Now that we can measure what's connected to our organization, let's see what's running (installed). As with the previous posts, we're going to initially focus on our local systems.
Consider what is running in your environment. The obvious things are productivity applications such as MS Office, collaboration software, and web browsers. Speaking of web browsers, what about plug-ins and extensions? Also consider any hardware-enabling drivers, their supporting apps, and of course all of your security software. You're probably thinking that this list is getting big.
But wait, there's more! The two most important bits of software have yet to be mentioned: the computers' operating systems (OS) and firmware (BIOS). The OS probably just slipped your mind but you probably didn't consider the BIOS. Without a working BIOS, your computer is just a mess of metal and electronic circuits. It is the firmware which turns that pile of stuff into a computer, and enables the OS to load and run. And yes, you really need to manage the firmware along with everything else. Don't worry though, there is an app for that!
Let's recap the various bits of software that we should be measuring:
- BIOS/firmware
- Operating Systems
- Drivers and hardware enablers
- Applications
- Application add-ons, e.g. Browser Helper Objects
The more versions and variations of these, the greater the risk from misconfigurations, vulnerabilities and exploitation, and the greater the effort and time required to manage them. Therefore we want to have as few of these as possible while still allowing the business to function, i.e. establish a common operating environment (COE).
A common operating environment's benefits include but are not limited to:
- Increased efficiency and productivity
- Reduced costs
- Improved collaboration and communication
- Enhanced security and compliance
In terms of metrics, here are some to get you started. For simplicity with this list, we'll refer to all items in the previous list as apps. Minimize these for best results; there are bonus points for breaking them down by business unit.
- # of different app versions
- # of end-of-life/end-of-support apps
- # of unauthorized / non-COE apps
- # of authorized / COE apps not used in the last n-months
- # of system deviations from COE standard
- # of systems with COE exceptions or extensions
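As an added illustration (not part of the original post), here is one way to compute these six metrics from a software inventory export, overall and per business unit. The app names, hosts, versions, dates, baseline and exceptions register are all constructed sample data, and the function names are hypothetical.

```python
from datetime import date

# Constructed COE baseline: app -> approved versions and end-of-support versions.
COE = {
    "OfficeSuite": {"approved": {"16.0"}, "eol": {"14.0"}},
    "Browser":     {"approved": {"128.0"}, "eol": set()},
    "DiagramTool": {"approved": {"16.0"}, "eol": set()},
}
EXCEPTIONS = {"pc-03"}  # constructed register of hosts with a COE exception
# Constructed inventory rows: (host, business unit, app, version, last used).
INVENTORY = [
    ("pc-01", "Finance", "OfficeSuite",   "16.0",  date(2024, 5, 30)),
    ("pc-01", "Finance", "Browser",       "128.0", date(2024, 6, 1)),
    ("pc-01", "Finance", "DiagramTool",   "16.0",  date(2023, 9, 12)),
    ("pc-02", "Finance", "OfficeSuite",   "14.0",  date(2024, 5, 28)),
    ("pc-02", "Finance", "TorrentClient", "3.6",   date(2024, 4, 2)),
    ("pc-03", "Sales",   "OfficeSuite",   "16.0",  date(2024, 6, 2)),
    ("pc-03", "Sales",   "Browser",       "115.0", date(2024, 6, 2)),
]

def coe_metrics(rows, today, n_months=6):
    """Return the six COE metrics for the given inventory rows."""
    versions, eol, unauthorized, deviating, last_used = set(), set(), set(), set(), {}
    for host, _unit, app, ver, used in rows:
        versions.add((app, ver))
        entry = COE.get(app)
        if entry is None:                     # app is not in the COE at all
            unauthorized.add(app)
            deviating.add(host)
            continue
        if ver in entry["eol"]:
            eol.add((app, ver))
        if ver not in entry["approved"]:      # COE app, but not an approved version
            deviating.add(host)
        last_used[app] = max(used, last_used.get(app, used))
    # Assumption: "n months" is n * 30 days; an app is unused only if no install was used.
    stale = {a for a, d in last_used.items() if (today - d).days > n_months * 30}
    return {
        "app_versions": len(versions),
        "eol_apps": len(eol),
        "unauthorized_apps": len(unauthorized),
        "unused_coe_apps": len(stale),
        "deviating_systems": len(deviating),
        "systems_with_exceptions": len({r[0] for r in rows} & EXCEPTIONS),
    }

def by_business_unit(rows, today, n_months=6):
    """Same metrics, computed separately for each business unit."""
    units = sorted({r[1] for r in rows})
    return {u: coe_metrics([r for r in rows if r[1] == u], today, n_months) for u in units}

if __name__ == "__main__":
    today = date(2024, 6, 15)  # fixed date so the sample output is reproducible
    print(coe_metrics(INVENTORY, today))
    print(by_business_unit(INVENTORY, today))
```

Tracking these numbers over time shows whether the environment is converging on the COE or drifting away from it.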