CIS Control 2: Inventory and Control of Software Assets

Home  »  Blog  »  Cyber Security  »  CIS Control...

By Bill Minahan   |   January 25, 2021   |   0 Comments

CIS Control 6

CIS Control 2: Inventory and Control of Software Assets

What is CIS Control 2?

CIS Control 2 is the second control within a framework of 20 critical controls. The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.

CIS Control 2 focuses on actively managing (inventory, track, correct) all software on the network so that only authorized software is installed and able to execute. Likewise, all unauthorized and unmanaged software is found and prevented from installation and execution.

Essentially, CIS Control 2 calls for you to be aware of what software is on your system, who installed it, and what it does. The control focuses on the need for awareness of what is running on your systems and network, as well as the need for internal inventory management. That way, if anything were to ever happen, your team would be able to easily identify and remove software that is not on your inventory list.

When done right, it reduces insider threat and loss risks, cleans up your IT environment, and provides greater visibility and organization to your network.

Why is this CIS Control critical?

The CIS Controls are based on actionable guidance from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.

Attackers continuously target organizations that are running vulnerable versions of software that they can exploit remotely.

Furthermore, some attackers also distribute documents, media files, hostile web pages, and other malicious content via their own web pages or otherwise trustworthy third-party sites. If unsuspecting users access this content with a vulnerable browser then attacks can compromise their machines. Then, attackers often install backdoor programs and bots that give them long-term, undetected control of the system.

Once an attacker exploits a single machine, they often use it to gather sensitive information about the corporation, the compromised system, as well as any other systems connected to it.

Therefore, without complete knowledge or control of the software deployed in an organization, defenders can not properly secure their assets or identify software that should not be there. Or worse, might be malicious.

Managed control of all software also plays a critical role in planning and executing system back up, incident response, and recovery. As a result, it strengthens multiple aspects of your cyber security posture and is worthwhile for your team to implement.

The following is a complete list of all the sub-controls for CIS Control 2:

How to Implement CIS Control 2


Asset Type

Security Function

Control Title

Control Descriptions


Applications Identify Maintain Inventory of Authorized Software Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.



Applications Identify Ensure Software Is Supported by Vendor  

Ensure that only software applications or operating systems currently supported/ receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged in the inventory system.


Applications Identify Utilize Software Inventory Tools  

Utilize software inventory tools throughout the organization to automate the documentation of all software.


Applications Identify Track Software Inventory Information  

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.


Applications Identify Integrate Software and Hardware Asset Inventories  

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.


Applications Respond Address Unapproved Software  

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.


Applications Protect Utilize Application Whitelisting  

Utilize application whitelisting technology to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets.


Applications Protect Implement Application Whitelisting of Libraries  

The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.


Applications Protect Implement Application Whitelisting of Scripts  

The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.


Applications Protect Physically or Logically Segregate High Risk Applications  

Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.


Implementing CIS Controls

If your team is struggling to implement CIS Control 2 and could use the assistance of a third-party security provider, then aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation. We will help you understand the CIS Controls as well as help with any of the heavy lifting you may be looking to outsource.

If you are interested, then please contact us below.

Contact Us

Furthermore, if you are looking for more information, check out our resource center here.

Finally, you can always find us on TwitterLinkedIn, and Facebook.

Category: Cyber Security