Establish, implement, and maintain a software accountability policy.

CONTROL ID
00868
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain software asset management procedures., CC ID: 00895
  • Establish, implement, and maintain software archives procedures., CC ID: 00866
  • Establish, implement, and maintain software distribution procedures., CC ID: 00894
  • Establish, implement, and maintain software documentation management procedures., CC ID: 06395
  • Establish, implement, and maintain software license management procedures., CC ID: 06639

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Software control rules for handling and managing software must be developed and complied with by the development, operation, and maintenance departments. This is a control item that constitutes a greater risk to financial information. (App 2-1 Item Number IV.6(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall establish and maintain procedures for controlling program files. (O28, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should limit the disclosure of the installed software. (Control: 0381, Australian Government Information Security Manual: Controls)
  • Sound practice is to establish a formal policy to govern end-user developed/configured software. The policy would clearly articulate under what circumstances end-user developed/configured software is appropriate, as well as expectations regarding life-cycle management controls including information … (59., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The suitable granularity for the considered applications must be selected individually in each organisation. Here, the objective should be to achieve optimal transparency and efficiency of structure analysis and defining of protection needs. Also the modules of the application layer as considered in… (§ 8.1.3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to define the protection needs of an IT system, the applications that directly relate to the IT system must be considered first. A summary of the applications that are relevant for the various IT systems have been determined within the scope of the structure analysis (see Section 8.1). The … (§ 8.2.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Rules shall be defined on the identification of all applications developed or run by the organisational unit's end users, on documentation, on the coding guidelines and on the testing methodology, on the protection requirements analysis and on the recertification process for authorisations (e.g. in … (II.6.44, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Company directors, senior managers, and others, are liable to face imprisonment and fines if illegal software is found to be in use within their enterprise. Configuration Management enables an enterprise to monitor and control software licenses, from purchase to disposal. Software license structures… (§ 7.3.10, OGC ITIL: Service Support)
  • Standards should be adopted for systems software configuration. These standards are starting to gain acceptance by many leading organizations and technology providers. The way operating systems, database management systems, and networking software are configured can enhance security or create weakne… (§ 5.3.2 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • There should be documented standards / procedures related to malware protection software, which specify the processes required to review the effectiveness of malware protection software. (CF.10.03.01c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures related to malware protection software, which specify the processes required to review the effectiveness of malware protection software. (CF.10.03.01c, The Standard of Good Practice for Information Security, 2013)
  • Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessa… (¶ 8.1.5(11), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The organization shall establish procedures for validating computer software, and changes to the software, that affects the ability of the product to conform to specified requirements before initial use. (§ 7.5.2.1 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and softwa… (CC6.1 ¶ 3 Bullet 9 Manages Credentials for Infrastructure and Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • This part does not require installing specific accessibility-related software or attaching assistive technology devices at workstations of federal employees who do not have disabilities, except as required to comply with the requirements of this part. (§ 1194.3(c), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • The organization must only grant access to system security functions deployed in software, firmware, and hardware to authorized information security personnel. (CSR 2.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Utilize an exception process for non-whitelisted software that includes mitigation techniques. (RM.5.152, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Illegal and non-approved software may not be used or installed at alternate work sites. (§ 4.7.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5) ¶ 1(b) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. (CM-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. (CM-7(5)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization enforces software installation policies through {organizationally documented methods}. (CM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented user-installed software} execute in a confined physical or virtual machine environment with limited privileges. (SI-7(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that the integrity of {organizationally documented user-installed software} be verified prior to execution. (SI-7(12), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. (CM-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. (CM-7(5)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization enforces software installation policies through {organizationally documented methods}. (CM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization enforces software installation policies through {organizationally documented methods}. (CM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. (CM-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization enforces software installation policies through {organizationally documented methods}. (CM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (CM-7(5)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5) ¶ 1(b), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (CM-7(5)(b), TX-RAMP Security Controls Baseline Level 2)