3.4.9—Configuration Management - Derived
>Control Description
>Discussion
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved "app stores." Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious.
The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern control of user-installed software?
- •What approval process exists for user software requests?
- •How do you communicate software installation restrictions?
- •Who monitors and enforces user-installed software policies?
- •What procedures remediate unauthorized user-installed software?
Technical Implementation:
- •What technical controls prevent user software installation?
- •How do you remove local administrator rights from users?
- •What application control solutions restrict user installations?
- •How do you detect and alert on user software installation attempts?
- •What mechanisms enforce software installation through IT only?
Evidence & Documentation:
- •Can you show user accounts lack software installation privileges?
- •What evidence demonstrates users cannot install software?
- •Can you provide logs of blocked installation attempts?
- •What scan results identify user-installed unauthorized software?
- •What compliance reports verify user installation restrictions?
Ask AI
Configure your API key to use AI features.