Software Asset Management (SWAM) Capability Data Sheet



Similar documents
Manage Vulnerabilities (VULN) Capability Data Sheet

Software Asset Management (SWAM) Capability Description

Software Asset Management (SWAM) Illustrative Process

HWAM Capability Data Sheet

CDM Software Asset Management (SWAM) Capability

Management (CSM) Capability

CDM Vulnerability Management (VUL) Capability

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Critical Security Controls

CDM Hardware Asset Management (HWAM) Capability

Data Management Policies. Sage ERP Online

AUTOMATING THE 20 CRITICAL SECURITY CONTROLS

Pragmatic Metrics for Building Security Dashboards

Security Standard: Servers, Server-based Applications and Databases

DATA SECURITY AGREEMENT. Addendum # to Contract #

Attachment A. Identification of Risks/Cybersecurity Governance

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

TRIPWIRE NERC SOLUTION SUITE

VA Office of Inspector General

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

SUPPLIER SECURITY STANDARD

24/7 Visibility into Advanced Malware on Networks and Endpoints

How To Audit The Mint'S Information Technology

Host-based Intrusion Prevention System (HIPS)

NERC CIP VERSION 5 COMPLIANCE

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Computer and Network Security Policy

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Automation Support for Security Control Assessments

Defending Against Data Beaches: Internal Controls for Cybersecurity

Patch and Vulnerability Management Program

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

HIPAA Security Alert

Capital District Vulnerability Assessment

Introduction. PCI DSS Overview

Ovation Security Center Data Sheet

Security aspects of e-tailing. Chapter 7

Protecting Your Organisation from Targeted Cyber Intrusion

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Ovation Security Center Data Sheet

End-user Security Analytics Strengthens Protection with ArcSight

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

OCIE CYBERSECURITY INITIATIVE

Best Practices for DanPac Express Cyber Security

5 Steps to Advanced Threat Protection

CONTINUOUS MONITORING

BM482E Introduction to Computer Security

Symantec Endpoint Protection

Office of Inspector General

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

THE TOP 4 CONTROLS.

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

VA Office of Inspector General

Total Defense Endpoint Premium r12

How To Improve Nasa'S Security

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

NIST Special Publication (SP) Guide to Application Whitelisting

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

Guideline on Auditing and Log Management

SOFTWARE ASSET MANAGEMENT

Information security controls. Briefing for clients on Experian information security controls

Windows Operating Systems. Basic Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Common Cyber Threats. Common cyber threats include:

GFI White Paper PCI-DSS compliance and GFI Software products

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

External Supplier Control Requirements

System Security Policy Management: Advanced Audit Tasks

Verve Security Center

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Cyber Essentials Scheme

AHS Flaw Remediation Standard

Implementing SANS Top 20 Critical Security Controls with ConsoleWorks

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc.

Supplier Information Security Addendum for GE Restricted Data

Transcription:

Software Asset Management (SWAM) Capability Data Sheet Desired State: - Only authorized software products and executable files are installed on in scope devices - All devices are assigned or authorized for a set of device attributes and any authorizations are revalidated on a periodic basis - All software installation and execution restriction mechanisms are deployed and configured correctly - All blacklists are up-to-date - All software not explicitly identified in a whitelist or blacklist is included in the graylist - All graylist software is investigated and determined to be authorized or unauthorized within a specific period of time, and added to the appropriate whitelist or blacklist Desired State Data Requirements: Data Item Authorized Hardware Inventory to include assigned and authorized device attributes The associated Value for attribute 1 Sets of attributes that are designated mutually exclusive per the D/A s policy Justification To identify what devices to check against what defect checks To prioritize defects associated with devices. For comparison with the set of assigned attributes for device 1 This value will initially be defined by the D/A with some guidance from the CDM PMO. Once the necessary data becomes available, it will be calculated from the value assigned by the D/A to assets. 1

A listing of all authorized software for the D/A to include: Data necessary to accurately identify the software product and compare to actual state data collected o Vendor o Product o Version/Release level/patch level o Software identification tag (SWID) o CPE Authoritative listing of executable files associated with product Software Manager Expiration policy Software authorization status Date initially authorized Date last authorized Date revoked Management responsibility for each software management function for each authorized software product Local enhancements 2 might include: Approvers being assigned Managers being approved Managers acknowledging receipt To calculate expiration dates for authorized software To enable automated removal of differences that are not defects To be able to uniquely identify the software To be able to validate that the software on the device is truly the software authorized To know who to instruct to fix specific risk conditions found To assess each such person s performance in risk management To identify management responsibilities for ensuring that licensing, patching, and configuration standards are up-to-date If not specified explicitly, this is assumed to be the device manager To know who to instruct to fix specific risk conditions found To assess each such person s performance in risk management 2 Departments and Agencies can define data requirements and associated defects for their local environment. This is done in coordination with the CMaaS contractor and these local defects are not reported to the Federal Dashboard. 2

