CIS Controls v8 Overview-Control 02

James Temples
2 min read · Nov 23, 2021

This week we will cover the 2nd control in the CIS Controls Version 8.

Control 02: Inventory and Control of Software Assets: actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

How is this different than Control 01?

Control 01 was focused on Enterprise Assets, or ‘systems’ that store or process data. Control 02 is focused on software, including applications and operating systems.

Why is this Control important?

Attackers continuously scan organizations looking for vulnerable versions of software that can be exploited. A key defense is updating and patching software; however, this requires a complete inventory of software assets. In addition, organizations may prevent licensing violations while also identifying software not needed for business purposes.

And its Safeguards?

The control has five (5) Safeguards that cover Software Inventory, Authorized Software, Unauthorized Software, Software Inventory Tools, as well as Allowlist Authorized Software/Libraries/Scripts. Allowlisting identifies known files, applications, or processes and allows them to run during specified times of the day.

How is this Control implemented?

Steps to compile the inventory often depend on the complexity of the organization. Large organizations use specialized inventory products to maintain asset inventories for both software and enterprise assets (covered in Control 01). Many of these tools also check the patch level of the software to ensure that the latest version is installed. Small to medium organizations often leverage security tools already installed, such as a vulnerability scanner or dedicated IT asset management tool.

Key Reminder(s)

As with Control 01, organizations must remember this inventory is NOT a one-time occurrence; it is an ONGOING process that is a key input to the other controls. It is important to identify changes in the software inventory to ensure security measures are fully in place.
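To make the implementation and key-reminder sections concrete, here is an added example (not the author's or CIS's code) that reconciles an inventory tool's output against an allowlist, flagging unauthorized software and approved software that is below the patch baseline, and then diffs two snapshots to surface changes for the ongoing review. The inventory records, allowlist and version scheme are constructed assumptions.

```python
"""Reconcile a software inventory against an allowlist and detect drift.

Constructed example, not the author's or CIS's code. Assumes each inventory
record is a dict with host/name/version and the allowlist maps an approved
product name to its minimum approved (patched) version.
"""
from __future__ import annotations

# Constructed sample snapshots, as an inventory tool might report them.
PREVIOUS_SNAPSHOT = [
    {"host": "ws-01", "name": "openssl", "version": "3.0.7"},
    {"host": "ws-01", "name": "chrome", "version": "118.0.5993"},
    {"host": "srv-02", "name": "openssl", "version": "3.0.12"},
]
CURRENT_SNAPSHOT = [
    {"host": "ws-01", "name": "openssl", "version": "3.0.7"},
    {"host": "ws-01", "name": "chrome", "version": "119.0.6045"},
    {"host": "ws-01", "name": "unapproved-pdf-tool", "version": "1.2"},  # unmanaged
    {"host": "srv-02", "name": "openssl", "version": "3.0.12"},
]
ALLOWLIST = {"openssl": "3.0.12", "chrome": "119.0.0"}  # constructed allowlist


def version_key(version: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (assumes digit-only parts)."""
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory: list[dict], allowlist: dict[str, str]) -> dict[str, list[dict]]:
    """Classify each record as authorized, outdated (below baseline) or unauthorized."""
    result: dict[str, list[dict]] = {"authorized": [], "outdated": [], "unauthorized": []}
    for record in inventory:
        minimum = allowlist.get(record["name"])
        if minimum is None:
            result["unauthorized"].append(record)  # not on the allowlist at all
        elif version_key(record["version"]) < version_key(minimum):
            result["outdated"].append(record)  # approved product, behind patch baseline
        else:
            result["authorized"].append(record)
    return result


def inventory_diff(previous: list[dict], current: list[dict]) -> dict[str, list[tuple]]:
    """Installs that appeared or disappeared since the last snapshot (ongoing review)."""
    def key(r: dict) -> tuple[str, str, str]:
        return (r["host"], r["name"], r["version"])
    before, after = {key(r) for r in previous}, {key(r) for r in current}
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

Running `reconcile(CURRENT_SNAPSHOT, ALLOWLIST)` flags the unmanaged PDF tool as unauthorized and ws-01's OpenSSL as outdated, while `inventory_diff` shows the new install and the Chrome upgrade that appeared since the previous snapshot.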

In the next post, we will look at Control 03: Data Protection.

Feeling at Risk? Contact Temples Consulting Group for a no-cost consultation to schedule a Risk Assessment and Risk Remediation based on the CIS Controls.

James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP