Has your organization implemented application control mechanisms that restrict software installation to only approved applications?
Explanation
Application control mechanisms prevent unauthorized software from being installed on systems, reducing the risk of malware and unauthorized applications that could compromise security. These controls can include allowlisting approved applications, implementing software restriction policies, or using mobile device management (MDM) solutions to control application installations.
Evidence of fulfillment could include screenshots of application control configurations, documentation of software approval processes, or reports from endpoint protection platforms showing application control enforcement across the organization's systems.
Implementation Example
Configure platforms to allow the installation of organization-approved software only
ID: PR.PS-05.256
Context
- Function
- PR: PROTECT
- Category
- PR.PS: Platform Security
- Sub-Category
- Installation and execution of unauthorized software are prevented
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?

