7.3: Limit Use of Scripting Languages in Web Browsers and Email Clients
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Applications | Protect | 2, 3 |
Dependencies
Sub-control 2.5: Integration Software and Hardware Asset Inventories
Sub-control 5.1: Establish Secure Configurations
Inputs
1. List of web browsers and email clients installed in the organization by endpoint
2. Approved configuration(s) covering each web browser and email client in Input 1 to restrict the scripting languages that can run to only the authorized scripting languages
Operations
1. For each application instance (web browser or email client) in Input 1, check the application's configuration against the appropriate approved configuration(s) from Input 2.
   1. Create a list of the application instances that meet the approved configuration (M1).
   2. Create a list of the application instances that do not meet the approved configuration (M2), noting each deviation.
Measures
M1 = List of application instances (web browser or email client) that meet the approved configuration (compliant list)
M2 = List of application instances (web browser or email client) that do not meet the approved configuration (non-compliant list)
M3 = Count of compliant application instances (count of M1)
M4 = Count of non-compliant application instances (count of M2)
M5 = Total count of installed web browser and email client instances (count of Input 1)
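The Operations step and the measures M1 to M5, worked through as an added example (not part of the original specification). The application names, endpoint names, setting keys and inventory records are constructed for illustration. The example assumes that a setting that was never collected, or an application with no approved configuration, counts as a deviation.

```python
# Input 2 (constructed): approved setting per application; True = language may run.
APPROVED = {
    "browser-a": {"javascript": True, "vbscript": False, "java-applet": False},
    "mail-x": {"javascript": False, "vbscript": False},
}

# Input 1 (constructed): one record per application instance per endpoint,
# together with the scripting settings collected from that instance.
INVENTORY = [
    {"endpoint": "ws-001", "app": "browser-a",
     "observed": {"javascript": True, "vbscript": False, "java-applet": False}},
    {"endpoint": "ws-002", "app": "browser-a",
     "observed": {"javascript": True, "vbscript": True, "java-applet": False}},
    {"endpoint": "ws-002", "app": "mail-x",
     "observed": {"javascript": False}},   # vbscript setting never collected
    {"endpoint": "ws-003", "app": "browser-b",
     "observed": {"javascript": True}},    # application has no approved config
]


def deviations(instance, approved):
    """Return every way an instance differs from its approved configuration."""
    baseline = approved.get(instance["app"])
    if baseline is None:
        return ["no approved configuration for " + instance["app"]]
    found = []
    for language, allowed in sorted(baseline.items()):
        actual = instance["observed"].get(language)
        if actual is None:  # assumption: unknown state is treated as a deviation
            found.append(f"{language}: setting not collected")
        elif actual != allowed:
            found.append(f"{language}: expected {allowed}, found {actual}")
    for language in sorted(set(instance["observed"]) - set(baseline)):
        if instance["observed"][language]:
            found.append(f"{language}: enabled but not in approved configuration")
    return found


def assess(inventory, approved):
    """Build M1..M5 as defined in the Measures section."""
    m1, m2 = [], []
    for inst in inventory:
        devs = deviations(inst, approved)
        key = (inst["endpoint"], inst["app"])
        if devs:
            m2.append((key, devs))   # non-compliant, with each deviation noted
        else:
            m1.append(key)           # compliant
    return {"M1": m1, "M2": m2, "M3": len(m1), "M4": len(m2), "M5": len(inventory)}
```

Because every instance in Input 1 lands in exactly one list, M3 + M4 always equals M5, which is a quick sanity check on any collection run.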
Metrics
Coverage
| Metric | Ratio of compliant web browser and email client instances |
|---|---|
| Calculation | |