Inventory and Control of Software Assets v2
“Security is not a product, but a process. It’s about understanding your systems, knowing where they are vulnerable, and configuring them so that they are harder to attack.”
Introduction
This guide outlines the implementation of a critical InfoSec control: actively managing all software on the network to ensure only authorized software is installed and can execute, while preventing unauthorized and unmanaged software from installation or execution.
Why This Control Matters
This section highlights the multifaceted benefits of implementing software asset control, emphasizing its impact beyond just security.
Security: Reduces attack surface by limiting software to known, approved applications.
Compliance: Helps meet regulatory requirements and industry standards.
Efficiency: Streamlines IT operations and reduces support costs.
License Management: Ensures software licensing compliance and optimizes costs.
These steps are a basic steps for remediation for Windows, OSX, Linux, AWS, GCP, and Azure. As tool change, remediation advice changes. This entry maps to the code or ID referenced in the entry. Please check back regularly for updates to this library entry.
Key Components
1. Software Inventory
Maintaining a comprehensive and up-to-date software inventory is the foundation of this control. It provides visibility into the organization's software landscape, enabling informed decision-making and risk management.
Maintain a comprehensive list of all approved software.
Include details such as version numbers, patches, and licensing information.
Regularly update the inventory to reflect changes.
2. Automated Asset Discovery
Automation is crucial for maintaining an accurate inventory in large, dynamic environments. Regular scans help identify discrepancies quickly, reducing the window of vulnerability for unauthorized software.
Implement tools to scan the network and detect installed software.
Schedule regular scans to identify any discrepancies with the approved inventory.
3. Whitelisting and Blacklisting
This approach provides a proactive defense against unauthorized software. Whitelisting offers stronger protection but requires more management, while blacklisting can be easier to implement but less comprehensive.
Create and maintain a whitelist of approved software.
Implement application control solutions to enforce the whitelist.
Maintain a blacklist of prohibited software.
4. Software Installation Process
A formal process for software requests and installations helps maintain control and ensures that all new software is properly vetted and approved before deployment.
Develop a formal process for requesting and approving new software.
Implement technical controls to restrict software installation to authorized personnel only.
5. Patch Management
Effective patch management is critical for maintaining the security of approved software. It helps address vulnerabilities promptly, reducing the risk of exploitation.
Establish a systematic approach to applying software updates and security patches.
Prioritize critical security updates.
6. License Management
Proper license management ensures legal compliance and optimal resource allocation. It can lead to significant cost savings by identifying unused or over-licensed software.
Track software licenses to ensure compliance and optimize costs.
Implement tools to monitor usage and alert on potential violations.
7. Removal of Unauthorized Software
Having a process for removing unauthorized software is crucial for maintaining the integrity of the software environment. Automation can help ensure consistency and reduce the workload on IT staff.
Develop and enforce policies for removing unauthorized software.
Implement automated removal where possible.
Implementation Guide
For Individual Contributors
Individual contributors play a crucial role in maintaining software control by adhering to policies and being vigilant about unauthorized software.
Familiarize yourself with the approved software list.
Follow the established process for requesting new software.
Report any unauthorized software you encounter.
For Engineers
Engineers are responsible for the technical implementation of the control. Their role is critical in ensuring the effectiveness and efficiency of the software control measures.
Assist in implementing and maintaining asset discovery tools.
Develop and maintain scripts for automated software inventory and control.
Contribute to the design and implementation of whitelisting solutions.
For Analysts
Analysts provide the analytical expertise needed to interpret data, identify trends, and optimize the software control processes.
Analyze scan results to identify trends and potential security risks.
Assist in maintaining the software inventory and reconciling discrepancies.
Help optimize the whitelisting and blacklisting processes.
For Auditors
Auditors ensure the ongoing effectiveness and compliance of the software control measures. Their role is crucial in identifying gaps and driving continuous improvement.
Develop audit procedures to verify compliance with this control.
Regularly review the software inventory for accuracy and completeness.
Assess the effectiveness of the software control processes and tools.
Proposed Implementation Timeline
This timeline provides a structured approach to implementing the control over a 12-month period. It allows for proper planning, gradual implementation, and refinement of processes.
Month 1-2: Planning and Assessment
The initial phase focuses on setting the foundation for the project, ensuring that the right resources and information are in place before implementation begins.
Form a project team and define roles.
Conduct a current state assessment.
Select and procure necessary tools.
Month 3-4: Initial Inventory and Policy Development
This phase establishes the baseline inventory and the guiding policies that will govern software control in the organization.
Perform initial network-wide software discovery.
Develop software approval and installation policies.
Create initial whitelist and blacklist.
Month 5-6: Tool Implementation
The focus here is on deploying the technical solutions that will enforce and automate software control measures.
Deploy asset discovery and application control tools.
Configure automated scans and alerts.
Begin enforcing software installation restrictions.
Month 7-8: Process Refinement
This phase involves fine-tuning the processes based on initial implementation experiences and addressing any gaps identified.
Refine the software request and approval process.
Implement the patch management system.
Develop and begin executing the unauthorized software removal process.
Month 9-10: Training and Awareness
Ensuring that all staff understand and can effectively work within the new software control environment is crucial for long-term success.
Conduct training sessions for all staff.
Develop and distribute user guidelines.
Begin regular communication about software policies.
Month 11-12: Full Implementation and Audit
The final phase involves fully activating all control measures and conducting a comprehensive audit to ensure effectiveness.
Fully enforce all aspects of the control.
Conduct a comprehensive audit.
Make necessary adjustments based on audit findings.
Ongoing
Software control is not a one-time project but an ongoing process that requires continuous attention and improvement.
Regular inventory updates and reconciliation.
Continuous monitoring and improvement of processes.
Periodic audits and compliance checks.
