The organization will maintain a software inventory as a part of the asset discovery plan. [UCF ID 00692]
Supporting and supported controls
This control directly supports:
• Maintain asset discovery audit trails [UCF Control ID 00689]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
Gramm-Leach-Bliley Act (GLB) 16 CFR § 314.4(b)(2); FFIEC IT Examination Handbook – Development and Acquisition Pg 32, Exam Obj 11.1; FFIEC IT Examination Handbook – Business Continuity Planning Pg G-7; FFIEC IT Examination Handbook – Operations Pg 9, Exam Tier II Obj A.1; FFIEC IT Examination Handbook – E-Banking Pg 28; The Standard of Good Practice for Information Security SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2, CI1.3.3, CI1.3.4, CI2.5.1, UE3.1.1, UE3.1.2, UE3.1.3, UE3.1.4; ISO 17799:2000, Code of Practice for Information Security Management § 5.1.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § CM-2, CM-2.10; AICPA Suitable Trust Services Criteria ¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13; IT Service Management Standard - Code of Practice, BS 15000-2 § 5.6.1a
Sarbanes Oxley Guidance
¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13 of AICPA Suitable Trust Services Criteria states that the organization should maintain an inventory of all software, including the level, version, and patches that are installed.
P. 34 of Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control states that the organization should document all system software. This documentation should include the type, number, and location of the software and whether it was purchased or developed in-house.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Development and Acquisition Pg 32, Exam Obj 11.1 states that the organization should maintain an up-to-date software inventory as part of the change management process.
The FFIEC IT Examination Handbook – E-Banking Pg 28 states that an up-to-date software inventory should be maintained by the organization. The inventory can aid in speeding up the organization's response to new vulnerabilities and identifying unauthorized software.
NIST Guidance
NIST 800-53 CM-8 calls for the organization to develop, document, and maintain a current inventory of the components of the information system and relevant ownership information. The organization must determine the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system.
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 02055.doc
