
Record software license information for each asset in the asset inventory.


CONTROL ID: 11736
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an asset inventory. (CC ID: 06631)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The asset register should be checked regularly to identify any discrepancy with software licenses. (CF.03.04.05-2, The Standard of Good Practice for Information Security)
  • Asset registers should specify important information about each asset, including licensing details (e.g., license keys and proof of ownership). (CF.03.04.04d, The Standard of Good Practice for Information Security)
  • The asset register should be checked regularly to identify any discrepancy with software licenses. (CF.03.04.05-2, The Standard of Good Practice for Information Security, 2013)
  • Asset registers should specify important information about each asset, including licensing details (e.g., license keys and proof of ownership). (CF.03.04.04e, The Standard of Good Practice for Information Security, 2013)
  • Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The sof… (Control 2.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. (CIS Control 2: Sub-Control 2.4 Track Software Inventory Information, CIS Controls, 7.1)
  • The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. (CIS Control 2: Sub-Control 2.4 Track Software Inventory Information, CIS Controls, V7)
  • Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), … (CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory, CIS Controls, V8)
  • The organization shall ensure that required data and information about licenses, related entitlements, and usage against entitlements, for all IT assets in scope, is accurately recorded throughout the life cycle; that reconciliations are conducted and assessed periodically between requirements, usag… (Section 8.4 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is there a detailed description of software licenses (number of seats, concurrent users, etc.)? (§ D.1.2, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., FedRAMP Security Controls High Baseline, Version 5)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., FedRAMP Security Controls Low Baseline, Version 5)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must use tracking systems for software and documentation to control copying and distribution in order to protect the quantity licenses. (App F § SA-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., TX-RAMP Security Controls Baseline Level 1)
  • Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (CM-10b., TX-RAMP Security Controls Baseline Level 2)