Posted by Insider Threat
Having a managed software asset inventory helps an organization ensure that its software is identified, authorized, managed, or retired before it can be exploited. In this post, I describe why your organization should establish a software inventory to manage its software.
Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.
To establish an effective software inventory, you must assign responsibility to one or more people to manage it. If your organization is medium- to large-sized, don't make the mistake of assigning your CEO to manage its software assets; a single individual typically does not have the capacity to manage all software assets in such an organization. It usually makes sense to spread this task across several individuals, with each person responsible for particular software assets.
A manager assigned to a software asset must have the appropriate knowledge, authority, availability, and resources to manage it. For example, if an organization chooses to continue to run an unsupported operating system, the assigned manager must have the appropriate knowledge and resources to maintain it. The organization should also recognize that the skills required to manage unsupported software become harder to acquire and sustain as the software becomes more outdated.
To maintain the organization's software asset inventory, its managers must contribute information about each of its software assets, not just the operating system but also applications. The information they contribute should, at minimum, include the following for each software asset:
The organization should provide resourcing and funding that is in line with its risk management program so that it can assign the right number of people with the appropriate qualifications to manage its software assets.
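The following is an added example, not code from the original post or from the SEI, of how the assignment and inventory points above can be made checkable: each asset records who is responsible for it, whether it is authorized, and when vendor support ends, and the report flags anything unmanaged, unauthorized, or unsupported, along with how many assets each manager carries. The field names, the constructed sample inventory, and the fixed report date are assumptions made for the example; the post's own list of minimum fields is not reproduced here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SoftwareAsset:
    """One inventory record. Field names are assumptions for this example."""
    name: str
    version: str
    manager: Optional[str]          # person responsible; None means unassigned
    authorized: bool                # approved for use by the organization
    end_of_support: Optional[date]  # vendor end-of-support date; None if unknown
    hosts: int = 0                  # number of systems running it


def asset_findings(asset: SoftwareAsset, today: date) -> List[str]:
    """Return the list of inventory problems with a single asset (empty if none)."""
    findings = []
    if asset.manager is None:
        findings.append("no assigned manager")
    if not asset.authorized:
        findings.append("not authorized")
    if asset.end_of_support is None:
        # Unknown support status cannot be accepted as "supported".
        findings.append("support status unknown")
    elif asset.end_of_support < today:
        findings.append("unsupported since %s" % asset.end_of_support.isoformat())
    return findings


def inventory_report(inventory: List[SoftwareAsset], today: date) -> Dict[str, List[str]]:
    """Map asset name -> findings, keeping only assets that need attention."""
    report = {}
    for asset in inventory:
        findings = asset_findings(asset, today)
        if findings:
            report[asset.name] = findings
    return report


def manager_load(inventory: List[SoftwareAsset]) -> Dict[str, int]:
    """Count assets per manager so that over-concentration on one person is visible."""
    load: Dict[str, int] = {}
    for asset in inventory:
        key = asset.manager if asset.manager is not None else "(unassigned)"
        load[key] = load.get(key, 0) + 1
    return load


# Constructed sample inventory; names, versions and dates are invented for the example.
SAMPLE_INVENTORY = [
    SoftwareAsset("ExampleOS", "4.2", "ops-team-lead", True, date(2019, 1, 14), hosts=12),
    SoftwareAsset("ExampleDB", "11", "dba", True, date(2027, 6, 30), hosts=3),
    SoftwareAsset("ChatTool", "2.3", None, False, None, hosts=40),
    SoftwareAsset("ExampleSuite", "2016", "ops-team-lead", True, date(2025, 10, 14), hosts=30),
]

# Fixed report date so the output is reproducible.
REPORT_DATE = date(2024, 1, 1)


if __name__ == "__main__":
    for name, findings in inventory_report(SAMPLE_INVENTORY, REPORT_DATE).items():
        print("%s: %s" % (name, "; ".join(findings)))
    for manager, count in manager_load(SAMPLE_INVENTORY).items():
        print("%s manages %d asset(s)" % (manager, count))
```

In this sample, the unsupported operating system is flagged even though it has a manager, and the unmanaged, unauthorized tool with unknown support status collects three findings; the load table shows that one person holds two of the four assets, which is the kind of concentration the post warns against in larger organizations.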
For more information about managing your unsupported software assets, see CRR Supplemental Resource Guide, Volume 1, Guide for Security-Focused Configuration Management of Information Systems (NIST SP 800-128), or the SEI website.