CIS Control 4.6: Securely Manage Enterprise Assets and Software
CIS Control 4.6 requires organizations to implement secure management practices for all enterprise assets and software across their infrastructure. For SMBs, this means adopting configuration management through infrastructure-as-code and enforcing secure protocols like SSH and HTTPS for all administrative access. This control directly reduces your attack surface and ensures your technical environment remains auditable and compliant.
What this means
Secure asset and software management means treating your infrastructure configuration as code, version-controlled, and centrally managed. All administrative access—whether to servers, applications, or management consoles—must occur over encrypted, authenticated channels. This approach prevents unauthorized changes, maintains audit trails, and ensures consistency across your environment.
How to comply
- 1.Implement infrastructure-as-code (IaC) tools like Terraform or CloudFormation to codify all asset configurations
- 2.Store all configuration files in a version-controlled repository (Git, GitHub, GitLab) with change tracking and approval workflows
- 3.Disable insecure administrative protocols (Telnet, HTTP, unencrypted SSH); enforce HTTPS and SSH with key-based authentication
- 4.Enforce strong SSH key management: use key pairs instead of passwords, rotate keys regularly, store private keys securely
- 5.Document and maintain an inventory of all enterprise assets, including hardware, software, and cloud resources
- 6.Implement configuration management tools (Ansible, Chef, Puppet) to automatically deploy and enforce consistent configurations
- 7.Enable audit logging on all administrative access and configuration changes; retain logs for compliance review
- 8.Regularly test your IaC and configuration management processes to ensure they deploy correctly and securely
Evidence auditors look for
- Git repository logs showing version history of infrastructure configuration files with commit messages and reviewer approvals
- IaC pipeline output demonstrating automated deployment of configurations to test and production environments
- SSH key inventory documenting key rotation dates, authorized users, and removal of deprecated keys
- Network firewall rules or security group configurations restricting administrative access to SSH (port 22) and HTTPS (port 443) only
- Configuration management tool reports (Ansible playbook runs, Chef converge logs) showing successful application of configurations
- Audit logs from servers and cloud platforms showing all SSH logins, HTTPS administrative console access, and configuration changes
- Asset inventory spreadsheet or CMDB listing all servers, applications, and their managed configuration status
- Documentation of your configuration management process, including change control, testing, and rollback procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates asset inventory tracking and configuration monitoring, generating audit-ready evidence of SSH/HTTPS enforcement and IaC deployment logs to streamline CIS 4.6 compliance proof.
See how GRCWatch handles this control automatically
Start free trial