A set of Software Profiles for the D/A to include: Associated attributes 3 Allowed software Mandatory software Prohibited software products blacklist Known-bad blacklist 4 Update frequency for known-bad blacklist Sets of device attributes that require a unique software profile when assigned to the same device to include: Software profile(s) replaced Software profile(s) used To compare with the software present on a device to determine defects To define authorized and unauthorized software on a per device basis To determine when software no longer authorized for the environment is being used for baselines To determine if known-bad blacklists are out of date To enforce more restrictive policies on devices that are assigned sets of attributes (e.g., database server and database authentication server) Actual State: - All enumerated software installed on all devices - All known-bad blacklists deployed and date/time of last update - Collection mechanisms and/or processes to detect and record/report the actual state information Actual State Data Requirements: While not explicitly stated below, all Actual State Data elements must have a date/time associated with each collection instance of that element 5. 3 Software profiles have a one-to-many relationship with device attributes. One profile can have more than one device attribute associated with it (e.g., both Internal Web Server and External Web Server can map to the same Web Server software profile), but every device attribute is associated with exactly one software profile. 4 Known bad blacklists are quite large, very dynamic, and often maintained by an antivirus or antimalware vendor. It is not expected that the D/A will know what software is on the list, but that they will know what blacklist is to be used and how frequently it is to be updated. 5 Collection often occurs in batches, where the sensors collect from a set of devices at once. As long as a date/time can be provided for the data resulting from that collection to a reasonable precision (i.e., ± 1 hour), that is acceptable. 3

Data Item The software installed on every device. This data must be converted into a format that can be compared with the authorized software inventory. Examples include: SWID CPE Data necessary to determine how long unauthorized software has been present on a device. At a minimum: Date/time it was first discovered Date/time it was last seen Known-bad blacklist used to check device to include version number or date of last update Justification To identify when unauthorized software is installed on a device To determine how long unauthorized software has been on a device To determine if device was checked for unauthorized software To determine if the known-bad blacklist is up-todate per policy Defects: A defect is defined as a discrepancy between the authorized software inventory and what software is present on a device. It can also be an inconsistency between policies or authorizations associated with: device roles, software products, blacklists, or software profiles. The following are defects for SWAM: Defect Type Software authorization is expired Software is on graylist and is marked treated as authorized 7 Why is this considered a risk condition? The risk associated with authorization decisions increases with time. Decisions that were acceptable in the past may now be considered too risky Malicious software is allowed to be installed on devices Typical Mitigation 6 Option 1: Reauthorize the software Authorize the software Typical Mitigation Option 2: Otherwise, revoke/suspend the software s authorization Otherwise, move it to the graylist-treat as unauthorized 6 Risk acceptance is always an option. In the case of Option 1 and Option 2, the risk conditions and scores do not go away. They remain visible to ensure that the organization understands the impact of their risk acceptance decisions over time and in aggregate. 7 CDM will create a defect for any software placed on the graylist-treat as authorized. The expectation is that the D/A will decide how long organizations have to investigate and either add the software to appropriate white/blacklists. This grace period will be built into the scoring 4

Defect Type An authorized device s assigned device roles are not collected or defined (Non-reporting for device roles) The D/A s device role policy is violated (e.g., One device is assigned device roles that are deemed incompatible by policy) Known-bad blacklist is not defined for device Known-bad blacklist is not deployed or implemented for device Known-bad blacklist is out of date Why is this considered a risk condition? A device is allowed to have excessive, unauthorized, or outdated software. Device role policies are designed to prevent one device from being able to overly impact the organization due to excessive access or privilege. Compromised devices continue to operate on the network Devices that have become compromised since their last check continue to operate on the network Devices can be compromised by known attacks and continue to operate on the network until the blacklist is updated Typical Mitigation 6 Option 1: Correct the processes developed to provide necessary data If the device roles are known for the device, record them Remove device from device role considered mutually exclusive If known-bad blacklist to use for device is known, record it in the authorized software inventory Run known-bad blacklist against the device and deploy capability to perform timely automated checking Update the blacklist for the device and deploy capability to perform timely automated checking Typical Mitigation Option 2: the collection issue if the process is working appropriately Otherwise, determine the appropriate device roles and record them Otherwise, update device role policy; Otherwise, determine which known-bad blacklist to use and record it in the authorized software inventory the implementation issue with existing capability the implementation issue with existing capability function in the dashboard instead of the defect identification process meaning that this will be a defect, but not scored until the grace period is expired. 5

