Maintain a software inventory.

UCF ID: 00692
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Development and Acquisition, Pg 32, Exam Obj 11.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 28; FFIEC IT Examination Handbook – Operations, July 2004, Pg 9, Exam Tier II Obj A.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § CM-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-2, CM-2.10; The Standard of Good Practice for Information Security, SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, UE3.1.1 thru UE3.1.4; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCSW-1, DSHW-1; FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4, oval:gov.nist.fdcc.ie7:def:627, oval:org.mitre.oval:def:563, oval:org.mitre.oval:def:754, oval:org.mitre.oval:def:4193, oval:org.mitre.oval:def:4870, oval:org.mitre.oval:def:4873, oval:org.mitre.oval:def:5254, oval:org.mitre.oval:def:5356, oval:org.mitre.oval:def:5594, oval:org.mitre.oval:def:5631, oval:org.mitre.oval:def:5653, oval:org.mitre.oval:def:5667, oval:org.mitre.oval:def:5950, oval:org.mitre.oval:def:5954, oval:org.mitre.oval:def:6124, oval:org.mitre.oval:def:6150, oval:org.mitre.oval:def:6165, oval:org.mitre.oval:def:6216, oval:org.mitre.oval:def:6438

Sarbanes Oxley Guidance

The organization should document all system software. This documentation should include the type, number, and location of the software and whether it was purchased or developed in-house. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should maintain an up-to-date software inventory as part of the change management process. [Pg 32, Exam Obj 11.1, FFIEC IT Examination Handbook – Development and Acquisition]

An up-to-date software inventory should be maintained by the organization. The inventory can aid in speeding up the organization's response to new vulnerabilities and identifying unauthorized software. [Pg 28, FFIEC IT Examination Handbook – E-Banking, August 2003]

The organization should maintain a software inventory. The inventory should include application software, operating system software, and back-office software. For each item, the inventory should record the application name; the manufacturer; the serial number; the version number; how many copies are installed; and the number and type of licenses owned. [Pg 9, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Have you examined the Software inventory to ensure that it exists? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the software manufacturer? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the type of software? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the version number of the software? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the software inventory to ensure that it exists? [DSHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the name of the software? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the installation manuals for the software? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Software inventory to ensure that it contains the run documentation (procedures) for the software? [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

NIST Guidance

[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The organization must establish and maintain continuous monitoring policies and procedures that develop, document, and maintain a current inventory of the components of the information system. The inventory must be consistent with the authorization boundary of the system; be at the level of granularity deemed appropriate for tracking and reporting; include any information determined to be necessary by the organization to achieve effective property accountability; and be available for review and audit by designated management. [App F § CM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure that a hardware, software, and firmware inventory has been developed and is being maintained; that the inventory includes the manufacturer, type, serial number, version number, location, and components required for contingency operations; and that specific responsibilities and actions are defined for the implementation of the system component inventory control. Any problems discovered during the implementation of the system component inventory control should be documented and used to improve the controls. Test the system to ensure it is configured to automatically update the software inventory on a scheduled basis. [CM-2, CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

System Configuration Guidance

A version of Microsoft Internet Explorer 7 is installed. [oval:gov.nist.fdcc.ie7:def:627, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The application Microsoft Internet Explorer 6 is installed. [oval:org.mitre.oval:def:563, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

A version of Microsoft Windows XP (x86) Service Pack 2 is installed. [oval:org.mitre.oval:def:754, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

A version of Microsoft Windows XP Professional x64 Edition Service Pack 2 is installed. [oval:org.mitre.oval:def:4193, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 (32-bit) [oval:org.mitre.oval:def:4870, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Vista (32-bit) Service Pack 1 [oval:org.mitre.oval:def:4873, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Vista x64 Edition Service Pack 1 [oval:org.mitre.oval:def:5254, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 (64-bit) [oval:org.mitre.oval:def:5356, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Vista x64 Edition Service Pack 2 [oval:org.mitre.oval:def:5594, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

A version of Microsoft Windows XP (x86) Service Pack 3 is installed. [oval:org.mitre.oval:def:5631, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 (32-bit) Service Pack 2 [oval:org.mitre.oval:def:5653, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 Itanium Edition [oval:org.mitre.oval:def:5667, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows 7 x64 Edition [oval:org.mitre.oval:def:5950, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 R2 Itanium Edition [oval:org.mitre.oval:def:5954, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Vista (32-bit) Service Pack 2 [oval:org.mitre.oval:def:6124, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 Itanium Edition Service Pack 2 [oval:org.mitre.oval:def:6150, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows 7 (32-bit) [oval:org.mitre.oval:def:6165, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 x64 Edition Service Pack 2 [oval:org.mitre.oval:def:6216, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

The operating system installed on the system is Microsoft Windows Server 2008 R2 x64 Edition [oval:org.mitre.oval:def:6438, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4]

General Guidance

The organization should maintain an inventory of all software, including the level, version, and patches that are installed. [¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13, AICPA Suitable Trust Services Principles and Criteria]

An inventory should be maintained of all software and critical desktop applications (typically programs developed with a spreadsheet or database program). For each application, the inventory should list the version number, location on the server, a unique description, the intended purpose of the application, who maintains and uses the application, changes made to the application, type of information processed by the application, who is responsible for the development of the application, and the level of complexity of the application. The inventory should be kept up-to-date, independently reviewed, protected so it cannot be changed without proper authorization, and reviewed regularly against actual assets. [SM4.3.6, SM4.3.7, CB4.2.2, CI1.3.2 thru CI1.3.4, CI2.5.1, UE3.1.1 thru UE3.1.4, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of scheduled asset inventories that occurred on time. [UCF Control ID 02055]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

