CSC2: Inventory of Authorised and Unauthorised Software
Actively manage (inventory, track, and correct) all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
Family | CSC | Control Description | Foundational | Advanced |
---|---|---|---|---|
System | 2.1 | Devise a list of authorised software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorised software has not been modified. | Y | File integrity is verified as part of a continuous monitoring program. |
System | 2.2 | Deploy application whitelisting that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow. | Y | Whitelist application libraries (such as DLLs) in addition to executable binaries (such as EXEs and MSIs). |
System | 2.3 | Deploy software inventory tools throughout the organisation covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. | Y | Hardware and software inventory management are closely coupled, and managed centrally. |
System | 2.4 | Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment. | Y | |
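Sub-controls 2.1, 2.2 and 2.3 each describe a concrete check: a hash baseline of authorised software verified by file integrity checking, an allow-list that covers libraries as well as executables, and a software inventory keyed off the hardware asset inventory. The script below is an added illustration of those three checks and is not code from CIS, NIST or any product; the hostnames, asset ids, file paths and file contents are constructed for the example.

```python
"""Added example (not CIS or NIST code): a minimal CSC2 baseline check.

Models three sub-controls on constructed data:
  2.1  SHA-256 baseline of authorised executables, verified for modification
  2.2  allow-list enforcement that covers libraries (.dll/.so) as well as executables
  2.3  software inventory keyed by hardware asset, so a host that reports software
       but has no hardware record is flagged
Hostnames, asset ids, paths and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# CSC 2.2 "Advanced" asks that libraries be allow-listed too, so .dll/.so are
# covered deliberately; .conf and other non-code files are not in scope here.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".so", ".bin")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every executable/library under root (CSC 2.1)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


@dataclass
class Finding:
    host: str
    path: str
    reason: str  # "modified" (2.1), "unauthorised" (2.2) or "missing"


def check_host(host, root, baseline):
    """Compare a host's executables with the baseline: a hash mismatch is a modified
    authorised file (CSC 2.1); a path absent from the baseline is unauthorised (CSC 2.2)."""
    current = build_baseline(root)
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append(Finding(host, path, "unauthorised"))
        elif baseline[path] != digest:
            findings.append(Finding(host, path, "modified"))
    for path in baseline.keys() - current.keys():
        findings.append(Finding(host, path, "missing"))
    return findings


def reconcile_inventories(hardware_assets, software_inventory):
    """CSC 2.3: the software inventory must key off the hardware inventory.
    Returns hosts that report software but have no hardware asset record."""
    return sorted(set(software_inventory) - set(hardware_assets))


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Build constructed golden and host trees in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = os.path.join(tmp, "golden")
        host = os.path.join(tmp, "ws-0042")
        # Authorised image: one executable, one library, one config file (not tracked).
        _write(golden, "bin/app.exe", b"MZ-authorised-build-1.4.2")
        _write(golden, "bin/helper.dll", b"MZ-authorised-helper")
        _write(golden, "etc/app.conf", b"log=off")
        baseline = build_baseline(golden)

        # Host image: app.exe tampered, helper.dll intact, an unknown DLL dropped in.
        _write(host, "bin/app.exe", b"MZ-authorised-build-1.4.2-PATCHED")
        _write(host, "bin/helper.dll", b"MZ-authorised-helper")
        _write(host, "bin/inject.dll", b"MZ-unknown")
        _write(host, "etc/app.conf", b"log=on")
        findings = check_host("ws-0042", host, baseline)

    hardware_assets = {"ws-0042": "ASSET-1001", "srv-01": "ASSET-2001"}   # constructed
    software_inventory = {"ws-0042": baseline, "srv-01": {}, "ws-0099": {}}  # ws-0099 untracked
    return {
        "baseline_entries": len(baseline),
        "findings": sorted((f.path, f.reason) for f in findings),
        "hosts_without_hardware_record": reconcile_inventories(hardware_assets, software_inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run as a script, it reports `bin/app.exe` as modified, `bin/inject.dll` as unauthorised, and `ws-0099` as a host with software but no hardware asset record. The edited `app.conf` produces no finding because the allow-list is scoped to executables and libraries; a production file integrity monitor would normally track configuration files under a separate baseline.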
NIST 800-53 rev4
These are the NIST 800-53 rev4 controls mapped to CSC2: Inventory of Authorised and Unauthorised Software.
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
CM-8: Information System Component Inventory
CM-10: Software Usage Restrictions
CM-11: User-Installed Software
SA-4: Acquisition Process
SC-18: Mobile Code
SC-34: Non-Modifiable Executable Programs
SI-4: Information System Monitoring
PM-5: Information System Inventory