CIS 18 IG1: Control 2

Welcome to my second post in this series! This post will focus on the second control of the CIS 18, which is the Inventory and Control of Software Assets. This often goes hand in hand with the first control, as you'll often list Hardware and software in the same list to make it easier to control and track. In fact, I'll be updating the first control's spreadsheet to make it into a hardware/software list!

If you haven't read the previous posts in the series, you can read the first one at the following link:

2.1 Establish and Maintain a Software Inventory

The software inventory can be maintained very similarly to how we maintain the enterprise asset list (the hardware list) for control 1. In fact, these two sheets are often combined into a Hardware/Software list, which we will do too! So as a reminder, I'd recommend using Excel for this portion of the task, or if you don't have it, LibreOffice is a good alternative. When we get to IG2, we'll talk about automating this task (to meet subcontrol 2.4) which will make this easier in the future!

Hardware/Software List

The software list must be updated/verified at least twice per year, but more often is preferred.

2.2 Ensure Authorized Software is Currently Supported

This control is looking to make sure that you have the latest (or a long-term support) version of each software available, and that it is still updated/supported by the vendor. The first step is to verify that the software is still supported at all. In most cases, this is as simple as going to the vendor's website and seeing if they still list it for sale. If they do not list it, in most cases, it is no longer supported software.

If you have confirmed it is still supported, you then need to make sure that it is the latest version. If the software has a built-in update feature, you can simply run the update feature to make sure the latest version is installed. If it is not, most applications will update themselves, or you'll need to manually click an update button to do so.

If the software does not have an update feature built in, then you'll need to visit the vendor's download portal for this site and confirm that the version they list as most recent is what you have installed. If it is not, you'll need to update it.

Any time an application is updated, you must update the Software list to track the new version(s) installed.

This check must be completed at least monthly for all installed software in your network.

My software is no longer supported, but it is critical to my business!

That's okay! It's generally understood that this is a scenario that can happen. If this happens to you, you must document an exception that details what mitigations you have in place that help lower the risk of having this unsupported software, and then have the residual risk accepted by whoever is authorized in your organization to do so. If you are the owner of the company, it's almost certainly you, unless you delegated that task to someone else (be careful with this!)

2.3 Address Unauthorized Software

If you come across software that is not authorized according to your software list on one of your monthly audits, it needs to be addressed. Now what does addressed mean? First, you must remove it from use on any assets that it is installed on. Basically, uninstall the software. Ensure that the violation is documented that states where it was found and what your action was. If it is determined that this software is needed to complete the task, document the exception and begin the process of authorizing it for your system (add it to your software list and begin tracking its support and updates status).

And that concludes CIS Control 2 for IG1. Next week we'll check out CIS Control 3, which is Data protection. We'll cover what a data management process is and what you need to plan for when writing one. We'll also look at how to establish a data inventory, what data access control lists are and how we can accomplish it, data retention policies, how to securely dispose of data, and how to encrypt data on endpoint devices.

Cody Dostal

Cody Dostal