Description:
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
Priority: High
Category: Identity & Access Management (IAM)
Services Associated with AWS:
- AWS Identity and Access Management (IAM), AWS Systems Manager, AWS Security Hub
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
- Technical: screenshot of groups and membership assignment
- Technical: screenshot of ITAM console
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
- Configuration Management Database (CMDB)
- IT Asset Management (ITAM)
- Event Log Monitoring
- Privileged Access Management (PAM)
- Role Based Access Control (RBAC)
What needs to be answered:
Are user controls in place to prohibit the installation of unauthorized software? Is all other software in use authorized? Are good practices that require user-installed software to only execute in a confined physical or virtual machine environment with limited privileges in place?
- Control and Monitor User-Installed Software
Description: This check ensures that organizations have implemented controls to govern and monitor user-installed software in their systems. By granting users the necessary privileges, organizations allow software installation while maintaining control over the software installed. Organizations establish policies that define permitted and prohibited actions regarding software installation, including updates and security patches from approved sources. Prohibited software installations may include software with unknown pedigrees or potentially malicious software. These policies can be organization-developed or provided by external entities. To enforce these policies, organizations use a combination of procedural and automated methods to monitor and control user-installed software.
More Details: Users are prohibited from installing software; installation must be performed by IT administrators.
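The automated side of this check ("Is all other software in use authorized?") can be answered by comparing what is actually installed on each instance against an organization-approved software list. The following is an added example, not code from the control text or from AWS: it takes application inventory records in the shape of AWS Systems Manager Inventory `AWS:Application` entries (`Name`, `Version`, `Publisher`), compares them against a constructed allowlist, and returns one finding per unapproved package or unapproved version. The allowlist, instance IDs and inventory records are constructed sample data; the optional `fetch_inventory` helper calls the real `ssm.list_inventory_entries` API and is only needed when running against live instances.

```python
"""Flag installed applications that are not on an approved-software allowlist.

Added example for the Control and Monitor User-Installed Software check.
Inventory records mirror AWS Systems Manager Inventory 'AWS:Application'
entries; the allowlist and the sample inventory below are constructed.
"""

from dataclasses import dataclass

# Constructed allowlist: package name (lowercase) -> approved versions ("*" = any).
APPROVED_SOFTWARE = {
    "amazon-ssm-agent": {"*"},
    "openssl": {"3.0.13", "3.0.14"},
    "python3": {"*"},
}

# Constructed sample in the shape of SSM Inventory AWS:Application entries,
# keyed by a constructed instance ID.
SAMPLE_INVENTORY = {
    "i-0example1": [
        {"Name": "amazon-ssm-agent", "Version": "3.3.0.0", "Publisher": "Amazon"},
        {"Name": "openssl", "Version": "3.0.13", "Publisher": "OpenSSL"},
        {"Name": "unapproved-tool", "Version": "1.0", "Publisher": "Unknown"},  # not on the list
    ],
    "i-0example2": [
        {"Name": "openssl", "Version": "1.1.1w", "Publisher": "OpenSSL"},  # version not approved
        {"Name": "python3", "Version": "3.12.3", "Publisher": "PSF"},
    ],
}


@dataclass(frozen=True)
class Finding:
    """One unauthorized-software observation, suitable for ticketing or Security Hub import."""
    instance_id: str
    name: str
    version: str
    reason: str


def is_approved(name, version, allowlist):
    """True when the package is listed and its version is approved (or any version is)."""
    versions = allowlist.get(name.lower())
    if versions is None:
        return False
    return "*" in versions or version in versions


def find_unauthorized(inventory, allowlist=APPROVED_SOFTWARE):
    """Return findings for every inventory entry that fails the allowlist check."""
    findings = []
    for instance_id, entries in inventory.items():
        for entry in entries:
            name = entry.get("Name", "")
            version = entry.get("Version", "")
            if name.lower() not in allowlist:
                findings.append(Finding(instance_id, name, version, "not on allowlist"))
            elif not is_approved(name, version, allowlist):
                findings.append(Finding(instance_id, name, version, "version not approved"))
    return findings


def fetch_inventory(instance_ids, region_name=None):
    """Pull live AWS:Application entries with boto3 (imported lazily so the
    example runs offline). Requires SSM Inventory enabled on the instances and
    the ssm:ListInventoryEntries permission; paginates on NextToken."""
    import boto3

    ssm = boto3.client("ssm", region_name=region_name)
    inventory = {}
    for instance_id in instance_ids:
        entries = []
        kwargs = {"InstanceId": instance_id, "TypeName": "AWS:Application"}
        while True:
            resp = ssm.list_inventory_entries(**kwargs)
            entries.extend(resp.get("Entries", []))
            token = resp.get("NextToken")
            if not token:
                break
            kwargs["NextToken"] = token
        inventory[instance_id] = entries
    return inventory


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_INVENTORY):
        print(f"{f.instance_id}: {f.name} {f.version} ({f.reason})")
```

Run as a script to see the two constructed findings (an unlisted package on the first instance and an unapproved OpenSSL version on the second); replace `SAMPLE_INVENTORY` with `fetch_inventory([...])` to review real instances. The version allowlist is what turns "is this package approved?" into "is this patch level approved?", which is the distinction the control draws between permitted updates and prohibited installs.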