Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination of which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. 

Priority: High   

Category: Baseline Security Configurations 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS Security Groups, AWS Systems Manager
  • AWS Security Groups, AWS Network Firewall 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of Configuration Management Database (CMDB) console
  • Technical: screenshot of configuration settings
  • Technical: screenshot of firewall configurations 

Possible Technology Considerations : 

  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Identity & Access Management (IAM)
  • Privileged Access Management (PAM) 

What needs to be answered :  

Are only those applications, ports, and protocols necessary to provide the service of the information system configured for that system? Are systems services reviewed to determine if everything remains essential for the function of that system? 

  • Restrict Use of Nonessential Programs
    Description: This check ensures that organizations restrict the use of nonessential programs within their systems. Nonessential programs are those that are not necessary for essential organizational functions or operations. Organizations implement measures such as role-based access control, approval processes for program execution, prohibition of auto-execution, program blacklisting or whitelisting, and limiting the number of program instances executed simultaneously to restrict the use of nonessential programs.
  • Disable Unnecessary Ports, Protocols, and Services
    Description: This check verifies that organizations disable or prevent the use of unnecessary ports, protocols, and services within their systems. Unnecessary ports, protocols, and services increase the attack surface and potential vulnerabilities of the system. Organizations identify and restrict or disable protocols such as Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking that are deemed nonessential or pose security risks.

More Details:   

Nonessential programs and functions restricted by IT controls and reviewed by support staff.