Security Control 2:
Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

Key: REQ = Required, REC = Recommended, OPT = Optional

| ID | Details | High | Med | Low |
|----|---------|------|-----|-----|
| 2.1 | Deploy software inventory tools covering each of the operating system types in use, including servers, workstations, and laptops. Additional details: The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The tool should record not only the type of software installed on each system, but also its version number and patch level. | REQ | REQ | REQ |
| 2.2 | Devise a list of authorized software that is required for each type of system, including servers, workstations, and laptops of various kinds and uses. | REQ | REC | OPT |
| 2.3 | The software inventory tool should also monitor for unauthorized software installed on each machine. Unauthorized software includes legitimate system administration software installed on systems where there is no business need for it. | REQ | REC | OPT |
| 2.4 | Deploy application whitelisting technology that allows systems to run only approved software and prevents execution of all other software on the system, based on an automatically generated list of valid software from a representative sample machine. Additional details: Such whitelisting tools should be based on acceptable hashing algorithms for determining which binaries are authorized to execute on a system. | REQ | REC | OPT |
| 2.5 | If, based on higher risk, it is determined that an application or data should not be installed within a networked environment, virtual machines and/or air-gapped systems should be used to isolate and run them. | REQ | OPT | OPT |
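The following is an added example, not code from the original page or from any particular inventory product. It shows the checks that controls 2.1 through 2.3 describe in one small audit: the inventory records the OS release and each package's version, every package is compared against the authorized list for the host's role, and packages below a minimum version (i.e. unpatched) are reported. The `INVENTORY`, `AUTHORIZED` and `OS_MINIMUM` data are constructed for illustration; a real collector would populate them from `dpkg-query`, `rpm -qa`, `winget list` or similar output.

```python
"""Added example: audit a software inventory against per-role authorized lists.
All data below is constructed for illustration (not from any real system)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    package: str      # package name, or "operating-system" for an OS baseline miss
    version: str
    reason: str


# Constructed authorized-software lists: role -> {package: minimum version}.
AUTHORIZED = {
    "workstation": {"libreoffice": "7.3", "firefox": "115.0", "openssh-client": "9.0"},
    "server": {"nginx": "1.24", "openssh-server": "9.0", "net-tools": "2.10"},
}

# Constructed minimum OS release per role (control 2.1: track the OS version too).
OS_MINIMUM = {"workstation": "22.04", "server": "22.04"}

# Constructed inventory, in the shape a collector might emit.
INVENTORY = [
    {"host": "ws-01", "role": "workstation", "os_version": "22.04",
     "packages": {"libreoffice": "7.3", "firefox": "118.0", "openssh-client": "9.0"}},
    {"host": "ws-02", "role": "workstation", "os_version": "22.04",
     "packages": {"firefox": "102.0", "nmap": "7.94", "openssh-client": "9.0"}},
    {"host": "web-01", "role": "server", "os_version": "20.04",
     "packages": {"nginx": "1.24", "openssh-server": "9.0", "tor": "0.4.8"}},
]


def version_key(version: str) -> tuple:
    """Numeric-only comparison key: '1.24.0' -> (1, 24, 0). Adequate for dotted
    release numbers; distro epochs and suffixes are deliberately ignored here."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_host(record: dict, authorized=AUTHORIZED, os_minimum=OS_MINIMUM) -> list:
    """Return the findings for one host record."""
    role = record["role"]
    allowed = authorized.get(role, {})
    min_os = os_minimum.get(role, "0")
    findings = []
    if version_key(record["os_version"]) < version_key(min_os):
        findings.append(Finding(record["host"], "operating-system", record["os_version"],
                                f"below minimum OS release {min_os}"))
    for pkg, ver in sorted(record["packages"].items()):
        if pkg not in allowed:
            # Control 2.3: legitimate admin tooling on a host with no business
            # need for it is reported exactly like any other unauthorized package.
            findings.append(Finding(record["host"], pkg, ver,
                                    f"not on the authorized list for role {role}"))
        elif version_key(ver) < version_key(allowed[pkg]):
            findings.append(Finding(record["host"], pkg, ver,
                                    f"below minimum version {allowed[pkg]}"))
    return findings


def audit(inventory=INVENTORY, authorized=AUTHORIZED, os_minimum=OS_MINIMUM) -> list:
    """Audit every host in the inventory and return all findings."""
    return [f for rec in inventory for f in audit_host(rec, authorized, os_minimum)]


if __name__ == "__main__":
    for f in audit():
        print(f"{f.host}: {f.package} {f.version} -> {f.reason}")
```

Run as written, the script reports the outdated Firefox and the port scanner on `ws-02`, and the old OS release and the unlisted Tor package on `web-01`, while `ws-01` produces no findings. Keying the authorized list on role rather than on individual hosts is what makes control 2.2 ("a list ... for each type of system") manageable at scale.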
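Control 2.4 says the whitelist should be derived from a representative sample machine and keyed on an acceptable hash. The block below is an added example (not from the original page or from any whitelisting product) of that idea: a SHA-256 allowlist is generated from a reference set of binaries, and candidate executables are then allowed or blocked purely by content hash, so a tampered file at a familiar path is blocked while an unchanged binary copied elsewhere still matches. The `REFERENCE_BINARIES` and `CANDIDATES` byte strings are constructed stand-ins for real executables; `build_allowlist_from_dir` is included for running the same logic against a real reference directory.

```python
"""Added example: hash-based application allowlist built from a reference machine.
Sample "binaries" are constructed byte strings, not real executables."""
import hashlib
import os
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    # SHA-256 is an acceptable choice here; MD5 and SHA-1 are not, because
    # collision attacks would let an unapproved file share an approved hash.
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a real file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist_from_dir(root) -> dict:
    """Walk a reference machine's directory tree and map hash -> first path seen,
    including only regular files with an execute bit set."""
    allow = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and os.access(p, os.X_OK):
            allow.setdefault(sha256_file(p), str(p))
    return allow


def build_allowlist(binaries: dict) -> dict:
    """Same mapping as above, from an in-memory {path: bytes} reference set."""
    return {sha256_bytes(data): path for path, data in binaries.items()}


def evaluate(candidates: dict, allowlist: dict) -> dict:
    """Decide allow/block for each candidate {path: bytes}. The decision is keyed
    on the content hash only: path and file name carry no weight."""
    results = {}
    for path, data in candidates.items():
        digest = sha256_bytes(data)
        if digest in allowlist:
            results[path] = ("allow", f"hash matches reference {allowlist[digest]}")
        else:
            results[path] = ("block", "hash not in allowlist")
    return results


# Constructed reference set standing in for the representative sample machine.
REFERENCE_BINARIES = {
    "/usr/bin/editor": b"\x7fELF constructed editor build 1.0",
    "/usr/bin/mailer": b"\x7fELF constructed mailer build 2.3",
}

# Constructed candidates seen on a managed host.
CANDIDATES = {
    "/usr/bin/editor": REFERENCE_BINARIES["/usr/bin/editor"],            # unchanged
    "/usr/bin/mailer": REFERENCE_BINARIES["/usr/bin/mailer"] + b"\x90",  # modified in place
    "/tmp/editor": REFERENCE_BINARIES["/usr/bin/editor"],                # same bytes, new path
    "/tmp/unknown": b"\x7fELF constructed binary never seen on the reference machine",
}


if __name__ == "__main__":
    allowlist = build_allowlist(REFERENCE_BINARIES)
    for path, (decision, reason) in evaluate(CANDIDATES, allowlist).items():
        print(f"{decision:5} {path}: {reason}")
```

Two properties of the output are worth noting for anyone tuning such a tool: the modified `/usr/bin/mailer` is blocked even though its path is trusted, which is the point of hashing rather than path-matching, and the copy at `/tmp/editor` is allowed because the whitelist does not care where an approved binary lives. If the second behaviour is unwanted, the allowlist would need to pair hash with expected path, which is a policy choice beyond what the control itself specifies.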

Additional Reading