Inventory and Control of Software Assets


Safeguard 2 - Inventory and Control of Software Assets


2.1 - Establish and Maintain a Software Inventory

  1. Maintain a list of applications used by your department. The application list should at least include the following details.

    • What is the purpose of the application?
    • What is the risk classification of the application (low, medium, or high)?
    • Who is responsible for maintaining the application (name, email, and phone number)?
  2. Send the IT Security Office a list of high risk applications and their URLs (if applicable).

  3. Update the application list annually.

2.2 - Ensure Authorized Software is Currently Supported

  1. If software is discovered that is unsupported yet necessary for normal operation of the enterprise:

    • This software should be documented
    • The software controls and risks should be documented
  2. If software is discovered that is not supported and has no exception documented:

    • Designate this software as Unauthorized
  3. Review and update your software list at least monthly, or more frequently

2.3 - Address Unauthorized Software

If unauthorized software is discovered

  • Ensure the software is removed
  • If not removed, make sure it has received the proper documented exception
  • Review monthly, or more frequently
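
The rules in 2.1 through 2.3 can be checked automatically against a department's application list. The script below is an added example, not part of the original procedure or any VT tooling; the CSV column names, the sample rows, the audit date, and reading "monthly" as 31 days (applied to unsupported entries) are assumptions.

```python
import csv
import io
from datetime import date

REQUIRED = ("name", "purpose", "risk", "owner_name", "owner_email", "owner_phone")
REVIEW_DAYS = 31  # assumption: "monthly" read as at most 31 days between reviews

# Constructed sample inventory; the column names are assumptions, not a VT format.
SAMPLE_CSV = """\
name,purpose,risk,owner_name,owner_email,owner_phone,url,supported,exception_documented,last_reviewed
PayrollWeb,Payroll processing,high,A. Admin,admin@example.edu,555-0100,https://payroll.example.edu,yes,no,2024-05-20
LabScope 3,Drives legacy microscope,medium,B. Tech,tech@example.edu,555-0101,,no,yes,2024-03-01
OldFTP,File transfer,low,C. User,user@example.edu,555-0102,,no,no,2024-05-28
NoteTool,Note taking,low,,,,,yes,no,2024-05-30
"""

# Parse the inventory CSV into a list of dict rows, one per application.
def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def status(row):
    """2.2 rules: authorized, (documented) exception, or unauthorized."""
    if row["supported"].strip().lower() == "yes":
        return "authorized"
    if row["exception_documented"].strip().lower() == "yes":
        return "exception"
    return "unauthorized"

def audit(rows, today):
    """Return {application name: [issues]} for entries needing action."""
    findings = {}
    for row in rows:
        issues = [f"missing {f}" for f in REQUIRED if not row[f].strip()]
        state = status(row)
        if state == "unauthorized":
            issues.append("unauthorized: remove or document an exception")
        age = (today - date.fromisoformat(row["last_reviewed"])).days
        if state != "authorized" and age > REVIEW_DAYS:
            issues.append(f"review overdue by {age - REVIEW_DAYS} days")
        if issues:
            findings[row["name"]] = issues
    return findings

def high_risk_report(rows):
    """2.1 step 2: (name, URL) pairs to send to the IT Security Office."""
    return [(r["name"], r["url"]) for r in rows if r["risk"].lower() == "high"]

if __name__ == "__main__":
    for name, issues in audit(load_inventory(SAMPLE_CSV), date(2024, 6, 15)).items():
        print(name, "->", "; ".join(issues))
```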

2.4 - Utilize Automated Software Inventory Tools


Windows offers a software inventory solution via the Configuration Manager. To access this tool, do the following.

  1. Open the Configuration Manager console

  2. Select Administration -> Client Settings -> Default Client Settings

  3. Next, choose Software Inventory

  4. Within the Device Settings list, you can configure the following

    • Enable software inventory on clients
    • Schedule software inventory and file collection

VT Enterprise Endpoint Management

VT Enterprise Endpoint Management tools such as BigFix and MDE have software inventory capabilities.

2.5 - Allowlist Authorized Software

This step is under construction.

2.6 - Allowlist Authorized Libraries

This step is under construction.


If you have questions that are not covered in these procedures, please contact the VT IT Security Office for a consultation.