2.1: Maintain Inventory of Authorized Software

Sub-control 2.1 states that an up-to-date list of all authorized software required in the enterprise for any business purpose on any business system must be maintained.

Asset Type: Applications
Security Function: Identify
Implementation Groups: 1, 2, 3

Dependencies

  • None

Inputs

  1. Authorized Software List: The authorized software list that contains a timestamp indicating both the last updated and last verified values. The organization should have a list of all approved applications. Reviewers should identify organizational artifacts such as a “Gold” image that is used to provision servers and/or desktops/laptops, purchase orders, and license agreements to create a master list of approved software.
  2. Definition of “Up-to-Date”: An organizationally defined time frame for the term “up-to-date”. This time frame includes remediating issues, such as removing unapproved software or patching unsupported/out-of-date software. The CIS recommends this be at least monthly.

Operations

  1. Test for the presence of the list. This is a TRUE/FALSE value (M1).
  2. (Optional) If specific attributes of the software are deemed required, test for those (vendor, product name, version, business case, etc.).

    1. We highly recommend that software versions be checked when evaluating installed software. Reviewing software version information ensures all software components are patched and up to date. Patching remains a critical concern for organizations to protect themselves.

  3. Compare the timestamp of I1 against the current date to determine if the most recent update/verification is within the timeframe specified by I2. This is a TRUE/FALSE value (M2).

Measures

  • M1:
    • TRUE if the authorized software list is present and in the proper format.
    • FALSE if the authorized software list is not present or is in the incorrect format.
  • M2:
    • TRUE if the most recent update/verification is within the “up-to-date” threshold.
    • FALSE if the most recent update/verification is not within the “up-to-date” threshold.

Metrics

Update Quality

Metric: Is the authorized software list present and up-to-date?
Calculation: M1 AND M2
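The following is an added worked example, not part of the CIS document, showing how Operations 1 through 3, the measures M1 and M2, and the "M1 AND M2" metric can be evaluated by a script against an exported authorized software list. The JSON layout (a top-level object with last_updated, last_verified and a software array), the attribute names checked under the optional Operation 2, the sample records, and the reference date REFERENCE_NOW are all constructed assumptions for this example; the CIS document does not prescribe a file format. For M2 the script follows the wording above and compares the more recent of the two timestamps against the threshold from I2.

```python
"""
Added example (not from the CIS document): a checker for sub-control 2.1 that
returns M1, M2 and the "Update Quality" metric for an authorized software list.
The JSON layout, field names and sample data below are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Attributes the optional Operation 2 may require of every entry (assumed names).
REQUIRED_ATTRIBUTES = ("vendor", "product_name", "version", "business_case")

# Constructed sample of input I1; timestamps are ISO 8601 with a UTC offset.
SAMPLE_LIST_JSON = """
{
  "last_updated": "2024-05-02T09:00:00+00:00",
  "last_verified": "2024-05-10T15:30:00+00:00",
  "software": [
    {"vendor": "ExampleCorp", "product_name": "Widget Suite", "version": "4.2.1",
     "business_case": "Finance reporting"},
    {"vendor": "ExampleCorp", "product_name": "Remote Tool", "version": "1.0.3",
     "business_case": "Help desk"}
  ]
}
"""

# Constructed "current date" so the example is reproducible offline.
REFERENCE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)


def load_list(raw):
    """Operation 1 / M1: return the parsed list if it is present and in the
    expected format, otherwise None. "Proper format" is taken to mean a JSON
    object with parseable last_updated and last_verified timestamps and a
    non-empty software array."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    for key in ("last_updated", "last_verified"):
        try:
            datetime.fromisoformat(data[key])
        except (KeyError, TypeError, ValueError):
            return None
    if not isinstance(data.get("software"), list) or not data["software"]:
        return None
    return data


def missing_attributes(data, required=REQUIRED_ATTRIBUTES):
    """Operation 2 (optional): (index, attribute) pairs that are absent or
    blank, so a reviewer can see which entries still need completing."""
    gaps = []
    for i, entry in enumerate(data["software"]):
        for attr in required:
            if not str(entry.get(attr, "")).strip():
                gaps.append((i, attr))
    return gaps


def is_up_to_date(data, now, threshold_days):
    """Operation 3 / M2: the most recent of the last-updated and last-verified
    timestamps must fall within the organization's "up-to-date" window (I2)."""
    latest = max(datetime.fromisoformat(data[k])
                 for k in ("last_updated", "last_verified"))
    if latest > now:            # a future timestamp is treated as invalid
        return False
    return now - latest <= timedelta(days=threshold_days)


def evaluate(raw, now, threshold_days=30):
    """Return M1, M2, any attribute gaps, and the metric M1 AND M2.
    threshold_days defaults to the monthly cadence the CIS recommends."""
    data = load_list(raw)
    m1 = data is not None
    m2 = m1 and is_up_to_date(data, now, threshold_days)
    gaps = missing_attributes(data) if m1 else []
    return {"M1": m1, "M2": m2, "attribute_gaps": gaps, "metric": m1 and m2}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LIST_JSON, REFERENCE_NOW))
```

Note that M2 can only be TRUE when M1 is TRUE: a list that is absent or malformed has no trustworthy timestamp to compare, so the metric falls through to FALSE without a separate special case. Tightening threshold_days below the ten days between the sample's last verification and REFERENCE_NOW flips M2, which is the behaviour an assessor expects when the organization's definition of "up-to-date" is stricter than monthly.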