3.4.8—Configuration Management - Derived
>Control Description
>Discussion
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution.
In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting.
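As an added illustration (not part of the NIST text), the following Python models both halves of the discussion: a deny-all, permit-by-exception allowlist keyed by approved location, plus a SHA-256 integrity check of each program before execution and a re-check "at system startup". The directories, program contents and hashes are constructed for the example.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed example: approved execution locations and sample program bytes.
# Nothing here is a real deployment value.
APPROVED_DIRS = ("/opt/approved", "/usr/local/bin")   # hypothetical approved locations
SAMPLE_PROGRAMS = {                                   # constructed file contents
    "/opt/approved/backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    "/usr/local/bin/report": b"\x7fELF constructed-binary-bytes\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_allowlist(programs: dict) -> dict:
    """Record the hash of each approved program at approval time (the baseline)."""
    return {path: sha256_hex(content) for path, content in programs.items()}

def evaluate(path: str, content: bytes, allowlist: dict) -> tuple:
    """Decide whether `content`, presented as the file at `path`, may execute.
    Returns (decision, reason); anything that does not match is denied."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return ("deny", "unnormalised path")
    if not any(str(p).startswith(d + "/") for d in APPROVED_DIRS):
        return ("deny", f"location not approved: {p.parent}")
    expected = allowlist.get(str(p))
    if expected is None:
        return ("deny", "program not on allowlist")
    if sha256_hex(content) != expected:
        return ("deny", "integrity check failed: hash differs from approved baseline")
    return ("allow", "path and hash match allowlist")

def startup_verification(programs: dict, allowlist: dict) -> list:
    """The 'at system startup' variant: re-hash every allowlisted program and
    report those that are missing or no longer match the baseline."""
    findings = []
    for path, expected in allowlist.items():
        content = programs.get(path)
        if content is None:
            findings.append((path, "missing"))
        elif sha256_hex(content) != expected:
            findings.append((path, "modified"))
    return findings

if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_PROGRAMS)
    good = SAMPLE_PROGRAMS["/opt/approved/backup.sh"]
    print(evaluate("/opt/approved/backup.sh", good, allowlist))       # allowed
    print(evaluate("/tmp/backup.sh", good, allowlist))                # wrong location
    print(evaluate("/opt/approved/backup.sh", b"#!/bin/sh\necho x\n", allowlist))  # tampered
```

The same decision logic maps onto the assessor questions below: the location check answers "where can applications execute from", and the denied results are what an execution-attempt log should record.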
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern application execution control?
- What procedures define approved application execution locations?
- How do you determine which applications can execute from where?
- Who approves application execution policies?
- What governance prevents execution from unauthorized locations?
Technical Implementation:
- What application whitelisting controls execution by location?
- How do you prevent execution from temp folders or user directories?
- What path-based execution controls are enforced?
- What mechanisms block execution from removable media?
- How do you implement code signing and verification?
Evidence & Documentation:
- Can you show application execution policies by path?
- What configurations restrict execution to approved locations?
- Can you demonstrate blocked execution attempts from unauthorized paths?
- What logs track application execution attempts and blocks?
- What audit evidence verifies execution control enforcement?