Overview:
Control and monitor user-installed software.
Action Items:
3.4.9[a]
Determine if: a policy for controlling the installation of software by users is established.
3.4.9[b]
Determine if: installation of software by users is controlled based on the established policy.
3.4.9[c]
Determine if: installation of software by users is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: Configuration management policy; procedures addressing user-installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user-installed software; system monitoring records; system audit logs and records; continuous monitoring strategy; other relevant documents or records.
2) Interview: Personnel with responsibilities for governing user-installed software; personnel operating, using, or maintaining the system; personnel monitoring compliance with user-installed software policy; personnel with information security responsibilities; system or network administrators.
3) Test: Organizational processes governing user-installed software on the system; mechanisms enforcing rules or methods for governing the installation of software by users; mechanisms monitoring policy compliance.
Related Documents (document name and content will vary by organization):
1) Configuration management policy
2) Procedures addressing user-installed software
3) Configuration management plan
4) System security plan
5) System design documentation
6) System configuration settings and associated documentation
7) List of rules governing user-installed software
8) System monitoring records
9) System audit logs and records
10) Continuous monitoring strategy
11) Other relevant documents or records
Additional Guidance:
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation.
Permitted software installations include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
Article ID: 148
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-user-installed-software-3-4-9-148.html