Managed Software Inventory Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving requirement 2.1, Managed Software Inventory.

Requirement

Resource Custodians must manage and regularly review installed software, and install only software packages required for business purposes.

Description of Risk

Attackers use and deploy malicious software to gain unauthorized access to systems and sensitive data. When software on a device is not required for business purposes, it unnecessarily introduces potential vulnerabilities and thereby increases the likelihood of compromise.

Recommendations

One of the key requirements in making covered devices less susceptible to malicious activities is to inventory and regulate which software is installed and allowed to run on covered devices. Poorly controlled machines are more likely to be running software that is unneeded for business purposes (introducing vulnerabilities) or running malware introduced by a computer attacker after a system is compromised. Without complete software inventories, resource custodians are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.

Follow the recommendations below to implement managed software inventory properly:

Management

1. Resource Custodians should utilize a process to maintain inventories of installed software packages for all covered devices. Inventories should include, at a minimum, detailed information about the installed software, including the version number and patch level.
2. Resource Custodians should create a list of authorized software for each device type. Authorized software should include only software necessary to meet business needs. Optionally, file integrity checking software could be used to validate with additional assurance that software has not been modified.
3. Inventory should be updated continuously to reflect the latest changes in installed applications. Where continuous updates cannot be reasonably implemented, inventory must be updated at least monthly using an automated process to allow for review and approval of changes per recommendations below.
4. The inventory process should detect and alert the Resource Custodian about unauthorized software packages discovered on a device.

Review

1. A process exists for the Resource Custodian to periodically review the list of newly installed or updated software packages at least monthly and reconcile that list against the authorized list of software packages.

Approval

1. A process exists for Resource Custodian to approve new or updated software based on business needs. The business need must be construed narrowly such that software must be installed only where necessary for the business purpose or purposes for which the covered data is required.
2. Any unauthorized software must be removed, added to the authorized software list, or approved as an exception.
3. All decisions must be documented.

Software Inventory Tools

Listed below is a sample list of software tools that may help to gather software inventory data on individual covered devices:

• Secunia PSI (Microsoft Windows)
• Apple System Profiler (Mac OS X)
• cfg2html (*nix)
• Package management software (RPM, APT, pkg_*, etc.)

Where a large number of covered devices require software inventory, data custodians should also explore the centrally managed software inventory solutions. Examples of centrally managed software inventory solution include:

• Tivoli Endpoint Manager - TEM (Microsoft Windows, Mac OS X, and Linux devices)
• Casper (Mac OS X devices)
• Apple Remote Desktop (Mac OS X devices)
• Spiceworks (Microsoft Windows, Mac OS X, and Linux devices)