Establish and maintain an unauthorized software list.


CONTROL ID
10601
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should establish measures to control and monitor the use of shadow IT in its environment. (§ 6.5.2, Technology Risk Management Guidelines, January 2021)
  • Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. (CIS Control 2: Safeguard 2.3 Address Unauthorized Software, CIS Controls, V8)
  • Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For … (CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported, CIS Controls, V8)
  • The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. (CC6.8 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. (CC6.8, Trust Services Criteria)
  • The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. (CC6.8 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Determining clients or processes supported by shadow IT. (App A Objective 4:5e Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization reviews and updates the list of unauthorized software programs {organizationally documented frequency}. (CM-7(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the list of authorized software programs {organizationally documented frequency}. (CM-7(5)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the list of unauthorized software programs {organizationally documented frequency}. (CM-7(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the list of authorized software programs {organizationally documented frequency}. (CM-7(5)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the list of unauthorized software programs {organizationally documented frequency}. (CM-7(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]. (CM-7(4) ¶ 1(c), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)