CM.L2-3.4.9—User-Installed Software
Level 2
800-171: 3.4.9
Control Description
Control and monitor user-installed software.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy regarding user installation of software?
- How do you govern and approve user requests to install software?
- What procedures are in place to detect and manage unauthorized software?
- Who is responsible for monitoring and enforcing user-installed software policies?
Technical Implementation:
- What technical controls prevent users from installing software?
- How do you restrict administrative rights to prevent software installation?
- What tools detect unauthorized software installations?
- What mechanisms require approval before software installation?
- What inventory tools track installed software?
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?