3.4.9 has a weight of -1 points

(Configuration Management Family) 9/9

Control and monitor user-installed software.

Example of System Security Plan (SSP):

System Security Plan (SSP) – Control 3.4.9

Control Title: Control and Monitor User-Installed Software


Objective:
To control and monitor the installation and execution of software on company machines, ensuring the safety and integrity of the IT environment.


Implementation Status: Implemented


Implementation Details:

1. No Local Administrator Accounts:
To ensure the secure management of software, the company has abolished local administrator accounts on all machines belonging to non-administrator level employees. This ensures that only standard user access is granted, thereby preventing unauthorized software installations.

2. Software Installation Requires Admin Access:
Any software installation mandates administrator-level access, reinforcing our security posture against potential threats. This elevated access is exclusively provisioned via Active Directory and is reserved for IT administrators or those with explicit authorization.

3. Request Protocol for Software Changes:
All software alteration requests are to be channeled through the company’s IT ticketing system. This structured approach ensures a traceable record of every software change request, ensuring transparency and accountability.

4. Approval and Implementation Mechanism:
If a software request is approved, it is executed by the System Security Administrator or another designated authority in the organization. Each software request undergoes a thorough evaluation process, and an impact analysis is conducted before the actual installation.

5. Monitoring Software Execution:
Software execution within the organization is continually observed through our SIEM (Security Information and Event Management) SOC (Security Operations Center) system. Additionally, we employ an Endpoint Management System for granular monitoring. These systems are equipped to:

  • Analyze log files from critical devices, checking for any unusual or unauthorized activities.
  • Detect malicious activity, restrict its execution, and alert the relevant authorities.

6. Endpoint Management Solution:
Beyond the SIEM SOC system, our Endpoint Management solution, comprising antivirus software and other security tools, is strategically positioned to control, detect, and mitigate risks on individual endpoints. If malicious activity is detected, the system is designed to instantly suppress it and raise an alert.

7. User Permissions and Installation Protocol:
Our policy strictly prohibits users from installing any software without the necessary administrative clearance. All software installation requests must be routed through the Change Control Board (CCB), and an impact analysis is mandatorily performed before the green light is given for the software’s installation.
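As an added illustration, not part of the SSP above and not the organization's own tooling, the following PowerShell script collects evidence for items 1, 5 and 7 on a single Windows host: it lists any member of the local Administrators group that is not on an approved allowlist, and it pulls recent Windows Installer completion events (MsiInstaller event 11707 in the Application log) so each install can be reconciled against an approved ticket. The allowlist values in $ApprovedAdmins, the AD group name, and the $TicketedProducts list are placeholder assumptions.

```powershell
# Added example, not part of the SSP above: gather evidence on one Windows
# host for two of the controls described (no local admin accounts for
# non-admin staff; reconcile software installations against approved
# tickets). $ApprovedAdmins and $TicketedProducts are placeholder
# assumptions; replace them with the organization's real allowlists.

param(
    # Principals allowed to remain in the local Administrators group
    # (built-in account plus an AD group; placeholder values).
    [string[]]$ApprovedAdmins = @('Administrator', 'CORP\IT-Workstation-Admins'),
    # Product names whose installation was approved through the ticketing
    # system / CCB (placeholder: empty, so every install is reported).
    [string[]]$TicketedProducts = @(),
    [int]$LookbackDays = 30
)

# ---- 1. Local Administrators group: anything not on the allowlist is a finding ----
# Local members are reported as "HOSTNAME\name"; strip the host prefix so the
# allowlist can be written host-independently. Domain members keep "DOMAIN\name".
$hostPrefix = [regex]::Escape($env:COMPUTERNAME) + '\\'
$adminFindings = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
    ForEach-Object { $_.Name -replace "^$hostPrefix", '' } |
    Where-Object { $ApprovedAdmins -notcontains $_ } |
    ForEach-Object {
        [pscustomobject]@{ Check = 'LocalAdmin'; Host = $env:COMPUTERNAME; Detail = $_ }
    }

# ---- 2. Software installed via Windows Installer in the lookback window ----
# MsiInstaller event 11707 in the Application log records a completed install:
# "Product: <name> -- Installation completed successfully."
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$installFindings = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $product = if ($_.Message -match '^Product: (.+?) -- ') { $Matches[1] } else { $_.Message }
        # UserId is the SID of the account that ran the installer; resolve it
        # to DOMAIN\user when possible so the ticket owner can be matched.
        $who = $_.UserId
        if ($who) {
            try { $who = $who.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $who.Value }
        }
        [pscustomobject]@{
            Check   = 'Install'
            Host    = $env:COMPUTERNAME
            Detail  = "$product installed by $who at $($_.TimeCreated)"
            Product = $product
        }
    } |
    Where-Object { $TicketedProducts -notcontains $_.Product }

# Emit findings as objects so they can be piped to Export-Csv or forwarded to the SIEM.
$adminFindings
$installFindings | Select-Object Check, Host, Detail
```

Run it with elevation on a workstation (Get-LocalGroupMember needs Windows PowerShell 5.1 or later on Windows); pushing it to many hosts with Invoke-Command and collecting the output centrally is the natural next step. Two limits to keep in mind: the installer check only sees MSI-based installs, so portable executables and per-user installers need the endpoint management tool's inventory instead, and any product the script reports that has no matching ticket is exactly the "unauthorized installation" the SSP says the review process must catch.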


Review and Audit:

Routine audits and assessments will be conducted to ensure the effectiveness of the implemented controls and to monitor for unauthorized software installations. These evaluations will ensure our system remains robust as the organization’s needs evolve and new software threats surface.


Review Date: [Quarterly/Bi-annually/Annually]

Reviewer: [Senior Security Officer/ CISO]

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) – Control 3.4.9


Control: Control and Monitor User-Installed Software

Objective:
To implement, enforce, and continuously refine the control and monitoring of user-installed software in the organization’s IT environment.


1. Local Administrator Accounts

  • Milestone: Remove all existing local administrator accounts from non-administrator level employee machines.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: IT Administrators

2. Software Installation Admin Access

  • Milestone: Set up and implement software installation permissions through Active Directory.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: IT Security Team

3. Software Changes Request Protocol

  • Milestone: Deploy a centralized IT ticketing system to handle software change requests.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: IT Management

4. Approval and Implementation Mechanism

  • Milestone: Establish a dedicated Change Control Board (CCB) to review and approve software requests.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: System Security Administrator

5. Monitoring Software Execution

  • Milestone: Integrate the SIEM SOC system for constant software execution monitoring.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: Security Operations Team

6. Endpoint Management Solution Enhancement

  • Milestone: Update the Endpoint Management System to include advanced detection and alert mechanisms.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: Endpoint Security Team

7. User Permissions and Installation Protocol

  • Milestone: Draft and enforce strict guidelines for user software installation permissions. Implement mandatory route through the Change Control Board (CCB) for all software requests.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: IT Governance Team

Continuous Monitoring and Review:

  • Milestone: Establish a bi-annual review and audit process to ensure the effectiveness and relevance of the implemented controls.
  • Start Date: [Start Date]
  • End Date: [End Date]
  • Responsible Party: [Senior Security Officer/ CISO]


RELEVANT INFORMATION:

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.