The Center for Internet Security (CIS) Top 20 Critical Security Controls are used by companies large and small across all industries to strengthen cybersecurity. While many other frameworks go beyond these security domains, the CIS Top 20 remain an invaluable set of controls for ensuring that organizations cover the essential security functions that reduce cyber risk.
CIS Control 2: Inventory & Control of Software Assets
CIS Control 2 is strictly about managing and tracking all software on the network so that only authorized software is being used. It also calls for the identification of unwanted software and the implementation of controls to prevent unauthorized and unwanted software from being installed.
Specifically, the CIS recommends that organizations:
- Use software inventory tools to automate documentation of all software used throughout the business
- Use technology to ensure that only authorized software is running and executed on IT assets
It’s Not Easy To Restrict Software on Devices You Don’t Know About
On the surface, satisfying this control seems easy. IT and security teams have many application control tools at their disposal that allow devices to run only permitted software.
But that’s just for devices that IT and security know about. Many devices are harder to identify because of today’s dynamic IT environment. For example, it can be hard to track all software running on mobile and BYOD devices that connect to and leave networks frequently.
With employees now working remotely, this becomes even more challenging. If company-issued devices don’t have all the necessary controls, employees may be unintentionally installing malicious software. Or they may be using personal devices for work, and accessing corporate data on a machine running unwanted software.