Back

Establish, implement, and maintain procedures to standardize operating system software installation.


CONTROL ID
00869
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Verify operating system installation plans include software security considerations., CC ID: 00870
  • Configure the "Approved Installation Sites for ActiveX Controls" security mechanism properly., CC ID: 04909


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • O18.5: The organization shall cancel the access authorizations for software purchased from vendors when the software is loaded on the system. O73.1: The operation and management organization for new software should ensure the points of contact and the maintenance organization for the software are ma… (O18.5, O73.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation. (Security Control: 0289; Revision: 2, Australian Government Information Security Manual, March 2021)
  • All products should be installed and configured using the evaluated configuration. (§ 3.3.19, Australian Government ICT Security Manual (ACSI 33))
  • If a model computer is set up with the appropriate security configurations, a disk image can be made of that computer. This disk image can then be used to set up other computers without having to configure each individual computer. (Pg 23, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • A fresh installation of the operating system should be used in order to start from a known state and be sure of the integrity of the system software. When installing the operating system, the computer should be physically disconnected from the network. The defaults are acceptable when installing the… (§ 2.1, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • A process should be created for installing operating system software and applications from tested configurations. Users should be discouraged from installing software downloaded from the Internet. (Special Action 1.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • Following guidelines should be followed when installing software to prevent potential corruption to the operational system: Only trained personnel should be permitted to update software; only executable code, not compilers, should be stored; software should be implemented only after successful testi… (§ 12.4.1, ISO 27002 Code of practice for information security management, 2005)
  • Live operating system and software executable only from read-only media; (Attachment 1 Section 1. 1.3. Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Review use of live operating system and software executable only from read-only media; (Attachment 1 Section 2. 2.2 Bullet 4, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Live operating system and software executable only from read-only media; (Attachment 1 Section 1. 1.3. Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review use of live operating system and software executable only from read-only media; (Attachment 1 Section 2. 2.2 Bullet 4, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review use of live operating system and software executable only from read-only media; (Attachment 1 Section 5. 5.2 5.2.1 Bullet 4, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Does the information security policy cover operating system security? (§ B.1.24, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • When desktop computers are used to transmit scoped systems and data, is a standard operating environment required? (§ G.22.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is a standard operating environment required? (§ G.22.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is a standard operating environment required? (§ G.22.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • This part does not require installing specific accessibility-related software or attaching assistive technology devices at workstations of federal employees who do not have disabilities, except as required to comply with the requirements of this part. (§ 1194.3(c), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • The organization should identify all software that has been approved for the system. (§ 2-4.d, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The Information Assurance Manager should ensure a plan exists to migrate the operating system, either for removing or upgrading it, when a vendor decides to stop supporting the software. After the initial installation of DataBase Editor (DBE), the System Administrator should ensure the DBEGEN userid… (§ 2.5, § 5.1.1.1, § 5.1.2.1.2, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • Newer Red Hat Linux versions and SuSE Linux provide products to automate the installation process. The system administrator can create a file with all the answers to the questions asked during installation. These two programs are Kickstart and Auto YaST. These programs should only be used on an isol… (§ 12.6, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • § 2.2 (WIR1170) New and reissued wireless e-mail devices should have a "Device HARD Reset" performed by the wireless e-mail system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put … (§ 2.2 (WIR1170), § 2.2 (WIR1180), § 3.8, App B.2 Row "Enable Image Management", DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • § 2.2 (WIR3170) Wireless e-mail devices should have all software installed from a trusted source and have the site security policy pushed to the device before being issued. If Over-the-Air (OTA) provisioning is used, the following steps must be followed by the system administrator: Windows Mobile d… (§ 2.2 (WIR3170), § 2.2 (WIR3180), § 3.4, § 2.2 (WIR3250), App B.1 Row "List of Blocked Applications for that Handheld", App B.1 Row "Compliance Manager", DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR2170) Wireless e-mail devices should have all software installed from a trusted source and have the site security policy pushed to the device before being issued. If Over-the-Air (OTA) provisioning is used, the following steps must be followed by the system administrator: Windows Mobile d… (§ 2.2 (WIR2170), § 2.2 (WIR2180), § 3.5, App B.3 Row "Enable Image Management", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • (SS-3.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Organizational records and documents should be examined to ensure the software downloaded and installed by users follows explicit rules; user-installed software is regularly reviewed and analyzed for suspicious activity; suspected violations or suspicious activities are investigated, their findings … (SA-7, SA-7.4, SA-7.5, SA-7.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Install and maintain network infrastructure device operating system software (e.g., IOS, firmware). (T0125, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should use alternative mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot prevent software programs that are not signed with a recognized and approved certificate from being installed. (App I § CM-5 Control Enhancement: (3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Install and maintain network infrastructure device operating system software (e.g., IOS, firmware). (T0125, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)