Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
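The inventory sub-controls above (track name, version, publisher and install date; tag unsupported software; tie software to hardware assets; find unauthorized software) can be reconciled as in the following sketch. It is an added example, not part of the CIS Controls text or of any inventory product. The asset IDs, software entries and the exact-match rule on (name, version, publisher) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Software:
    name: str
    version: str
    publisher: str
    install_date: date

# Authorized inventory keyed by (name, version, publisher).
# Value: True if the vendor still supports it. All entries are constructed samples.
AUTHORIZED = {
    ("Firefox ESR", "115.9", "Mozilla"): True,
    ("LegacyERP Client", "4.2", "ExampleSoft"): False,  # authorized, tagged unsupported
}

# Discovered installs per hardware asset ID (constructed), as an inventory tool might report.
DISCOVERED = {
    "HW-0001": [Software("Firefox ESR", "115.9", "Mozilla", date(2024, 3, 1)),
                Software("LegacyERP Client", "4.2", "ExampleSoft", date(2019, 6, 12))],
    "HW-0002": [Software("Firefox ESR", "102.0", "Mozilla", date(2022, 7, 5)),
                Software("TorrentGet", "1.0", "Unknown", date(2024, 5, 20))],
}

def reconcile(discovered, authorized):
    """Return (asset_id, software, status) findings, sorted for stable reporting."""
    findings = []
    for asset_id, installs in discovered.items():
        for sw in installs:
            key = (sw.name, sw.version, sw.publisher)
            if key not in authorized:
                status = "unauthorized"   # remove it, or review and update the inventory
            elif not authorized[key]:
                status = "unsupported"    # known, but no longer receiving vendor updates
            else:
                status = "authorized"
            findings.append((asset_id, sw, status))
    return sorted(findings, key=lambda f: (f[0], f[1].name, f[1].version))

def action_items(findings):
    """Keep only the findings that need follow-up."""
    return [(a, sw.name, sw.version, s) for a, sw, s in findings if s != "authorized"]

if __name__ == "__main__":
    for item in action_items(reconcile(DISCOVERED, AUTHORIZED)):
        print(*item, sep="\t")
```

Because the match includes the version, an older build of an otherwise authorized product (Firefox ESR 102.0 here) is reported as unauthorized rather than silently accepted.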