2.5: Allowlist Authorized Software
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
Asset Type |
Security Function |
Implementation Groups |
---|---|---|
Applications |
Protect |
2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Safeguard 2.3: Address Unauthorized Software
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
GV7
: Software capable assetsGV5
: Authorized software inventoryGV3
: Approved configuration StandardsDate of last assessment of this safeguard
Operations
Using
GV7
identify and enumerate assets capable of supporting allowlisting software (some assets may not enable third-party software installation or otherwise have constrained environments precluding the use of allowlisting software) (M1).Using
GV5
identify all authorized allowlisting software within the enterprise (GV8
)- Using the output from Operation 1 and authorized allowlisting software
GV8
Identify and enumerate allowlisting capable assets with allowlisting software installed (M2)
Identify and enumerate allowlisting capable assets without allowlisting software installed (M3)
- Using the output from Operation 1 and authorized allowlisting software
Use
GV3
to identify allowlisting software configurations (GV9
)- For each asset with allowlisting software installed (M2) from Operation 2 use the output from Operation 3 to
Identify and enumerate properly configured software (M4)
Identify and enumerate improperly configured software (M5)
Compare Input 4 to current date and note timeframe in months (M6)
Measures
M1 = Count of enterprise assets capable of supporting allowlisting software
M2 = Count of enterprise assets capable of supporting allowlisting software and have the software installed
M3 = Count of enterprise assets capable of supporting allowlisting software and do not have the software installed
M4 = Count of enterprise assets with allowlisting software that is properly configured
M5 = Count of enterprise assets with allowlisting software that is properly configured
M6 = Timeframe since last assessment of this safeguard
Metrics
If M6 is greater than six months, then this safeguard is measured at a 0 and receives a failing score. The other metrics don’t apply.
Allowlisting Installation Coverage
Metric |
The percentage of enterprise assets capable of supporting allowlisting with allowlisting installed
|
Calculation |
|
Allowlisting Configuration Coverage
Metric |
The percentage of enterprise assets with properly configured allowlisting installed
|
Calculation |
|