Defect Type Device has unauthorized, but not blacklisted or graylist-treat as unauthorized, software installed 8 Device has blacklisted or graylist-treat as unauthorized software installed Software installation restriction mechanism is not deployed or configured correctly Software execution restriction mechanism is not deployed or configured correctly An important data element of the authorized software inventory is missing Installed software has not been reported within a set timeframe for a device (Non-reporting for Software) Why is this considered a risk condition? Unauthorized software is less trustworthy, more vulnerable, or increases the attack surface for an organization as compared to authorized software. Blacklisted software (e.g., malware) is most often either an artifact of compromise or an initial precondition for compromise Unauthorized or malicious software is allowed to be installed on the device Attacks that exploit vulnerable or flawed software can successfully compromise device A key piece of information used to score or assign risk is unknown The Department or Agency s (D/A) ability to monitor vulnerable conditions is limited Typical Mitigation 6 Option 1: If the software should be on a device, authorize it and record it in the authorized software inventory Remove the software from the device Deploy the mechanism or configure it per policy Deploy the mechanism or configure it per policy If the data element is known, record the information in the authorized software inventory Work with the sensor/collection managers or process owners to troubleshoot/resolve the problem. Typical Mitigation Option 2: Otherwise, remove the software from the device If investigation shows that software should NOT be on the blacklist or graylisttreat as unauthorized, then authorize software for appropriate profiles the implementation issue with existing mechanism the implementation issue with existing mechanism Otherwise, determine or define the data element and record this in the authorized software inventory Otherwise, revoke or suspend the device s authorization 8 All software discovered on a device that is not currently on any white/gray/black list will be automatically placed on the graylist. The D/A will decide if the default is treat as authorized or treat as unauthorized. 6

Appendix A - Definitions Term Definition Authorized Hardware Inventory Blacklist Common Platform Enumeration (CPE) Device Device Attribute Device Attribute Authorization Status Device Attribute Hierarchy Name Device Attribute Hierarchy Status Executable file Expiration Policy Graylist Known Bad Blacklist Prohibited Software Products Blacklist List of authorized hardware assets for an organization or subnet. List of unauthorized software for a D/A or device. Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. 9 IP-addressable asset on the network or a non-addressable component (e.g. removable media) able to interact with the D/A s data and resources. Device attributes are a way to describe a set of labels, values, and hierarchies associated with dimensions or characteristics of a device. The attributes assigned to a device are used to determine the applicability of a defect check, the result domain of a defect check, or create the appropriate desired state specification for a defect check associated with that device. Current state of a device role authorization. States can be pending, authorized, suspended, expired, or revoked. D/As may have multiple hierarchies; the hierarchy that the device role is associated with must be identified to understand association and inheritance. This attribute will be Boolean and indicate to the capability whether the device role is part of a hierarchy or not. The attribute will dictate to the capability if inheritance based on the device role needs to be considered. For CDM, a specific file in persistent memory that can be loaded into active memory and executed by the CPU. The policy that defines the requirements for when an asset s authorization expires. Examples include a piece of software is authorized for use in the enterprise for 2 years or device role authorizations are good for 3 years. List of software not authorized, but not explicitly prohibited. List of executables that are known to be malicious, fraudulent, or harmful. List of software products prohibited by policy. This enables a D/A to limit the versions of a software product that are authorized for use in the environment. 9 http://nvd.nist.gov/cpe.cfm 7

Term Scoring Software Software Asset Management (SWAM) capability Software identification tag (SWID) Software Authorization Status Software product Whitelist Definition The process of calculating the risk points for a defect. Identified defects will be scored based on the amount of perceived risk they create. The CDM program will be providing a scoring system that is generic across D/As. Each D/A may adapt this with additional D/A specific information to better prioritize defects for action. For CDM, software includes firmware, basic input/output systems (BIOS), operating systems, applications, services, and malware such as rootkits, trojans, viruses, and worms. The CDM capability that ensures unauthorized and/or unmanaged software is 1) identified, 2) authorized, and 3) assigned for management, or 4) removed before it can be exploited compromising confidentiality, integrity, and availability. Software ID tags provide authoritative identifying information for installed software or other licensable item. 10 Current state of a software product authorization. States can be pending, authorized, suspended, expired, or revoked. The level of abstraction by which software is typically licensed, listed in registries during installation, and executed by users. Software products are roughly equivalent to the software identified by the NIST Common Product Enumeration (CPE) codes, and also by the ISO SWIDs. List of authorized software for a D/A or device. 10 ISO/IEC 19770-2: Software identification tag 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information