CIS Controls: Software Asset List

The CIS Controls (cisecurity.org/controls) are a great guide for everyone within an organization.  The top 2 items are an inventory and control of hardware assets and an inventory and control of software assets (Controls 1 and 2 respectively).  I will cover the reasons why a hardware asset list is important in another discussion; here we will focus on software.

#2 on the CIS security controls top 20 list is an “inventory and control of software assets”.  I will refer to it as a software asset list for this post. While there are several reasons why a software asset list is important and useful to personnel at all levels of an organization, most organizations do not have one in place. Here are a few of the main reasons I feel a software asset list is important for every organization to have. This isn’t an all-inclusive list, as we are focusing on several of the key points which may help security/compliance professionals provide the justification they need to get a software asset list onto the roadmap.

Here are the key points we will cover in this discussion:

  • Provides security, compliance and infrastructure teams with a list of software used in the environment

  • Provides a guide and justification for the Service Desk on what software has been approved (by security, compliance, procurement, etc.) for installation and support

  • Can save organizations from penalties and lawsuits

  • Can help uncover duplicated software, which could lead to cost savings

  • Can help uncover unused licenses, which can be reallocated leading to cost savings

  • Allows personnel in the organization to know what software is available for use

  • Why users having admin rights isn’t a reason to avoid creating a software asset list

The security, compliance and infrastructure teams will benefit quite a bit from a software asset list for a variety of reasons. For compliance teams, having a list of approved software in the environment helps with audits (internal and external) as well as strengthening policies and procedures. It’s one thing to say in a policy, “It’s prohibited to install unapproved software”, but it takes on a whole new meaning when the policy can say, “Do not install any application not listed on the software asset list”. This removes all doubt and provides HR and Legal teams with more solid guidance in the event disciplinary action needs to take place. A software asset list also provides security and compliance teams with a quick way to determine if something is used in their environment. If a vulnerability is announced in a piece of software, the compliance and security teams can look at the software asset list to see if that software is used within the environment and quickly alert the required teams to patch the vulnerability or remove the software if needed. Security, compliance and infrastructure teams benefit by having a source of record about what is permitted and used in the environment, which will help during incident response, planning, patching, testing and troubleshooting efforts.

One of the biggest advantages, often overlooked but a great justification for establishing a software asset list, is the impact it can have on the IT Service Desk. Service Desk teams spend a lot of time troubleshooting software problems, which ultimately impacts resources (personnel, time, budgets). One way to help alleviate this burden is to have and use a software asset list. If someone asks for a piece of software to be installed, the Service Desk can see if it is on the software asset list. If it isn’t, they can point the customer to the correct compliance/security process to request the software. If the Service Desk is asked to troubleshoot a piece of software not on the software asset list, they can remove the software and point the customer to the appropriate security/compliance process to have the software approved. Not only would a software asset list save the Service Desk resources from troubleshooting unapproved software, it will also protect the Service Desk, because they can point to the software asset list if they are asked to install unapproved or risky software. Quite often, Service Desk personnel are put in a tough situation when asked to install potentially harmful software without a process or software asset list in place. The software asset list will also provide a process safeguard to ensure software/applications are correctly presented to security and compliance teams for a proper risk review.

One of the issues I’ve seen a lot in my career is personnel installing software that puts the organization in a bind legally. It’s very easy for someone not to understand the legal ramifications of license agreements or EULAs (End User License Agreements) if they have never spent time on a compliance team, don’t have legal experience or training, or haven’t been on the wrong side of a EULA violation claim. A software asset list can help protect everyone within the organization, because it provides a quick glance at what software is safe to use not only from a security and compliance perspective, but from a legal perspective as well.

One of the problems most organizations face is the use of duplicated software. Not only does using duplicated software invite unneeded risk to an organization, it can seriously impact budgets. Several teams would be able to use a software asset list to uncover duplicated software. For example, security, compliance and procurement teams could all potentially spot duplicated software as part of their risk review or approval processes if they scanned the software asset list as a first step.

If licenses are required for software usage, a software asset list can also track who the licenses are assigned to. If the list is audited regularly, there is a possibility to discover unused licenses. The unused licenses can be reallocated, thus saving an organization from having to buy additional licenses when they are not needed.
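As an added example (not part of the original post), the checks described above can be run against the list itself: flagging installs that are not on the approved list, finding the hosts to alert when an advisory names a product, spotting duplicated software in one category, and finding unused licenses. The approved list, the endpoint inventory, and all product and user names below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: the approved software asset list, with a
# functional category and the users each paid license is assigned to.
APPROVED = [
    {"name": "Acme PDF Pro", "category": "pdf-editor", "licenses": 5,
     "assigned": ["alice", "bob"]},
    {"name": "Vendor Archiver", "category": "archiver", "licenses": 10,
     "assigned": ["alice", "bob", "carol"]},
    {"name": "Other Archiver", "category": "archiver", "licenses": 3,
     "assigned": ["dave"]},
    {"name": "Example Browser", "category": "browser", "licenses": 0,
     "assigned": []},
]

# Constructed sample data: what endpoint agents report as installed,
# as (host, logged-in user, software name).
INVENTORY = [
    ("ws-001", "alice", "Acme PDF Pro"),
    ("ws-002", "bob", "Vendor Archiver"),
    ("ws-003", "carol", "Free Screen Recorder"),
    ("ws-003", "carol", "Example Browser"),
]


def unapproved_installs(inventory, approved):
    """Installed software not on the asset list: the Service Desk removes
    it and points the user at the approval process."""
    names = {a["name"] for a in approved}
    return sorted((host, sw) for host, _user, sw in inventory if sw not in names)


def hosts_running(inventory, name):
    """Hosts to alert when a vulnerability is announced in `name`."""
    return sorted({host for host, _user, sw in inventory if sw == name})


def duplicated_categories(approved):
    """Categories covered by more than one approved product."""
    by_cat = defaultdict(list)
    for a in approved:
        by_cat[a["category"]].append(a["name"])
    return {c: sorted(n) for c, n in by_cat.items() if len(n) > 1}


def unused_licenses(approved):
    """Paid seats with nobody assigned; candidates for reallocation."""
    return {a["name"]: a["licenses"] - len(a["assigned"])
            for a in approved if a["licenses"] > len(a["assigned"])}
```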

Another great benefit of software asset lists is the ability for everyone within the organization to see what software is available for use. Quite often I’ve seen people struggle daily with a process, not knowing there is an application already available within their organization that could quickly improve the process they are struggling with. This may not be one of the daily use benefits of having a software asset list, but it can quickly become one of the best.

If you have ever tried to create a software asset list, I know what you may be thinking or saying... these are all great reasons, but every time I try to have one created I’m told it is a waste of time and isn’t something we could keep updated due to people having admin rights on their machine(s). While this will impact the ability to keep the list of software used in the environment accurate and up-to-date, it isn’t a valid reason to abandon the list altogether.  As we discussed in the first bullet point, having a software asset list will strengthen policies and procedures. It removes doubt for personnel on what is permitted in the environment while providing HR and Legal with strong guidance in the event disciplinary action needs to be pursued. It also provides the IT Service Desk, security and compliance teams with a way to enforce policies around installing unapproved software. An organization will never begin to get a handle on the software used within their environment without strong policies and procedures, and a software asset list will only strengthen those policies and procedures. Even if personnel can install software due to having admin rights on their machine(s), it doesn’t remove all of the benefits we discussed previously.

It will take time and effort to create a software asset list, but it is worth it. And once it is established, maintaining it is much easier.