20 CIS Controls – Control 2: Inventory and Control of Software Assets
Today, I will be going over Control 2 from version 7 of the top 20 CIS Controls – Inventory and Control of Software Assets. I will go through the 10 requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 2
- Let Control 1 be a driver. Only attempt to scan hardware that is already in your asset database. If a system isn’t in the asset database, revisit Control 1 to figure out why.
- Reuse existing tools. Many of the tools you are going to be using for Control 1 are going to be used for Control 2. There is no sense in treating these two controls separately when you are looking at how to implement them.
- Start cheap. Along the same lines as reusing tools, many of the requirements can be accomplished with open source or built-in tools. That being said, as your organization grows, you will also outgrow the capabilities of these free tools.
Requirement Listing for Control 2
1. Maintain Inventory of Authorized Software
Description: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
Notes: Creating a list from scratch in a large enterprise can seem difficult to do. As I’ve mentioned in other controls, it may be easier to start with a baseline of what currently exists (requirement 3 below) and work on noting which software on the list is approved, while also monitoring for new software in your environment.
2. Ensure Software is Supported by Vendor
Description: Ensure that only software applications or operating systems currently supported by the software’s vendor are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Notes:
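The reconciliation that the key takeaways and requirements 1 and 2 describe, as an added Python example that is not part of the original post: scan results are only evaluated for hosts already in the Control 1 asset database, then checked against the authorized list and its unsupported tag. All hostnames, software names and data structures are constructed for illustration.

```python
# Constructed sample data; every hostname and software title here is hypothetical.
ASSET_DB = {"ws-001", "ws-002", "srv-010"}   # hardware inventory from Control 1

# Authorized software inventory: title -> still supported by the vendor?
# False means the entry is tagged unsupported in the inventory (requirement 2).
AUTHORIZED = {
    "firefox": True,
    "openssh": True,
    "legacy-erp-client": False,
}

# Output of a software scan as (host, software title) pairs.
SCAN = [
    ("ws-001", "Firefox"),
    ("ws-001", "legacy-erp-client"),
    ("ws-002", "openssh "),
    ("ws-002", "torrent-client"),
    ("lab-777", "firefox"),   # host that never made it into the asset database
]

def normalize(title):
    """Fold case and whitespace so scanner spelling differences do not hide a match."""
    return title.strip().lower()

def reconcile(scan, asset_db, authorized):
    """Classify each scan row; hosts outside the asset database go back to Control 1."""
    report = {"unknown_host": set(), "unauthorized": [], "unsupported": [], "ok": []}
    for host, raw_title in scan:
        title = normalize(raw_title)
        if host not in asset_db:
            report["unknown_host"].add(host)   # do not assess software on untracked hardware
            continue
        supported = authorized.get(title)
        if supported is None:
            report["unauthorized"].append((host, title))
        elif not supported:
            report["unsupported"].append((host, title))
        else:
            report["ok"].append((host, title))
    return report

def baseline(scan, asset_db):
    """Starting list for requirement 1: every distinct title found on known hosts."""
    return sorted({normalize(t) for h, t in scan if h in asset_db})

if __name__ == "__main__":
    for finding, rows in reconcile(SCAN, ASSET_DB, AUTHORIZED).items():
        print(finding, sorted(rows))
    print("baseline", baseline(SCAN, ASSET_DB))
```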
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-2-inventory-of-authorized-and-unauthorized-software/