Has your organization implemented software execution controls to restrict execution to permitted applications and/or block unauthorized software?
Explanation
Software execution controls help prevent malicious or unauthorized programs from running in your environment, reducing the risk of malware infections and data breaches. These controls can include application allowlisting (permitting only approved software), application blocklisting (denying specific prohibited software), or a combination of both approaches based on your risk assessment.
Evidence of implementation could include documentation of your application control policy, screenshots of configured application control solutions (like Microsoft AppLocker, Windows Defender Application Control, or endpoint protection platforms), and logs showing blocked execution attempts of unauthorized software.
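As an added illustration (not part of the questionnaire), the following PowerShell session builds an AppLocker allowlist from the executables already installed under Program Files, deploys it in audit-only mode first, and exports the effective policy and blocked-execution events that serve as evidence; the policy and export paths and the sample file name are assumptions.

```powershell
# Added example: AppLocker allowlist plus evidence collection. Paths below are assumed.
$policyPath = 'C:\Policies\AppLocker-Allowlist.xml'   # assumed location

# 1. Generate Publisher rules for signed binaries, Hash rules as fallback for unsigned ones.
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 2. Start in AuditOnly so nothing is blocked until the allowlist is proven complete.
[xml]$policy = Get-Content -Path $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 3. Dry-run a candidate file against the policy: the result shows whether it would be allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unapproved.exe' -User Everyone

# 4. Apply to this machine, merging with any rules already in place.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Evidence: the effective policy, and AppLocker events
#    (8003 = would have been blocked in audit mode, 8004 = blocked in enforce mode).
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath 'C:\Policies\Effective-AppLocker.xml'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path 'C:\Policies\AppLocker-BlockedExecutions.csv' -NoTypeInformation
```

The Application Identity service (AppIDSvc) must be running for AppLocker rules to be evaluated and for the events to appear; switch the collections to `Enabled` only after the audit log shows no legitimate software being flagged.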
Implementation Example
When risk warrants it, restrict software execution to permitted products only, or deny the execution of prohibited and unauthorized software.
ID: PR.PS-05.253
Context
- Function
- PR: PROTECT
- Category
- PR.PS: Platform Security
- Sub-Category
- Installation and execution of unauthorized software are prevented
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?

