3.4.8 has a weight of -5 points
(Configuration Management Family) 8/9
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the executive of authorized software.
Video:
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP) – Control 3.4.8
Control Title: Apply Blacklist or Whitelist Policy to Prevent/Permit the Use of Software
Control Requirement: The organization must establish and rigorously enforce a policy that delineates software permissions, blocking or allowing specific software installations based on comprehensive organizational needs and meticulous security assessments.
Implementation Status: Fully Implemented
Implementation Overview:
1. Group Policy and Active Directory Configuration:
-
Software Restriction via Group Policy: Through meticulous configuration of our Group Policy, we ensure that installation of software is contingent upon express authorization from a designated IT administrator.
-
Dynamic Behavior Regulations: The Group Policy has been further fortified to encompass various behaviors, most notably the initiation of non-sanctioned software. These restrictions are modulated based on specific Organizational Unit (OU) affiliations.
-
Active Directory Organizational Units (OU) Configurations: Our Active Directory structure allows for nuanced software permissions across OUs. This granularity ensures that departments are provisioned software access pertinent to their operational necessities.
2. User Permissions & Approvals:
-
Restricted Installation Capabilities: To safeguard against potential vulnerabilities, software installations are contingent upon involvement and oversight by a certified IT administrator.
-
Senior Management Approval: Prior to the integration of new software into our operational ecosystem, it mandates approval from our senior management, ascertaining its relevance and safety for business operations.
-
Whitelisting Requests & Trouble Tickets: For access to non-preapproved software or websites, users must formally submit a comprehensive request to the IT department, ensuring centralized oversight and stringent security checks.
3. Continuous Monitoring & Policy Management:
- Regular Policy Updates: Our IT team perpetually refines and amends our software policies, ensuring alignment with evolving business requirements and emergent security threats.
4. Specific Implementations and Processes:
-
Blacklisting Policy: A meticulously curated policy is in place that proscribes specific undesired software. This list undergoes periodic reviews and updates based on the latest security intelligence.
-
Whitelisting Policy: Concurrently, a roster of sanctioned software has been delineated, underpinned by rigorous verification mechanisms such as cryptographic checksums and digital signatures.
-
Technical Controls: Advanced technological tools are deployed to assert that only whitelisted software operates within our infrastructure.
-
Periodic Audits and Assessments: Regular assessments are conducted to corroborate adherence to our blacklisting and whitelisting policies, and to promptly rectify any aberrations.
-
Documentation & Compliance: A comprehensive record detailing our software-related policies has been archived, including the rationale for each directive and the verification mechanisms employed.
Review Date: [Quarterly/Bi-annually/Annually]
Reviewer: [Senior Security Officer/ CISO]
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) – Control 3.4.8
Control Title: Apply Blacklist or Whitelist Policy to Prevent/Permit the Use of Software
-
Objective:
- Implement and maintain an effective software whitelist/blacklist policy in alignment with Control 3.4.8.
-
Milestones:
a. Group Policy and Active Directory Configuration:
- M1: Review current Group Policy settings for software restrictions. (Due Date: [Specify Date])
- M2: Update the Group Policy to enhance software restriction based on the findings from M1. (Due Date: [Specify Date])
- M3: Audit and refine Active Directory OUs to ensure they align with departmental software needs. (Due Date: [Specify Date])
b. User Permissions & Approvals:
- M4: Implement a workflow for IT administrators to approve or deny software installation requests. (Due Date: [Specify Date])
- M5: Establish a protocol for senior management to vet and approve software requests. (Due Date: [Specify Date])
c. Continuous Monitoring & Policy Management:
- M6: Create a quarterly review schedule to evaluate and update software policies. (Due Date: [Specify Date])
- M7: Develop an alert system to notify when unauthorized software is detected. (Due Date: [Specify Date])
d. Specific Implementations and Processes:
- M8: Review and update the list of blacklisted software. (Due Date: [Specify Date])
- M9: Review and validate the integrity of whitelisted software programs. (Due Date: [Specify Date])
- M10: Schedule periodic audits to ensure compliance with software policies. (Due Date: [Specify Date])
-
Responsibilities:
- IT Department: Oversee and implement the milestones related to Group Policy, Active Directory, and continuous monitoring.
- Senior Management: Provide timely approvals and oversight on major software changes.
- [Senior Security Officer/ CISO]: Ensure alignment with security requirements and provide final sign-off upon milestone completion.
-
Resources & Budget:
- Estimated budget: [Specify Amount]
- Necessary tools: [List tools/software if any]
- Manpower: Dedicated IT team of [Specify Number] members.
-
Monitoring & Reporting:
- Monthly status updates to be provided to senior management and relevant stakeholders.
- Ad hoc updates to be provided if significant deviations or risks are identified.
-
Completion Date: [Overall expected completion date]
RELEVANT INFORMATION:
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.