Manage Your Software Inventory (Part 3 of 7: Mitigating Risks of Unsupported Operating Systems)
Having a managed software asset inventory helps an organization ensure that its software is identified, authorized, managed, or retired before it can be exploited. In this post, I describe why your organization should establish a software inventory to manage its software.
Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.
To establish an effective software inventory, you must assign responsibility to one or more people to manage it. If your organization is medium- to large-sized, don't make the mistake of assigning your CEO to manage its software assets; a single individual typically does not have the capacity to manage all software assets in such an organization. It usually makes sense to assign multiple individuals to this management task, assigning responsibility for particular software assets to individuals.
A manager assigned to a software asset must have the appropriate knowledge, authority, availability, and resources to manage it. For example, if an organization chooses to continue to run an unsupported operating system, the assigned manager must have the appropriate knowledge and resources to maintain it. The organization should also recognize that the skills required to manage unsupported software become harder to acquire and sustain as the software becomes more outdated.
To maintain the organization's software asset inventory, its managers must contribute information about each of its software assets, not just the operating system (e.g., apps). The information they contribute should, at minimum, include the following for each software asset:
- person or persons responsible for managing it
- its common platform enumeration (CPE)
- its mapping to hardware assets
- the period of time it is authorized to be on the network
- its identifying details (e.g., version, serial number, release level)
- the part of the organization that uses it
The organization should provide resourcing and funding that is in line with its risk management program so that it can assign the right number of people with the appropriate qualifications to manage its software assets.
What You Can Do
- Establish an effective software inventory.
- Assign responsibility for managing it.
- Ensure that software asset managers have the appropriate knowledge, authority, availability, and resources to manage the software.
- Collect basic information (e.g., its CPE, status, mapping to hardware assets) about each software asset.
For more information about managing your unsupported software assets, see CRR Supplemental Resource Guide, Volume 1, Guide for Security-Focused Configuration Management of Information Systems (NIST SP 800-128), or the SEI website.