Safeguard 3.2 ensures that organizations implement structured, defensible practices for retaining and disposing of data. Every enterprise accumulates vast amounts of information—some vital for business continuity, and some obsolete or redundant. Retaining data indefinitely increases both storage costs and security exposure. Attackers often exploit forgotten archives and unsecured backups because they contain sensitive information outside normal monitoring. This safeguard requires defining minimum and maximum retention periods based on business needs, legal obligations, and regulatory standards. Data that exceeds these limits must be securely destroyed or sanitized using approved methods such as cryptographic erasure or physical destruction. A consistent retention policy helps organizations comply with privacy laws, reduce litigation risks, and limit damage from potential breaches by minimizing the volume of sensitive data available to adversaries.
Implementing effective data retention and disposal begins with mapping data to its owners and understanding its purpose. Each category defined under the organization’s classification scheme should have corresponding retention rules, with automatic enforcement wherever possible. Backup systems, archives, and file repositories should be regularly reviewed to ensure that expired data is removed according to policy. Secure disposal procedures must be auditable, verifiable, and proportional to data sensitivity—for instance, overwriting disks for general data or degaussing media that once contained highly confidential information. Integration with cloud providers is also essential, as virtual storage environments often replicate or retain data beyond immediate visibility. Training staff on these policies ensures that manual actions, such as deleting project files or transferring records, are handled responsibly. Ultimately, this safeguard transforms data management from passive accumulation into active stewardship, aligning security, privacy, and operational efficiency under one disciplined framework.
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
Episode Transcript
Software Discovery and Catalog, where we continue our exploration of software asset management by focusing on how to detect, collect, and catalog every program and component across your environment. Discovery is the heartbeat of software control. It connects technical reality—the applications actually running on your systems—to your official inventory. Without a reliable discovery process, approved software lists become guesswork, and security updates become reactive rather than proactive. In this episode, you will learn how to gather discovery data from endpoints, servers, and cloud platforms, how to normalize it, and how to keep your catalog accurate through continuous updates.
(00:43):
Software discovery begins with identifying every location where code can reside and execute. Unlike hardware, software may exist invisibly—embedded within containers, virtual images, or browser sessions. A modern organization might run hundreds of applications, each with unique installation methods and update paths. Effective discovery ensures you capture them all, no matter how transient. It combines multiple data sources, each observing a different layer of the environment. Together, these feeds provide a full picture of your operational landscape, enabling you to manage risk, licensing, and compliance with precision.
(01:22):
Endpoint agents are often the foundation of software discovery. Many operating systems and security suites already include built-in agents capable of enumerating installed programs. These agents scan local file systems, registry entries, and installation databases, then report findings back to a central console. They can detect application versions, publishers, and installation paths. For example, a configuration management or endpoint protection agent can list all executables on a machine within minutes. The advantage of this method is completeness—every installed package is visible at the device level, and the information refreshes automatically when updates occur or new applications appear.
(02:04):
Operating system package managers provide another dependable source of truth. Querying Windows Installer, Debian’s Advanced Package Tool, Red Hat’s RPM database, or macOS system utilities can reveal software installed through standard channels. These queries also show version numbers and installation dates, making it easier to track patch levels. Because package managers record installation and removal events, they serve as historical records too. However, not all software installs through official channels, so package manager data should be combined with other sources to fill gaps. When used consistently, it becomes a key pillar of your discovery process.
(02:44):
Application management platforms—such as mobile device management systems or enterprise app stores—offer yet another layer of visibility. These platforms track what software is distributed to users, how it is installed, and whether it remains compliant with policy. They can enforce the use of approved apps and automatically remove unapproved ones. For example, an M D M solution can provide a real-time list of mobile apps installed across company-issued devices, including version and compliance status. Integrating these lists with your primary inventory prevents blind spots caused by remote or mobile endpoints.
(03:21):
Cloud templates and image catalogs expand discovery beyond physical or on-premises systems. Each virtual machine image or infrastructure template includes pre-installed software that becomes part of your operational environment the moment it is deployed. Maintaining a catalog of these templates ensures that every cloud instance starts from a verified baseline. Regularly scanning cloud images for outdated or unauthorized packages helps keep your environment secure even before systems are provisioned. Linking this information to your configuration management records also ensures consistency between cloud and on-premises deployments.
(03:58):
Container registries and build pipelines are essential sources in modern development environments. Containers encapsulate software, dependencies, and configurations in portable units that can multiply rapidly across clusters. Registries store these images, while build pipelines define how they are created. Scanning registries for image contents and comparing them to your approved software list ensures that no unauthorized components enter production. Embedding checks directly into build pipelines—such as verifying libraries or licenses—creates a proactive discovery process that prevents vulnerabilities from propagating before deployment.
(04:36):
Software as a Service, or SaaS, applications introduce unique discovery challenges because they are hosted externally. The most reliable approach is to review administrative portals, which list all active users, integrations, and modules. Some SaaS providers offer exportable reports of application configurations and plugin usage. Cross-referencing these records with your identity provider ensures that subscriptions and access rights align with business needs. Discovery at this layer captures cloud applications that never touch your internal systems but still process critical enterprise data.
(05:12):
Identity provider application assignment lists are another valuable feed. Modern identity platforms such as Azure Active Directory or Okta maintain records of all integrated applications—both on-premises and SaaS. These records reveal which users have access, what permissions are granted, and which single sign-on connections exist. By exporting and analyzing these lists, you can identify applications that bypass normal approval channels or have inactive accounts. Integrating this data with your inventory creates an authoritative catalog that ties application usage directly to user identities and governance policies.
(05:52):
Browser extension inventory and control may seem minor but can represent significant risk. Extensions often run with the same permissions as the browser itself, and malicious or outdated ones can compromise data security. Enterprise browsers and management tools can list installed extensions per user or per device, including names, publishers, and version numbers. Reviewing and maintaining this list helps enforce deny-list policies and supports compliance requirements. Browser-level visibility also reinforces user awareness, showing that software control extends beyond installed applications to all executable code environments.
(06:34):
Normalizing names, versions, and vendor information is crucial once discovery data is collected. Different tools may describe the same software differently—for example, one listing “Microsoft Edge,” another “Edge Browser,” and a third “msedge.exe.” Normalization aligns these entries to a single standardized naming convention. It also ensures version numbers use consistent formatting and that vendor names match known entities. Normalization allows automated reporting and reduces duplication. Without it, discovery data quickly becomes fragmented, obscuring trends and confusing audits.
(07:12):
Establishing unique identifiers and mapping rules ensures consistency across your catalog. Each software entry should have a unique ID, linking it to corresponding hardware, users, and controls. Mapping rules specify how data from multiple sources combine—such as matching software names across systems or reconciling version discrepancies. These rules act as the glue holding the catalog together, enabling seamless integration between vulnerability management, patching, and compliance reporting systems. Over time, they also make automation easier by defining exactly how new discoveries flow into your inventory.
(07:50):
Scheduling rescans and delta reviews keeps your catalog current and trustworthy. Delta scans identify what has changed since the last cycle—new installations, updates, or removals—and trigger alerts for anomalies. Frequency depends on environment volatility; fast-changing environments may scan daily, while stable ones may scan weekly or monthly. Regular review meetings ensure that anomalies are addressed quickly and that stale entries are pruned. This discipline transforms discovery from a project into a living process, continuously verifying that your records reflect operational truth.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.