2.7: Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Applications | Protect | 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Sub-control 2.1: Maintain Inventory of Authorized Software
Sub-control 2.5: Integrate Software and Hardware Asset Inventories
Inputs
The list of endpoints
The list of authorized software
Operations
1. Enumerate endpoints capable of leveraging whitelisting technology (e.g. some network and other devices may not enable third-party software installation or otherwise have constrained environments precluding the use of whitelisting software)
2. For each eligible endpoint (operation 1), examine the software inventory for whitelisting applications related to that endpoint, noting endpoints with and without whitelisting capabilities
3. For each endpoint with whitelisting capabilities, examine the whitelisting software's configuration to ensure only authorized software is considered executable and that attempts to execute unauthorized software are blocked, noting appropriately and inappropriately configured software
Measures
M1 = List of endpoints capable of leveraging whitelisting technology
M2 = List of endpoints with whitelisting capabilities installed
M3 = List of endpoints without whitelisting capabilities installed
M4 = List of endpoints with appropriately configured whitelisting capabilities
M5 = List of endpoints with inappropriately configured whitelisting capabilities
M6 = Count of endpoints capable of leveraging whitelisting technology (count of M1)
M7 = Count of endpoints with whitelisting capabilities installed (count of M2)
M8 = The number of endpoints without whitelisting capabilities installed (count of M3)
M9 = Count of endpoints with appropriately configured whitelisting capabilities (count of M4)
M10 = Count of endpoints with inappropriately configured whitelisting capabilities (count of M5)
Metrics
Whitelisting Installation Coverage
Metric | The ratio of endpoints with whitelisting capabilities installed to the number of whitelisting-eligible endpoints |
Calculation | |
Whitelisting Configuration Coverage
Metric | The ratio of endpoints with appropriately configured whitelisting capabilities to the number of endpoints with whitelisting capabilities |
Calculation | |
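The operations, measures and metrics above, worked through on a constructed inventory, as an added example that is not part of the original specification. The product name `whitelist-agent`, the host names, the `Endpoint` fields and the rule used for "appropriately configured" (blocking mode with no allowed entry outside the authorized software list) are assumptions; the two coverage values follow the prose definitions of the metrics.

```python
from dataclasses import dataclass, field

# Constructed sample data. Product and host names are assumptions for illustration.
AUTHORIZED_SOFTWARE = {"chrome", "office", "whitelist-agent"}
WHITELIST_PRODUCTS = {"whitelist-agent"}  # inventory entries that count as whitelisting software

@dataclass
class Endpoint:
    name: str
    supports_third_party: bool                    # operation 1: eligible for whitelisting at all?
    installed: set = field(default_factory=set)   # software inventory for this endpoint
    enforcing: bool = False                       # True = unauthorized execution is blocked
    allowed: set = field(default_factory=set)     # software the whitelisting policy permits

def ratio(numerator, denominator):
    """Coverage ratio; None when the denominator is zero (nothing to measure)."""
    return numerator / denominator if denominator else None

def measure(endpoints, authorized=AUTHORIZED_SOFTWARE):
    m1 = [e for e in endpoints if e.supports_third_party]
    m2 = [e for e in m1 if e.installed & WHITELIST_PRODUCTS]
    m3 = [e for e in m1 if not (e.installed & WHITELIST_PRODUCTS)]
    # Assumed rule: blocking mode, and every allowed entry is on the authorized list.
    m4 = [e for e in m2 if e.enforcing and e.allowed <= authorized]
    m5 = [e for e in m2 if not (e.enforcing and e.allowed <= authorized)]
    lists = {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5}
    out = {key: [e.name for e in group] for key, group in lists.items()}
    out.update({"M6": len(m1), "M7": len(m2), "M8": len(m3), "M9": len(m4), "M10": len(m5)})
    out["installation_coverage"] = ratio(out["M7"], out["M6"])
    out["configuration_coverage"] = ratio(out["M9"], out["M7"])
    return out

FLEET = [
    Endpoint("ws-01", True, {"chrome", "whitelist-agent"}, True, {"chrome", "office"}),
    Endpoint("ws-02", True, {"chrome", "whitelist-agent"}, False, {"chrome"}),  # audit-only mode
    Endpoint("ws-03", True, {"office", "whitelist-agent"}, True, {"office", "torrent-client"}),
    Endpoint("srv-01", True, {"office"}),   # eligible, but no whitelisting software installed
    Endpoint("switch-01", False),           # constrained device, excluded by operation 1
]

if __name__ == "__main__":
    for key, value in measure(FLEET).items():
        print(f"{key}: {value}")
```

An endpoint that only logs unauthorized execution (`ws-02`) or whose policy permits software outside the authorized list (`ws-03`) lands in M5 even though the whitelisting software is installed, which is why the two coverage values differ.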