CCI-003980

Implementation Guidance

Determine if user installation of software is allowed only with explicit privileged status.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing user-installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; alerts/notifications of unauthorized software installations; system audit records; continuous monitoring strategy; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the system; organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes governing user-installed software on the system; mechanisms for prohibiting installation of software without privileged status (e.g., access controls)].