Status: Live
The organization will maintain a software inventory as a part of the asset discovery plan. [UCF ID 00692]
Supporting and supported controls
This control directly supports:
- Maintain asset discovery audit trails [UCF Control ID 00689]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Development and Acquisition, Pg 32, Exam Obj 11.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 28; FFIEC IT Examination Handbook – Operations, July 2004, Pg 9, Exam Tier II Obj A.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, UE3.1.1 thru UE3.1.4; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; Archer Control Table, ATCS-020, ATCS-023
Sarbanes Oxley Guidance
The organization should maintain an inventory of all software, including the level, version, and patches that are installed. [¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13, AICPA Suitable Trust Services Principles and Criteria]
The organization should document all system software. This documentation should include the type, number, and location of the software and whether it was purchased or developed in-house. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should maintain an up-to-date software inventory as part of the change management process. [Pg 32, Exam Obj 11.1, FFIEC IT Examination Handbook – Development and Acquisition]
An up-to-date software inventory should be maintained by the organization. The inventory can aid in speeding up the organization's response to new vulnerabilities and identifying unauthorized software. [Pg 28, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should maintain a software inventory. The inventory should include application software, operating system software, and back-office software. For each item, the software inventory should record the application name, the manufacturer, the serial number, the version number, how many copies are installed, and the number and type of licenses owned. [Pg 9, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]
NIST Guidance
[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization ought to develop, document, and maintain a current inventory of the components of the information system and relevant ownership information. The organization must determine the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. [CM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure that a hardware, software, and firmware inventory has been developed and is being maintained; that the inventory includes the manufacturer, type, serial number, version number, location, and components required for contingency operations; and that specific responsibilities and actions are defined for the implementation of the system component inventory control. Any problems discovered during the implementation of the system component inventory control should be documented and used to improve the controls.
Test the system to ensure it is configured to automatically update the software inventory on a scheduled basis. [CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
General Guidance
An inventory should be maintained of all software and critical desktop applications (typically programs developed with a spreadsheet or database program). For each application, the inventory should list the version number, location on the server, a unique description, the intended purpose of the application, who maintains and uses the application, changes made to the application, type of information processed by the application, who is responsible for the development of the application, and the level of complexity of the application. The inventory should be kept up-to-date, independently reviewed, protected so it cannot be changed without proper authorization, and reviewed regularly against actual assets. [SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, UE3.1.1 thru UE3.1.4, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
