BIZOPS-56 – Authorized Software List


What is this control really about?

An “Authorized Software List”, also known as a Software Whitelist, is a control mechanism that restricts the installation and execution of software applications to a predefined list of approved software.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them.

Asset Panda

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

  • N/A (no templates)

Control implementation

Step-by-step guide on how to implement the “Authorized Software List” control within an organization. Here are the key steps to follow:

  • Identify Stakeholders: Identify the key stakeholders involved in the software authorization process. This may include representatives from IT, security, procurement, and business units. Establish clear communication channels and define their roles and responsibilities in the implementation of the control.
  • Define Software Approval Criteria: Establish clear criteria and guidelines for approving software to be included in the Authorized Software List. Consider factors such as security, functionality, compatibility, vendor reputation, and licensing compliance. Ensure the criteria align with the organization’s IT strategy, security policies, and business requirements.
  • Conduct Software Inventory: Perform a comprehensive inventory of the software currently in use within the organization. Identify all installed applications across the network, endpoints, and servers. This will serve as the starting point for evaluating which software should be included in the Authorized Software List.
  • Assess Software Suitability: Evaluate the suitability of each software application based on the defined approval criteria. Determine if the software meets security standards, licensing requirements, and functional needs. Assess its compatibility with existing systems and potential risks associated with its use.
  • Define Authorized Software List: Create a documented Authorized Software List that includes the approved software applications. This list should clearly state the name of each approved software, version numbers, vendors, and any specific usage restrictions or requirements. Ensure the list is easily accessible to relevant stakeholders.
  • Establish Software Request and Approval Process: Define a process for requesting and approving new software additions or updates to the Authorized Software List. This process should include steps for submitting requests, reviewing the requests against the defined criteria, and obtaining approvals from the appropriate stakeholders. Document the process and ensure its integration with existing change management and procurement processes.
  • Communicate the Authorized Software List: Communicate the existence and importance of the Authorized Software List to all employees and relevant stakeholders. Raise awareness of the control and the need to adhere to the list. Clearly communicate the consequences of using unauthorized software and the proper channels for requesting additions or changes to the list.
  • Implement Software Deployment Controls: Implement controls to enforce the use of the Authorized Software List during software deployment. This may include technical measures such as endpoint protection tools, application control solutions, or Group Policy restrictions. These controls should prevent the installation or execution of software not included in the Authorized Software List.
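To show how the inventory and assessment steps above can be reconciled against the documented list before enforcement is switched on, here is an added Python example (not TrustCloud's or any vendor's code); the software names, versions, vendors and hosts are constructed samples:

```python
# Added example (not TrustCloud's tooling): reconcile an endpoint software
# inventory against an Authorized Software List. All names/versions are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Approved:
    vendor: str
    versions: frozenset      # approved version numbers, exact match
    restriction: str = ""    # usage restriction recorded on the list, if any

# Constructed Authorized Software List, keyed by lower-case software name
AUTHORIZED = {
    "notepad++": Approved("Notepad++ Team", frozenset({"8.6.2", "8.6.4"})),
    "7-zip": Approved("Igor Pavlov", frozenset({"23.01"})),
    "wireshark": Approved("Wireshark Foundation", frozenset({"4.2.3"}),
                          restriction="security team endpoints only"),
}

# Constructed inventory export: (host, software name, version, vendor)
INVENTORY = [
    ("ws-041", "Notepad++", "8.6.4", "Notepad++ Team"),     # fully approved
    ("ws-041", "7-Zip", "22.01", "Igor Pavlov"),            # version not approved
    ("ws-077", "Wireshark", "4.2.3", "Wireshark Foundation"),  # approved, restricted
    ("ws-077", "CoolToolbar", "1.0", "Unknown Publisher"),  # not on the list
    ("ws-090", "Notepad++", "8.6.2", "Somebody Else"),      # vendor mismatch
]

def reconcile(inventory, authorized):
    """Return (host, software, reason) for every row that deviates from the list.

    Fully approved rows yield nothing; approved software carrying a usage
    restriction is reported so a reviewer can confirm the host is in scope.
    """
    findings = []
    for host, name, version, vendor in inventory:
        entry = authorized.get(name.lower())
        if entry is None:
            findings.append((host, name, "not on Authorized Software List"))
        elif vendor != entry.vendor:
            findings.append((host, name, f"vendor mismatch: {vendor}"))
        elif version not in entry.versions:
            findings.append((host, name, f"version {version} not approved"))
        elif entry.restriction:
            findings.append((host, name, f"restricted: {entry.restriction}"))
    return findings

if __name__ == "__main__":
    for host, name, reason in reconcile(INVENTORY, AUTHORIZED):
        print(f"{host}\t{name}\t{reason}")
```

The findings list doubles as evidence that the inventory was checked against the list; rows with no finding are the installs the deployment controls should continue to permit.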

What evidence is the auditor looking for?

At a minimum, most auditors look for the following evidence:

  • Authorized Software List: A documented list that clearly outlines the software applications approved for installation and use within the organization. This list should include the names of authorized software, version numbers, vendors, and any specific restrictions or requirements. The list should be up to date and easily accessible to relevant stakeholders.

Evidence example

For the suggested action, an example is provided below:

  • Authorized Software List
