(a) Identify [Assignment: organization-defined software programs not authorized to execute on the system];
(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
(c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].
|
| Control Identifier | CM-7(4) |
| Latest Sync Date | 19/12/24 09:18:14 |
| Discussion | Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. |
| Related Controls | CM-6, CM-8, CM-10, PL-9, PM-5. |