule.
Capture every addressable thing in the security ecosystem:
Edge devices: Cameras, door controllers, readers, intercoms, sensors, encoders.
Compute & storage: VMS/ACS servers, recorders, NVRs, cloud tenants.
Network touchpoints: Switches/ports used by security, VLANs, firewalls, VPN jump hosts.
Credentials & keys: Admin accounts, API tokens, service accounts, who owns them, and rotation dates.
Lifecycle & risk: Firmware levels, support status, warranty, EoS/EoL dates, risk and criticality.
If you track nothing else, track these consistently:
AssetID (unique), Subsystem (VMS/ACS/intercom), DeviceType, Site/Location
Network identity: IP, VLAN, switch/port, hostname, MAC, zone
Security posture: Firmware version, baseline/hardening profile, TLS enabled, default creds removed, MFA for admins
Ownership & access: Admin account owner, remote access method, logging target (SIEM)
Lifecycle: Install date, End-of-Support date, warranty end, last patch date, next patch window
Risk & criticality: Ranked 1–5 for quick triage
Pull from what you already have: Export device lists from VMS/ACS, recorder appliances, and cloud consoles.
Sweep the network: Use IT’s CMDB/NAC, switch CDP/LLDP tables, and IPAM to find “unknown” devices in security VLANs.
Normalize names: Adopt a naming convention (e.g., SITE-BLDG-FLR-AREA-DEVTYPE-###).
Fingerprint posture: Script against vendor APIs (where available) to collect firmware, crypto settings, and uptime.
Tie to people: Assign an internal owner for each admin account and an ops owner per asset or site.
Map to risk: Mark EoS gear, default-creds risks, and anything off the hardening baseline.
Make it the hub: Connect the inventory to your ticketing system—no change (move/add/update/decommission) closes without an inventory update.
Review rhythm: Monthly delta review; quarterly deep dive. Treat the inventory like a production system.
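The steps above, from "pull from what you already have" through "map to risk", carried out end to end as an added example (this is not code from the original article or from Theseus). It joins a VMS/ACS export to a network sweep on MAC address, reports devices the sweep found that no export claims (the "unknowns"), reports exported devices that did not answer on the wire, checks the SITE-BLDG-FLR-AREA-DEVTYPE-### naming convention, and flags default credentials, missing TLS and end-of-support firmware into a 1 to 5 risk rank. The export, sweep, end-of-support table, device-type codes and risk weights are all constructed sample data and assumptions for this example; field names follow the article's minimum field set.

```python
"""Build a v1.0 security-asset inventory: join a VMS/ACS export to a network
sweep, surface unknown devices, check the naming convention and flag risks.

Added example, not code from the original article or from Theseus. The VMS
export, network sweep and vendor end-of-support table below are constructed
sample data; field names follow the article's minimum field set.
"""
import csv
import io
import re
from datetime import date

# Naming convention from the article: SITE-BLDG-FLR-AREA-DEVTYPE-###
# (the device-type codes are an assumption for this example)
NAME_RE = re.compile(
    r"^[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-(CAM|DC|RDR|ICM|NVR|SRV)-\d{3}$"
)

# Constructed VMS/ACS export, as a console would hand it to you
VMS_EXPORT = """\
AssetID,Subsystem,DeviceType,Site,IP,MAC,Firmware,DefaultCredsRemoved,TLS
HQ-B1-F2-LOBBY-CAM-001,VMS,camera,HQ,10.20.1.11,aa:bb:cc:00:00:11,5.7.1,yes,yes
HQ-B1-F2-LOBBY-CAM-002,VMS,camera,HQ,10.20.1.12,aa:bb:cc:00:00:12,4.2.0,no,no
cam lobby back,VMS,camera,HQ,10.20.1.13,aa:bb:cc:00:00:13,5.7.1,yes,yes
HQ-B1-F1-DOCK-DC-001,ACS,door_controller,HQ,10.20.2.21,aa:bb:cc:00:00:21,2.1.0,yes,yes
HQ-B1-F1-DOCK-RDR-001,ACS,reader,HQ,10.20.2.22,aa:bb:cc:00:00:22,1.4.0,yes,yes
"""

# Constructed IPAM/LLDP sweep of the security VLAN (MAC, IP, switch/port)
NETWORK_SWEEP = [
    {"ip": "10.20.1.11", "mac": "AA:BB:CC:00:00:11", "switch_port": "sw-hq-1 Gi1/0/11"},
    {"ip": "10.20.1.12", "mac": "aa:bb:cc:00:00:12", "switch_port": "sw-hq-1 Gi1/0/12"},
    {"ip": "10.20.1.13", "mac": "aa:bb:cc:00:00:13", "switch_port": "sw-hq-1 Gi1/0/13"},
    {"ip": "10.20.2.21", "mac": "aa:bb:cc:00:00:21", "switch_port": "sw-hq-2 Gi1/0/21"},
    {"ip": "10.20.1.99", "mac": "de:ad:be:ef:00:99", "switch_port": "sw-hq-1 Gi1/0/24"},
]

# Constructed vendor end-of-support dates keyed by (DeviceType, firmware major)
EOS_DATES = {
    ("camera", "4"): date(2024, 12, 31),
    ("camera", "5"): date(2028, 6, 30),
    ("door_controller", "2"): date(2027, 1, 31),
    ("reader", "1"): date(2026, 3, 31),
}

# Weight per finding; Risk runs 1 (clean) to 5, matching the article's 1-5 ranking
RISK_WEIGHTS = {"default-creds": 2, "eos": 2, "no-tls": 1, "naming": 1}


def load_export(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(export_rows, sweep):
    """Join export rows to the sweep on MAC.

    Returns (inventory, unknown, unreachable): devices seen on both sides with
    switch/port attached, sweep entries no export claims, and export rows that
    did not answer on the wire (decommissioned, wrong VLAN or simply unplugged).
    """
    by_mac = {r["MAC"].lower(): r for r in export_rows}
    inventory, unknown = [], []
    for seen in sweep:
        row = by_mac.pop(seen["mac"].lower(), None)
        if row is None:
            unknown.append(seen)
            continue
        inventory.append(dict(row, SwitchPort=seen["switch_port"]))
    unreachable = list(by_mac.values())
    return inventory, unknown, unreachable


def flag_risks(rec, today):
    """Return the posture findings for one record, in a fixed order."""
    flags = []
    if not NAME_RE.match(rec["AssetID"]):
        flags.append("naming")
    if rec["DefaultCredsRemoved"].strip().lower() != "yes":
        flags.append("default-creds")
    if rec["TLS"].strip().lower() != "yes":
        flags.append("no-tls")
    eos = EOS_DATES.get((rec["DeviceType"], rec["Firmware"].split(".")[0]))
    if eos is not None and eos < today:
        flags.append("eos")
    return flags


def build_inventory(export_text=VMS_EXPORT, sweep=NETWORK_SWEEP, today=date(2025, 9, 1)):
    """Produce the v1.0 inventory with Flags and a 1-5 Risk score per asset."""
    inventory, unknown, unreachable = reconcile(load_export(export_text), sweep)
    for rec in inventory:
        rec["Flags"] = flag_risks(rec, today)
        rec["Risk"] = min(5, 1 + sum(RISK_WEIGHTS[f] for f in rec["Flags"]))
    return inventory, unknown, unreachable


if __name__ == "__main__":
    inv, unknown, unreachable = build_inventory()
    for rec in sorted(inv, key=lambda r: -r["Risk"]):
        print(f'{rec["Risk"]}  {rec["AssetID"]:24} {rec["IP"]:12} '
              f'{rec["SwitchPort"]:18} {",".join(rec["Flags"]) or "-"}')
    print("unknown on security VLAN:", [u["ip"] for u in unknown])
    print("in export but not on wire:", [r["AssetID"] for r in unreachable])
```

Joining on MAC rather than IP is deliberate: IPs move with DHCP and re-addressing, while the MAC is what the switch CAM table and LLDP actually report, so it survives a re-IP without creating phantom "unknowns". The two leftover lists are the real output of a first pass: every unknown is either a device to onboard or a device to pull off the security VLAN, and every unreachable export row is a ticket to close out before the record goes stale.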
Segmentation that sticks: You can’t design sensible ACLs without knowing flows and endpoints.
Patching without panic: Firmware targets and windows are obvious when posture is visible.
Least privilege in practice: You finally see which admins and service accounts exist—and fix them.
Vendor accountability: Time-bound access, per-ticket credentials, and clean revocation.
Budget clarity: Lifecycle rollups reveal refresh waves before they become emergencies.
Reduce unknown devices in security VLANs to near zero.
Eliminate default passwords and shared admin accounts on Tier-1 systems.
Create an EoS/EoL heat map to steer Q1 budget toward highest risk.
Stand up baseline configs for a top camera family and a door controller model.
Coverage: % of estimated devices captured (target ≥ 98%)
Currency: Mean days since latest firmware release per device class
Baseline conformance: % of assets on the standard hardening profile (target ≥ 90%)
Auth strength: % of admin accounts with MFA (target 100%)
Access hygiene: Mean time to revoke vendor access after ticket close
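The five metrics above computed from an inventory snapshot, as an added example (not code from the original article or from Theseus). The assets, device estimate, vendor release dates and vendor-access tickets are constructed sample data. "Currency" is read here as the mean age, per device class, of the firmware each device is actually running; that interpretation is an assumption. Vendor access that has not yet been revoked is counted as open up to today, so a forgotten account raises the number rather than dropping out of it.

```python
"""Compute the article's five inventory health metrics from an inventory snapshot.

Added example, not code from the original article or from Theseus. The assets,
vendor release dates, device estimate and vendor-access tickets below are
constructed sample data. "Currency" is interpreted as the mean age, per device
class, of the firmware each device is running; that reading is an assumption.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

TODAY = date(2025, 9, 1)

# Constructed inventory snapshot; field names mirror the article's minimum set
ASSETS = [
    {"AssetID": "HQ-B1-F2-LOBBY-CAM-001", "DeviceType": "camera", "Firmware": "5.7.1",
     "Baseline": "cam-std-v2", "AdminMFA": True},
    {"AssetID": "HQ-B1-F2-LOBBY-CAM-002", "DeviceType": "camera", "Firmware": "5.6.0",
     "Baseline": None, "AdminMFA": True},
    {"AssetID": "HQ-B1-F1-DOCK-DC-001", "DeviceType": "door_controller", "Firmware": "2.1.0",
     "Baseline": "dc-std-v1", "AdminMFA": False},
    {"AssetID": "HQ-B1-F3-IT-NVR-001", "DeviceType": "nvr", "Firmware": "3.0.2",
     "Baseline": "nvr-std-v1", "AdminMFA": True},
]
ESTIMATED_DEVICES = 5  # from drawings and purchase records; one device is still unaccounted for

# Constructed vendor release catalogue: (DeviceType, Firmware) -> release date
RELEASES = {
    ("camera", "5.7.1"): date(2025, 6, 1),
    ("camera", "5.6.0"): date(2024, 11, 1),
    ("door_controller", "2.1.0"): date(2025, 3, 1),
    ("nvr", "3.0.2"): date(2025, 8, 1),
}

# Constructed vendor-access tickets: when the ticket closed and when access was revoked
VENDOR_TICKETS = [
    {"ticket": "CHG-1001", "closed": date(2025, 8, 1), "revoked": date(2025, 8, 1)},
    {"ticket": "CHG-1002", "closed": date(2025, 8, 5), "revoked": date(2025, 8, 12)},
    {"ticket": "CHG-1003", "closed": date(2025, 8, 20), "revoked": None},  # still open
]

# Targets quoted in the article for the three percentage metrics
TARGETS = {"coverage_pct": 98.0, "baseline_pct": 90.0, "mfa_pct": 100.0}


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def coverage(assets=ASSETS, estimated=ESTIMATED_DEVICES):
    """% of estimated devices captured in the inventory."""
    return pct(len(assets), estimated)


def currency(assets=ASSETS, releases=RELEASES, today=TODAY):
    """Mean days since release of the running firmware, per device class."""
    ages = defaultdict(list)
    for a in assets:
        released = releases.get((a["DeviceType"], a["Firmware"]))
        if released is not None:  # unknown firmware is a data-quality gap, not age zero
            ages[a["DeviceType"]].append((today - released).days)
    return {cls: round(mean(days), 1) for cls, days in ages.items()}


def baseline_conformance(assets=ASSETS):
    """% of assets on a standard hardening profile."""
    return pct(sum(1 for a in assets if a["Baseline"]), len(assets))


def auth_strength(assets=ASSETS):
    """% of assets whose admin account has MFA."""
    return pct(sum(1 for a in assets if a["AdminMFA"]), len(assets))


def access_hygiene(tickets=VENDOR_TICKETS, today=TODAY):
    """Mean days from ticket close to vendor access revocation; open access counts to today."""
    lags = [((t["revoked"] or today) - t["closed"]).days for t in tickets]
    return round(mean(lags), 1) if lags else 0.0


def scorecard():
    """All five metrics plus pass/fail against the article's targets."""
    values = {
        "coverage_pct": coverage(),
        "currency_days": currency(),
        "baseline_pct": baseline_conformance(),
        "mfa_pct": auth_strength(),
        "revoke_days": access_hygiene(),
    }
    values["meets_target"] = {k: values[k] >= v for k, v in TARGETS.items()}
    return values


if __name__ == "__main__":
    for k, v in scorecard().items():
        print(f"{k:14} {v}")
```

Coverage is the one metric you cannot compute from the inventory alone; the denominator has to come from somewhere outside it (drawings, purchase orders, the network sweep), which is exactly why the article treats the estimate as a separate input. Currency is grouped by device class because a six-month-old camera build and a six-month-old door-controller build are not the same exposure, and the patch window you schedule is per family anyway.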
Spreadsheet sprawl: Use a single master (even if it starts as a CSV) and publish read-only views. Better: put it behind a simple database or asset tool ASAP.
No owner: Assign an Inventory Product Owner and back them with a change policy.
Stale by design: Automate ingestion (APIs, exports, scheduled scans) and set calendar reviews.
Too many fields: Start with the 80/20 set; add fields when you can populate them consistently.
Days 1–30: Build v1.0 inventory; normalize names; identify unknowns; flag default-creds and EoS risks.
Days 31–60: Publish v1.1 with posture fields; implement hardening baselines for one camera/one controller family; route logs to SIEM.
Days 61–90: Tie inventory to change tickets; enforce time-bound vendor access; schedule quarterly firmware windows; present lifecycle budget.
Isn’t this IT’s job?
Security systems now ride the same networks and face the same threats. Partner with IT, but own your domain details (video/door semantics, retention, analytics).
We’re understaffed—how do we start?
Start narrow: one site, one device family, the 80/20 fields. Automate small wins (API pulls) and expand.
Don't have the resources you need internally?
Perhaps a firm like Theseus Professional Services can help. We can provide contracted support to help with every aspect of your security challenges from system design to implementation verification to future migration planning.
Drop us a line to explore what we can help you with...
Watch our free on-demand webinar featuring insights that transcend healthcare and apply to any facility security program. Whether you're managing a hospital or a corporate campus, the strategies discussed can help improve your environment’s safety and operational readiness.
This webinar is available on-demand, allowing you to watch at your convenience. Don’t miss this opportunity to learn from one of the industry's leading experts and take your facility’s safety and security to the next level.
To register and access the on-demand webinar, click here.
Security professionals are constantly looking for innovative ways to secure their facility and provide a safe environment within their budget. They are also constantly looking for resources to help them achieve that mission, since expert advice is hard to come by.
Fortunately, we have released a considerations guide that will help security professionals perform their own in-house security risk assessment.
What's Inside?
This guide is intended to assist you with performing an in-house physical security risk assessment. In many cases, assistance from a third-party expert, like Theseus Professional Services, is required.
Identification of missing or inadequate physical security measures that safeguard assets (people, property, and information) and critical business functions is of paramount importance. The findings of a security risk assessment are used to measure and communicate the level of risk to the organization.