Control 2 Mapping to the NIST Cybersecurity Framework
9 hours 54 minutes
Hey, everyone, welcome back to the course. So in the last video, we took a look at our introduction to Control number 2, which was Inventory and Control of Software Assets. In this video, we're gonna go ahead and map Control number 2 to the NIST Cybersecurity Framework again.
So first we have our sub-control 2.1, which covers maintaining the inventory of authorized software. So we want to make sure that things that are installed are actually things that we want to be installed on our endpoints.
And this maps to NIST Cybersecurity Framework ID.AM-2.
Sub-control 2.2: this is ensuring the software is actually supported by a vendor. In fact, with my background in health care, one of the major issues we kept having was that many vendors would push out software and then no support, right? No maintenance, no support. In fact, a lot of those companies would go out of business. So what do you do? That's why there's a lot of outdated software on your traditional health care organization's network.
Sub-control 2.3: utilizing software inventory tools. So rather than us physically going to every single machine on our network, which is impractical when you've got thousands of devices, and looking at what software's on them, we can utilize the power of software tools to actually take account of that inventory for us.
Sub-control 2.4: that's where we're talking about tracking the software inventory information. So what is the software used for? Why are we using it? As well as, what's the overall goal with it, right? What's the overall purpose or benefit to the organization from using this particular software?
Sub-control 2.5: this is where we're talking about the integration with the software and hardware asset inventory. So we identify those physical systems, right, those hardware systems, and then what software systems are running on those.
Sub-control 2.6: we're addressing unapproved software. So this is where it may not necessarily be malicious software. It might just be that someone's downloading software that they shouldn't be using. For example, let's just say somebody is downloading a YouTube app on a company mobile device, right? Yes, they're just watching videos with it, but that is an entry point that could be used by a malicious actor, so it's not approved by the company. But it's not necessarily a directly malicious type of software.
Sub-control 2.7: this is where we're talking about utilizing application whitelisting. So if we don't trust that application, or if we're not using it, let's create a whitelist. That way, only those things can get in; only those applications can be used.
Sub-control 2.8 is where we're talking about the implementation of application whitelisting of specific libraries. So we want to make sure that we're only using libraries approved by our organization.
Sub-control 2.9: we're talking about the whitelisting of specific scripts, right? So again, making sure that the scripts that are running are only the ones that we want running. Is all this stuff 100%? No, of course not, right? But these are measures that your organization can take if applicable.
Sub-control 2.10: so this is where we're talking about the physical or logical segregation of high-risk applications. You'll notice that the mapping to the NIST Cybersecurity Framework here is blank, right? That's just got an N/A, because there's not really a direct match there. There is some talk in the cybersecurity framework about things like physical security, right? Physical access control. But here there's really not a direct one-to-one match.
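The sub-controls walked through above (an authorized inventory in 2.1, vendor support in 2.2, tool-collected installs in 2.3, unapproved software in 2.6, application whitelisting in 2.7 and script whitelisting in 2.9) can be tied together in a small reconciliation check. The following Python is an added example, not code from the course or from CIS; the hosts, package names, vendors, support dates and script content are all constructed sample data, and the function names are my own.

```python
"""Reconcile installed software against an authorized inventory (CIS Control 2).

Added example, not from the course. Everything below is constructed sample data:
an authorized inventory (2.1/2.2/2.4), per-host installs as an inventory tool
would report them (2.3), and an approved-script hash set (2.9).
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthorizedEntry:
    name: str
    vendor: str
    owner: str                      # who uses it and why (2.4 tracking)
    support_ends: Optional[date]    # None = vendor has announced no end of support


# Authorized software inventory (2.1): constructed sample data.
AUTHORIZED: Dict[str, AuthorizedEntry] = {
    "vpn-client": AuthorizedEntry("vpn-client", "ExampleVendor", "IT", date(2027, 1, 1)),
    "office-suite": AuthorizedEntry("office-suite", "ExampleVendor", "Finance", None),
    "legacy-imaging": AuthorizedEntry("legacy-imaging", "DefunctCo", "Radiology", date(2019, 6, 30)),
}

# What an inventory tool (2.3) reported per host: constructed sample data.
INSTALLED: Dict[str, List[str]] = {
    "ws-001": ["vpn-client", "office-suite", "videoplayer"],
    "ws-002": ["vpn-client", "legacy-imaging"],
}

# Approved scripts are identified by SHA-256 of their content (2.9): constructed.
APPROVED_SCRIPT_HASHES = {hashlib.sha256(b"#!/bin/sh\necho nightly backup\n").hexdigest()}


def classify(software: str, authorized: Dict[str, AuthorizedEntry], today: date) -> str:
    """Return 'ok', 'unapproved' (2.6) or 'unsupported' (2.2) for one installed package."""
    entry = authorized.get(software)
    if entry is None:
        return "unapproved"          # installed but absent from the authorized inventory
    if entry.support_ends is not None and entry.support_ends < today:
        return "unsupported"         # vendor support has already ended
    return "ok"


def reconcile(installed: Dict[str, List[str]],
              authorized: Dict[str, AuthorizedEntry],
              today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every package on every host; rows are sorted for stable output."""
    return {host: sorted((pkg, classify(pkg, authorized, today)) for pkg in pkgs)
            for host, pkgs in installed.items()}


def findings(report: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Only the rows that need action: (host, package, status) where status != 'ok'."""
    return [(host, pkg, status)
            for host, rows in report.items()
            for pkg, status in rows if status != "ok"]


def build_allowlist(authorized: Dict[str, AuthorizedEntry], today: date) -> List[str]:
    """Application whitelist (2.7): authorized entries that are still vendor-supported."""
    return sorted(name for name, e in authorized.items()
                  if e.support_ends is None or e.support_ends >= today)


def script_is_allowed(content: bytes) -> bool:
    """Script whitelist (2.9): a script runs only if its content hash is approved."""
    return hashlib.sha256(content).hexdigest() in APPROVED_SCRIPT_HASHES


if __name__ == "__main__":
    today = date(2024, 1, 1)   # fixed date so the demo output is reproducible
    for host, pkg, status in findings(reconcile(INSTALLED, AUTHORIZED, today)):
        print(f"{host}: {pkg} is {status}")
    print("allowlist:", build_allowlist(AUTHORIZED, today))
    print("backup script allowed:", script_is_allowed(b"#!/bin/sh\necho nightly backup\n"))
    print("edited script allowed:", script_is_allowed(b"#!/bin/sh\necho nightly backup; rm -rf /tmp\n"))
```

Run it as a script to see the two findings (an unapproved video player on ws-001 and an end-of-support imaging package on ws-002), the resulting allowlist, and that a script whose content has changed no longer matches its approved hash. In practice the `INSTALLED` dictionary would be fed by the inventory tool's export and `AUTHORIZED` by the asset register, so the same check runs unchanged as those grow.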
So in this video, we just talked through the mapping for CIS Control number 2, which again is Inventory and Control of Software Assets. In the next module, we're gonna take a look at Continuous Vulnerability Management.