Asset Inventory and Risk Prioritization: Audit Worksheet for Security Teams
Practical audit worksheet and steps to inventory assets, prioritize risk, and reduce breach exposure for nursing homes and small healthcare providers.
By CyberReplay Security Team
TL;DR: Use this audit worksheet to map every device, application, and data store, then apply a simple risk-priority score so you fix the top 10% of exposures that cause 70% of near-term breach risk. Practical templates, commands, and nursing-home examples included.
Table of contents
- Problem: cost of missing asset inventory
- Who this is for and what you will get
- Quick answer - one-line approach
- Key definitions
- Asset
- Inventory source of truth (SoT)
- Exposure score
- Criticality
- How to use the audit worksheet - process overview
- Step-by-step: run the audit in 7 workstreams
- 1 - Network discovery and device census
- 2 - Auth and identity inventory
- 3 - SaaS and cloud inventory
- 4 - Clinical and OT device inventory
- 5 - Vulnerability and patch snapshot
- 6 - Ownership, business context, and compensating controls
- 7 - Final normalization and dedupe
- Audit worksheet template - copyable CSV and fields
- Risk prioritization framework - score, SLA, and remediation buckets
- Practical examples - nursing home scenarios
- Tools, automation, and data quality tips
- Proof elements and objection handling
- Get your free security assessment
- Conclusion - immediate next steps
- References
- What should we do next?
- How long does a complete audit take?
- Can we automate this with limited staff?
- Will this help with HIPAA and regulatory risk?
- Table of measurable outcomes to expect
- Next step recommendation
- When this matters
- Common mistakes
- FAQ
Problem: cost of missing asset inventory
Missing or stale asset inventories are behind most costly breaches in small healthcare settings - nursing homes included. Without a reliable list of devices, applications, and data stores you cannot prioritize patches, isolate exposed services, or measure SLA impact for incident response.
Concrete stakes for a typical 50-bed nursing home:
- Average ransomware pause to operations: 24-72 hours - revenue and care disruption costs can exceed $50k - $150k per incident when transferring residents and emergency staffing are included.
- Time-to-detection gap: teams with poor visibility take 3x longer to detect and contain incidents, increasing response costs and regulatory exposure.
- Remediation waste: teams often spend 60-80% of their time on low-value fixes when they lack prioritized inventory.
This audit worksheet reduces those risks by giving you a repeatable, measurable way to identify the top assets that matter to safety, compliance, and continuity.
Who this is for and what you will get
- For security leads, IT managers, and external MSSP/MDR teams supporting nursing homes and small health providers.
- You will get a practical audit process, a copyable worksheet template, sample commands and export snippets, prioritization scoring, and nursing-home-specific examples.
- Not for advanced red-team playbooks. This is an operational control focused on discovery, accuracy, and prioritized remediation.
Quick answer - one-line approach
Inventory everything that touches resident data or clinical operations, verify ownership and patchability, then score each asset by exposure, criticality, and compensating controls. Remediate assets in the highest risk bucket first and measure time-to-remediate against an internal SLA - aim to cut your high-risk exposure by 70% in 30 days.
Key definitions
Asset
Any device, virtual machine, SaaS instance, application, OT/medical device, user account, or data store that has value to your operations or holds sensitive data.
Inventory source of truth (SoT)
A single, auditable dataset - spreadsheet, database, or CMDB - containing canonical records for each asset and the fields in the worksheet.
Exposure score
A numeric score that combines external-facing exposure, known vulnerabilities, and exposure to sensitive data.
Criticality
Business impact if the asset is unavailable or corrupted - use categories like High (clinical systems), Medium (staff workstations), Low (guest Wi-Fi devices).
How to use the audit worksheet - process overview
- Collect data from every source you have - DHCP, MDM, AD, EDR, SIEM, firewall, switch port mapping, clinical device lists, SaaS admin consoles.
- Normalize records and dedupe by MAC/IP/hostname/asset tag.
- Enrich records with vulnerability scan results, patch status, owner, and business criticality.
- Score each asset using the prioritization framework below.
- Bucket remediation into 24-72 hour, 7-day, and 30-day SLAs.
- Track time-to-remediate and reduction in high-risk exposure weekly.
Expected outcomes when you follow this process for a small nursing home network:
- Time to identify high-risk assets reduced from weeks to under 48 hours.
- Fixes focused on top 10% of assets that reduce immediate attack surface by an estimated 60-80%.
- Clear SLA reporting for leadership and regulators.
Step-by-step: run the audit in 7 workstreams
These run in parallel where possible. Assign owners and set a 30-60 day goal to complete first pass inventory.
1 - Network discovery and device census
- Collect DHCP lease logs and switch port mappings.
- Export firewall NAT table and public IP mappings.
- Run lightweight discovery from a management network segment.
Sample read-only discovery commands to capture endpoints quickly:
# Basic nmap for network discovery (use from management network; get consent)
nmap -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}' > endpoint_ips.txt
# PowerShell for Windows AD environment - list computers
Get-ADComputer -Filter * -Properties Name,OperatingSystem,LastLogonDate | Select-Object Name,OperatingSystem,LastLogonDate | Export-Csv -Path ad_computers.csv -NoTypeInformation
2 - Auth and identity inventory
- Pull AD/O365 user lists, service accounts, and privileged groups.
- Record accounts with stale owners, shared credentials, or no MFA.
3 - SaaS and cloud inventory
- Export admin lists from EHR vendors, care coordination SaaS, and billing systems.
- Map where resident PHI is stored and who has admin rights.
4 - Clinical and OT device inventory
- Get vendor asset lists for infusion pumps, monitors, and other connected medical devices.
- Note unsupported OS, end-of-life firmware, and network segmentation state.
5 - Vulnerability and patch snapshot
- Run credentialed scans where possible; otherwise, use EDR/agent telemetry to estimate patch status.
- Capture CVE counts and critical severity counts per asset.
6 - Ownership, business context, and compensating controls
- Assign an owner and uptime requirement to each asset.
- Document isolation controls: VLAN, NAC, firewall rules, MFA.
7 - Final normalization and dedupe
- Use MAC addresses and asset tags as the canonical dedupe keys.
- Flag orphaned assets - devices with no owner or no management agent.
Audit worksheet template - copyable CSV and fields
Use this CSV as your initial source-of-truth schema. Import into Excel, Google Sheets, or a simple CMDB.
asset_id,hostname,ip_address,mac_address,asset_type,owner,department,criticality,environment,public_exposure,os,fw_version,edr_installed,last_patch_date,cve_high_count,compensating_controls,notes
A-001,workstation-01,192.168.1.21,00:11:22:33:44:55,workstation,it,ops,Medium,LAN,no,Windows 10,1909,yes,2024-02-01,0,VLAN:Staff,Managed by IT
Field explanations - concise:
- asset_id: unique short ID you control.
- asset_type: workstation, server, medical-device, router, SaaS, account.
- public_exposure: yes/no - true if reachable from internet or via forwarded ports.
- cve_high_count: count of CVE entries severity >= 7.0 in the last scan.
- compensating_controls: items like segmentation, MFA, service account restrictions.
Checklist to validate worksheet completeness:
- Does every asset have an owner? If not, tag as orphan.
- Is contact info for owner present? If not, escalate to IT manager.
- Is the asset included in backup or DR scope? (Yes/No)
Risk prioritization framework - score, SLA, and remediation buckets
Apply a simple weighted score, using the worksheet above as your template. We recommend a 0-100 score composed of three weighted elements.
Scoring formula (example):
- Exposure (internet-facing or forwarded) - weight 40
- Criticality (High/Med/Low numeric: 3/2/1) - weight 35
- Vulnerability severity (CVE count or highest CVSS) - weight 25
Normalize into a 0-100 number. Then assign buckets:
- 80-100: Critical - remediate in 24-72 hours - outage risk high - consider isolation until patched.
- 60-79: High - remediate in 7 days - schedule patch window and monitoring.
- 30-59: Medium - remediate in 30 days - patch on next maintenance cycle.
- 0-29: Low - track quarterly.
SLA and measurement guidance:
- Measure Mean Time To Remediate (MTTR) for each bucket. Target MTTR improvements: reduce Critical MTTR from average 10 days to under 3 days within first 30 days.
- Key metric: percent of total exposure (sum of scores) in Critical bucket. Aim to reduce this by 70% in month 1.
Example prioritization output row:
asset_id,score,bucket,mttr_target
A-001,84,Critical,72_hours
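The scoring formula and remediation buckets above carried through in Python, as an added example that is not code from the original worksheet or from CyberReplay: it reads rows in the worksheet CSV schema, computes the 0-100 score with the 40/35/25 weights, assigns the bucket and MTTR target, and reports the percent of total exposure sitting in the Critical bucket. Assumptions (not stated on the page): Exposure is all-or-nothing (40 when public_exposure is yes), Criticality scales 3/2/1 over 35, the vulnerability element uses cve_high_count and saturates at 5 high CVEs, and the sample rows are constructed.

```python
import csv

# Weights and criticality levels from the scoring formula in the text.
W_EXPOSURE, W_CRITICALITY, W_VULN = 40, 35, 25
CRITICALITY_LEVEL = {"High": 3, "Medium": 2, "Low": 1}
# Assumption: five or more high-severity CVEs saturate the vulnerability element.
CVE_SATURATION = 5
# Remediation buckets from the text: (lower bound, bucket, mttr_target).
BUCKETS = [(80, "Critical", "72_hours"), (60, "High", "7_days"),
           (30, "Medium", "30_days"), (0, "Low", "quarterly")]

def score_asset(row):
    """Integer 0-100 score for one worksheet row (dict keyed by CSV column name)."""
    exposed = row.get("public_exposure", "").strip().lower() == "yes"
    exposure = W_EXPOSURE if exposed else 0
    level = CRITICALITY_LEVEL.get(row.get("criticality", "").strip().title(), 1)
    criticality = W_CRITICALITY * level / 3
    cves = max(0, int(row.get("cve_high_count") or 0))
    vuln = W_VULN * min(cves, CVE_SATURATION) / CVE_SATURATION
    return round(exposure + criticality + vuln)

def bucket_for(score):
    """Map a score to (bucket, mttr_target)."""
    for lower, name, target in BUCKETS:
        if score >= lower:
            return name, target
    return "Low", "quarterly"

def prioritize(worksheet_csv):
    """Score every row of worksheet CSV text; return rows sorted highest score first."""
    out = []
    for row in csv.DictReader(worksheet_csv.splitlines()):
        s = score_asset(row)
        name, target = bucket_for(s)
        out.append({"asset_id": row["asset_id"], "score": s,
                    "bucket": name, "mttr_target": target})
    return sorted(out, key=lambda r: r["score"], reverse=True)

def critical_share(rows):
    """Percent of total exposure (sum of scores) sitting in the Critical bucket."""
    total = sum(r["score"] for r in rows)
    crit = sum(r["score"] for r in rows if r["bucket"] == "Critical")
    return round(100 * crit / total, 1) if total else 0.0

# Constructed sample worksheet rows (columns trimmed to those the score uses).
SAMPLE = """asset_id,hostname,criticality,public_exposure,cve_high_count
S-001,workstation-01,Medium,no,0
S-002,infusion-pump-03,High,yes,2
S-003,billing-saas-admin,High,yes,5
S-004,guest-ap-01,Low,no,1
"""

if __name__ == "__main__":
    ranked = prioritize(SAMPLE)
    print("asset_id,score,bucket,mttr_target")
    for r in ranked:
        print(",".join(str(r[k]) for k in ("asset_id", "score", "bucket", "mttr_target")))
    print(f"Critical share of total exposure: {critical_share(ranked)}%")
```

Track critical_share weekly; the month-1 target in the text is a 70% drop in that number.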
Practical examples - nursing home scenarios
Example 1 - Medication pump with remote management
- Asset: vendor-managed infusion pump with web admin reachable via vendor tunnel.
- Risk: pump is critical (High), vendor tunnel uses outdated TLS, no local MFA - exposure score 88.
- Action: isolate device to clinical VLAN, require vendor to update tunnel within 72 hours, add compensating monitoring. Record in worksheet and set Critical SLA.
- Outcome: isolating pump reduces attack surface for resident care systems by 60% immediately.
Example 2 - Staff workstation used for EHR and personal browsing
- Asset: workstation on staff VLAN with outdated browser and no EDR.
- Risk: medium-criticality with public exposure via forwarded remote support tool - score 72.
- Action: require EDR agent, enforce browser policy, patch within 7 days, revoke unnecessary remote access.
- Outcome: reduces phishing lateral movement risk and protects resident PHI.
Example 3 - Shared vendor admin account for billing SaaS
- Asset: privileged SaaS account with no MFA, owner unknown.
- Risk: account-level compromise risk high - score 90.
- Action: reset credentials, enforce unique admin accounts, require MFA and logging, remediate within 24 hours.
- Outcome: eliminates an immediate cloud-facility vector for data exfiltration.
Tools, automation, and data quality tips
Recommended tool classes:
- Passive discovery: DHCP, DNS, and switch logs for quick census.
- Active discovery: credentialed vulnerability scans for accurate CVE counts.
- Endpoint telemetry: EDR for asset health and process telemetry.
- SaaS inventory: API pulls from O365, Google Workspace, EHR vendor portals.
- CMDB or spreadsheet: start in a spreadsheet and migrate to CMDB as budget allows.
Data quality rules to enforce:
- Single source of truth: nightly sync job that prefers authoritative sources - AD for Windows hosts, MDM for mobile, vendor lists for medical devices.
- Timestamp every record and require owners to verify monthly.
- Reject records with missing MAC and owner - flag for immediate investigation.
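An added example, not code from the original page, that serves both workstream 7 (dedupe on MAC, flag orphans) and the data quality rules just listed: it normalizes MACs across the notations DHCP, AD and vendor exports use, merges records by MAC, lets the authoritative source win per asset type, rejects records with neither MAC nor owner, and flags assets with no owner or no management agent. Assumptions: the source labels dhcp/ad/mdm/vendor, the SOURCE_RANK fallback order, EDR as the management agent, and the constructed sample records.

```python
import re

# Authoritative source per asset type, from the data quality rule in the text (AD for
# Windows hosts, vendor lists for medical devices). Assumption: DHCP is the lowest-ranked
# fallback and MDM sits between DHCP and the authoritative sources.
AUTHORITATIVE = {"workstation": "ad", "server": "ad", "medical-device": "vendor"}
SOURCE_RANK = {"ad": 3, "vendor": 3, "mdm": 2, "dhcp": 1}

def normalize_mac(raw):
    """Canonical lowercase colon form for any common MAC notation; None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def merge_inventory(records):
    """records: dicts with source, mac, hostname, asset_type, owner, edr_installed.
    Returns (merged_by_mac, rejected); rejected holds records with no MAC and no owner."""
    merged, rejected = {}, []
    for rec in records:
        mac = normalize_mac(rec.get("mac"))
        if mac is None and not rec.get("owner"):
            rejected.append(rec)  # rule: missing MAC and owner -> immediate investigation
            continue
        key = mac or "no-mac:" + rec.get("hostname", "").lower()
        current = merged.get(key)
        if current is None:
            merged[key] = dict(rec, mac=mac)
            continue
        # The authoritative source for this type wins; otherwise the higher-ranked source.
        # Non-empty fields from the losing record are kept so owner/agent data is not lost.
        preferred = AUTHORITATIVE.get(rec.get("asset_type") or current.get("asset_type"))
        rec_wins = rec["source"] == preferred or (current["source"] != preferred
            and SOURCE_RANK.get(rec["source"], 0) > SOURCE_RANK.get(current["source"], 0))
        winner, loser = (rec, current) if rec_wins else (current, rec)
        combined = {k: v for k, v in loser.items() if v}
        combined.update({k: v for k, v in winner.items() if v})
        combined["mac"] = mac
        merged[key] = combined
    return merged, rejected

def orphans(merged):
    """MACs of assets with no owner or no management agent (workstream 7 flag rule)."""
    return sorted(k for k, r in merged.items()
                  if not r.get("owner") or str(r.get("edr_installed", "")).lower() != "yes")

# Constructed sample exports (DHCP census, AD export, vendor device list); not real devices.
SAMPLE = [
    {"source": "dhcp", "mac": "00-11-22-33-44-55", "hostname": "WORKSTATION-01",
     "asset_type": "", "owner": "", "edr_installed": ""},
    {"source": "ad", "mac": "00:11:22:33:44:55", "hostname": "workstation-01",
     "asset_type": "workstation", "owner": "it", "edr_installed": "yes"},
    {"source": "dhcp", "mac": "aabb.ccdd.eeff", "hostname": "pump-03",
     "asset_type": "", "owner": "", "edr_installed": ""},
    {"source": "vendor", "mac": "AA:BB:CC:DD:EE:FF", "hostname": "infusion-pump-03",
     "asset_type": "medical-device", "owner": "nursing", "edr_installed": "no"},
    {"source": "dhcp", "mac": "", "hostname": "unknown-tablet",
     "asset_type": "", "owner": "", "edr_installed": ""},
]
```

The pump lands on the orphan list because it has no agent; for vendor-managed devices, record the compensating controls in the worksheet rather than clearing the flag.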
Automation snippet - cron job idea to pull AD inventory daily (PowerShell scheduled task):
# Export AD computer list daily (run as a scheduled task under an account that can read AD)
$today = Get-Date -Format yyyy-MM-dd
New-Item -ItemType Directory -Path C:\inventory -Force | Out-Null
Get-ADComputer -Filter * -Properties Name,OperatingSystem,LastLogonDate |
Select-Object Name,OperatingSystem,LastLogonDate |
Export-Csv -Path "C:\inventory\ad_computers_$today.csv" -NoTypeInformation
Proof elements and objection handling
Common objections and direct answers:
Objection: “We do not have the staff or budget to run a full discovery.” Answer: Start with an 80/20 pass - gather DHCP, AD exports, and SaaS admin lists. That typically covers 70-80% of assets and surfaces the critical 10% you must fix first. Use external MSSP support for the first full pass to reduce internal time cost.
Objection: “Our medical devices are vendor-managed; we cannot change them.” Answer: Even if vendors manage patching, you must map device network location, isolate it on a clinical VLAN, and require vendor logging. These compensating controls reduce exposure without firmware changes.
Objection: “We cannot scan production devices due to safety risk.” Answer: Use passive methods and vendor-provided inventories. If active scanning is needed, coordinate maintenance windows and perform credentialed scans at low intensity to avoid service disruption.
Claim mapping to authoritative guidance:
- Inventory and asset management are foundational to defensive controls - see CIS Controls 1-2 for inventory-first guidance: https://www.cisecurity.org/controls/
- NIST Cybersecurity Framework identifies asset identification as the core Identify function: https://www.nist.gov/cyberframework
- HHS provides healthcare-specific cybersecurity practices relevant to nursing homes: https://www.hhs.gov/sites/default/files/healthcare-sector-cybersecurity-practices.pdf
Get your free security assessment
If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan. Prefer a quick automated check first? Try our scorecard to get an immediate visibility snapshot. For guided help and on-demand remediation, see our managed security offerings.
Conclusion - immediate next steps
- Export these three datasets today: DHCP leases, AD computer list, SaaS admin user list. Import into the worksheet template. This will give you a 70% coverage baseline in 24 hours.
- Score assets and isolate the top Critical bucket assets within 72 hours.
- If you prefer external help, schedule a short assessment with a managed provider to run the first discovery and verify configurations. For longer engagements, review CyberReplay’s managed security service options and our cybersecurity services page.
References
- NIST Cybersecurity Framework - Identify Function (overview and guidance)
- CIS Control 1: Inventory and Control of Enterprise Assets (detailed control guidance)
- HHS Healthcare Sector Cybersecurity Practices, Volume 1 (PDF) - healthcare-specific guidance
- CISA: Understanding and Implementing Asset Inventory to Reduce Ransomware Risk
- NIST SP 800-53 Rev. 5 - CM-8: Information System Component Inventory (control text and rationale)
- MITRE ATT&CK: Mitigation M1047 - Asset Inventory as a defensive measure
- HHS: HIPAA Security Rule - Device and Media Controls (implementation guidance)
What should we do next?
Start with a 1-day data collection sprint: export DHCP, AD, and SaaS admin lists and import into the CSV worksheet. If you prefer a guided run-through, request a rapid visibility assessment from CyberReplay to get a prioritized remediation plan in 48-72 hours. You can request guided help at CyberReplay Help or review managed options at CyberReplay Managed Security Service Provider.
How long does a complete audit take?
- Small nursing home (single site, 1 VLAN): first-pass inventory and prioritized list in 24-72 hours; full enrichment with vulnerability data 7-14 days.
- Multi-site organization: initial census 7-21 days; full enrichment and SLA alignment 30-60 days.
- Measurement: after the first 30 days you should see Critical exposure drop by 50-70% if remediation SLAs are enforced.
Can we automate this with limited staff?
Yes - automation priorities:
- Daily exports from AD/MDM/DHCP into the SoT.
- EDR and SaaS API pulls for vulnerability and account data.
- Scheduled reports that show top 20 high-scoring assets and MTTR per bucket.
If internal staff are constrained, a short-term MSSP engagement to run discovery and hand off a validated SoT is a cost-efficient option. See CyberReplay’s rapid visibility offerings at CyberReplay Help.
Will this help with HIPAA and regulatory risk?
Yes. Verifiable asset inventories and prioritized remediation are key elements in HIPAA Security Rule assessments and breach response documentation. Having an auditable worksheet with owner, patch history, and compensating controls helps reduce both breach likelihood and regulatory penalties by showing due diligence. See HHS guidance on device and media controls: https://www.hhs.gov/hipaa/for-professionals/security/guidance/device-media-controls/index.html
Table of measurable outcomes to expect
- Discovery coverage: 70% coverage baseline in 24-72 hours using passive exports.
- Exposure reduction: reduce top Critical exposure by 50-70% in 30 days with focused remediation.
- Time savings: trim investigation time for incidents by up to 60% once owners and SoT exist.
Next step recommendation
If you want a fast start, run the one-day data sprint and then consider a short assessment from an MSSP to accelerate remediation. CyberReplay provides rapid visibility assessments and managed remediation plans - view options at https://cyberreplay.com/managed-security-service-provider/ and request help at https://cyberreplay.com/help-ive-been-hacked/.
When this matters
This audit worksheet and process matter when visibility is limited, risk is concentrated, or regulatory proof is required. Typical triggers:
- You find unknown public-facing services or surprise remote support tools.
- A vendor reports a vulnerability that may touch resident data.
- Leadership asks for an auditable inventory for a HIPAA review or a regulator request.
Use the asset inventory risk prioritization audit worksheet when you need a repeatable, auditable way to show what you found, why you prioritized it, and how you remediated it.
Common mistakes
- Not updating the SoT frequently enough. Inventory is only useful if it is recent.
- Mixing identities and devices in a way that loses owner accountability.
- Over-scanning production OT devices without vendor coordination.
- Treating every asset equally instead of applying an exposure and criticality score.
Avoid these by enforcing timestamps, assigning owners, using passive discovery on fragile devices, and applying the scoring framework in this worksheet.
FAQ
How long will this take for a small nursing home?
First-pass census and prioritized list: 24-72 hours. Full enrichment with vulnerability data and SLA alignment: 7-14 days.
Can we run this with limited staff?
Yes. Start with passive exports from DHCP, AD, and SaaS admin lists, then add EDR and patch telemetry. Consider a short MSSP engagement for the first full pass.
Will this help with HIPAA compliance?
Yes. An auditable inventory with owners, patch history, and compensating controls is core evidence for HIPAA Security Rule reviews and breach response timelines.
What should I do after the first pass?
Score assets, isolate Critical bucket items, and enforce remediation SLAs. Use the scorecard or schedule an assessment if you need external help.