Lock configurations to prevent circumventing security measures.

CONTROL ID
12187
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems. (Security Control: 1584; Revision: 0, Australian Government Information Security Manual)
  • All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. (Security Control: 0846; Revision: 7, Australian Government Information Security Manual)
  • Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed. (Security Control: 1524; Revision: 1, Australian Government Information Security Manual)
  • Standard users are prevented from bypassing, disabling or modifying security functionality of applications. (Security Control: 1585; Revision: 0, Australian Government Information Security Manual)
  • Microsoft Office macro security settings cannot be changed by users. (Security Control: 1489; Revision: 0, Australian Government Information Security Manual)
  • Microsoft's latest recommended block rules are implemented to prevent application control bypasses. (Security Control: 1544; Revision: 1, Australian Government Information Security Manual)
  • Merchants should not circumvent any security measures on the mobile device (e.g., enabling USB debugging if already disabled or rooting the mobile device). (¶ 5.3.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • SL 2 – Prevent the intended circumvention of zone and conduit segmentation by entities using simple means with low resources, generic skills and low motivation. (9.1 ¶ 1 Bullet 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 3 – Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with moderate resources, IACS specific skills and moderate motivation. (9.1 ¶ 1 Bullet 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 4 – Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with extended resources, IACS specific skills and high motivation. (9.1 ¶ 1 Bullet 4, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 1 – Prevent the casual or coincidental circumvention of zone and conduit segmentation. (9.1 ¶ 1 Bullet 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations. (3.4.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)