Address Unauthorized Software
Description
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Implementation Checklist
Tool Recommendations
Unified endpoint management platform for device enrollment, software deployment, configuration, and compliance across Windows, macOS, iOS, and Android
Microsoft · Per-user/per-device subscription
Digital workspace platform combining UEM with virtual app delivery and zero-trust access for endpoint management
Broadcom (VMware) · Per-device subscription
Unified endpoint management with AI-driven automation for discovery, deployment, patching, and compliance
Ivanti · Per-device subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Malware Masquerading as Legitimate Applications
ConfidentialityUnauthorized software including remote access trojans, cryptominers, or backdoors persists on endpoints because no process exists to identify and remove them.
Shadow SaaS Data Leakage
ConfidentialityEmployees install unauthorized cloud sync clients or SaaS tools that exfiltrate corporate data to unmanaged cloud storage outside organizational visibility.
Vulnerabilities (When Safeguard Absent)
No Remediation Process for Unauthorized Software
Without a process to remove or exception unauthorized software, non-compliant and potentially malicious applications accumulate across the enterprise unchecked.
Lack of Regular Software Compliance Reviews
Unauthorized software is never flagged because no regular review cycle compares installed applications against the approved software inventory.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |