CCI-001767
CCI-001767 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system.
Validation Procedures
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; system component inventory; common secure configuration checklists; review and update records associated with list of unauthorized software programs; change control records; system audit records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying software not authorized to execute on the system; organizational personnel with information security responsibilities; system/network administrators].

Test: [SELECT FROM: Organizational process for identifying, reviewing, and updating programs not authorized to execute on the system; organizational process for implementing unauthorized software policy; mechanisms supporting and/or implementing unauthorized software policy].