2.1: Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Applications | Identify | 1, 2, 3 |
Dependencies
None
Inputs
1. Authorized Software List: The authorized software list (containing a timestamp indicating both last updated and last verified values).
2. An organizationally defined acceptable timeframe for “up-to-date” (recommend at least monthly).
Operations
1. Test for the presence of the list; a TRUE/FALSE value (M1).
2. (Optional) If specific attributes of the software are deemed required, test for those (vendor, product name, version, business case, etc.).
3. Compare the timestamp of Input 1 against the current date to determine if the most recent update/verification is within the timeframe specified by Input 2; a TRUE/FALSE value (M2).
Measures
M1 = TRUE if authorized software list is present and in the proper format, FALSE otherwise
M2 = TRUE if the most recent update/verification is within the “up-to-date” threshold; FALSE otherwise
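
The following is an added example, not part of the specification, that computes M1 and M2 as defined above for a list stored as JSON. The file layout (`last_updated`, `last_verified`, `software`), the attribute names, the 30-day threshold and the rejection of future-dated timestamps are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed attribute names; the specification only gives these as examples
# of attributes an organization may choose to require.
REQUIRED_ATTRS = ("vendor", "product_name", "version", "business_case")


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def assess(raw, now, max_age=timedelta(days=30), required=REQUIRED_ATTRS):
    """Return (M1, M2) for JSON text `raw`; `now` must be timezone-aware."""
    try:
        doc = json.loads(raw)
        entries = doc["software"]
        stamps = [_parse_ts(doc["last_updated"]), _parse_ts(doc["last_verified"])]
    except (TypeError, ValueError, KeyError):
        return False, False  # absent or malformed list fails both measures
    # M1: list present, non-empty, every entry has each required attribute
    m1 = isinstance(entries, list) and len(entries) > 0 and all(
        isinstance(e, dict)
        and all(isinstance(e.get(a), str) and e[a].strip() for a in required)
        for e in entries
    )
    # M2: most recent update/verification falls within the threshold.
    # Assumption: a timestamp later than `now` is treated as not up-to-date.
    age = now - max(stamps)
    m2 = timedelta(0) <= age <= max_age
    return m1, m2


# Constructed sample list (illustrative values, not real inventory data)
SAMPLE = json.dumps({
    "last_updated": "2024-05-02T09:00:00+00:00",
    "last_verified": "2024-05-20T09:00:00+00:00",
    "software": [
        {"vendor": "ExampleSoft", "product_name": "ExampleEdit",
         "version": "4.2", "business_case": "Document editing for finance"},
    ],
})

if __name__ == "__main__":
    print(assess(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```
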
Metrics
Update Quality
Metric | Is the authorized software list present and up-to-date? |
---|---|
Calculation | |