AuditRubric
id-am-2 · high · Identify / Asset Management

Inventories of software assets are maintained

Unmanaged software is a primary attack vector. Outdated packages, unlicensed tools, and shadow IT all expand your attack surface silently. A software inventory lets you enforce approved applications, detect unauthorized installs, and respond quickly when a vulnerability is disclosed in a dependency you actually use.

Estimated effort: 3h
Tags: inventory, assets, software, sbom, saas
Complete first: id-am-1

Implementation steps

  1. Inventory installed applications on endpoints

     Use your MDM to generate a report of all applications installed across managed devices. Flag anything not on your approved software list.

     Tools: jamf, kandji, microsoft-intune

  2. Inventory SaaS tools in use

     Review SSO provider app assignments, credit card statements, and browser extension installs. Many SaaS tools are adopted without IT approval; this step surfaces shadow IT.

     Tools: okta, google-workspace, nudge-security

  3. Inventory software dependencies in your codebase

     Run a software composition analysis tool against your repositories to generate a software bill of materials (SBOM) for each service. This is what you reference when a CVE drops.

     Tools: dependabot, snyk, grype, trivy

  4. Establish an approved software list

     Document which applications are approved for use by employees. Communicate it during onboarding and review it quarterly.
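As an added example that is not part of this rubric, the following Python check shows what step 3's SBOMs are for: given a CycloneDX SBOM per service and an advisory, it lists which services ship an affected version of the named package. The service names, SBOM fragments, advisory id and version range are all constructed for illustration.

```python
# Constructed CycloneDX 1.4 SBOM fragments for two hypothetical services, trimmed
# to the fields this check needs (real ones come from grype, trivy or syft).
SBOMS = {
    "billing-api": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "purl": "pkg:pypi/urllib3@1.26.5"},
    ]},
    "reporting-job": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "purl": "pkg:npm/@babel/core@7.22.0?arch=x64"},
    ]},
}

# Hypothetical advisory with a placeholder id (not a real CVE). The affected range
# is simplified to "every version below fixed_in"; real advisories (OSV, GHSA)
# carry several introduced/fixed ranges, one per release branch.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi",
            "package": "urllib3", "fixed_in": "1.26.18"}

def parse_purl(purl):
    """Minimal package-URL parser returning (type, name, version); handles
    namespaced names such as npm/@scope/pkg and drops qualifiers and subpath."""
    body = purl[len("pkg:"):].split("?")[0].split("#")[0]
    head, sep, version = body.rpartition("@")
    if not sep:  # purl carries no version; caller treats it as unknown
        head, version = body, ""
    ptype, _, name = head.partition("/")
    return ptype, name, version

def parse_version(v):  # dotted numeric versions only; enough here, not semver
    return tuple(int(p) for p in v.split("."))

def affected_services(sboms, advisory):
    """Return [(service, purl)] for every component matching the advisory's
    ecosystem and package name with a version below fixed_in."""
    hits = []
    for service, sbom in sboms.items():
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # no purl: cannot match reliably, review by hand
            ptype, name, version = parse_purl(purl)
            if (ptype, name) != (advisory["ecosystem"], advisory["package"]):
                continue
            if version and parse_version(version) < parse_version(advisory["fixed_in"]):
                hits.append((service, purl))
    return hits

if __name__ == "__main__":
    for service, purl in affected_services(SBOMS, ADVISORY):
        print(f"{ADVISORY['id']}: {service} ships {purl}")
```

Only billing-api is reported: reporting-job carries urllib3 2.0.7, which is above the fixed version, and its npm component is in a different ecosystem.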

Evidence required

Endpoint application inventory

MDM report or export showing installed applications across managed devices.

  • Jamf software inventory report
  • Intune discovered apps export

SaaS application list

List of sanctioned SaaS tools with assigned owners.

  • Okta application dashboard screenshot
  • Spreadsheet of tools with owner and business justification

SBOM or dependency scan output

Software bill of materials or dependency scan result for each production service.

  • Snyk project report
  • Dependabot dependency graph export
  • Grype scan output

Related controls