Benefits of a Software Inventory
From the CISO down to the IT operations staff, all members of an organization's security team need to understand the scope of the organization's digital footprint and have a detailed understanding of what software is authorized. The first step in identifying what needs to be protected (and how) is to develop and maintain a software inventory.
Identifying the software and applications used by the business enables management to establish a criticality rating for the software based on the business application, established through the Business Impact Analysis (BIA) of the Business Continuity Plan (BCP). This information is used to determine the level of protection and breach impact for the confidentiality, integrity, and availability of the data. Management establishes policies and controls for the software that align with business and compliance requirements. The software inventory also enables Risk Managers and Vendor Relationship Managers to communicate compliance with internal controls and SLAs for software used in the environment. A software inventory enables the CISO to provide validation of the organization's security program by verifying that software risk has been identified and evaluated.
Security operations teams perform scans to identify operating system and application versions, including unsupported software and unpatched systems. This information is used to establish a secure baseline and measure drift from that baseline. Using Tenable Vulnerability Management or Tenable Security Center, technical staff generate dashboards and reports that can be sent to upper management with a high-level summary of software that is running in the environment. This information shows whether the software is authorized, appropriately licensed, supported, and has the most recent security fixes applied.
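The baseline-and-drift comparison described above, as an added example that is not Tenable's code or part of the original page: it classifies scanned software as unauthorized, unsupported, or outdated against an approved inventory. The product names, hosts, versions, dates, and function names are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import date

# Constructed baseline (hypothetical products): minimum approved version, end-of-support date.
BASELINE = {
    "exampledb":  {"min_version": "14.5", "end_of_support": date(2027, 1, 1)},
    "acme-agent": {"min_version": "2.1",  "end_of_support": date(2026, 6, 30)},
    "legacy-ftp": {"min_version": "1.0",  "end_of_support": date(2020, 1, 1)},
}
# Constructed scan output: (host, software, detected version).
SCAN = [
    ("web01", "exampledb", "14.2"),
    ("web01", "acme-agent", "2.1.0"),
    ("db01", "exampledb", "14.10"),
    ("db01", "legacy-ftp", "1.0.9"),
    ("db01", "torrent-client", "4.6"),
]
TODAY = date(2024, 6, 1)  # fixed so the result is reproducible

def version_key(version, width=4):
    """Numeric components, zero-padded so that 2.1 == 2.1.0 and 14.10 > 14.5."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def classify(name, version, today):
    entry = BASELINE.get(name)
    if entry is None:
        return "unauthorized"          # not in the approved inventory
    if entry["end_of_support"] < today:
        return "unsupported"           # vendor no longer ships fixes
    if version_key(version) < version_key(entry["min_version"]):
        return "outdated"              # below the baseline version
    return "compliant"

def drift_report(scan, today):
    """Per-host list of findings that deviate from the baseline."""
    report = {}
    for host, name, version in scan:
        status = classify(name, version, today)
        if status != "compliant":
            report.setdefault(host, []).append((name, version, status))
    return report

def summary(scan, today):
    return Counter(classify(n, v, today) for _, n, v in scan)

if __name__ == "__main__":
    print(drift_report(SCAN, TODAY), dict(summary(SCAN, TODAY)), sep="\n")
```

Comparing versions as padded numeric tuples avoids the string-comparison trap where "14.10" sorts below "14.5" and a current install is reported as drift.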