Overview
  1. 03.01: Access Control
  2. 03.02: Awareness and Training
  3. 03.03: Audit and Accountability
  4. 03.04: Configuration Management
  5. 03.05: Identification and Authentication
  6. 03.06: Incident Response
  7. 03.07: Maintenance
  8. 03.08: Media Protection
  9. 03.09: Personnel Security
  10. 03.10: Physical Protection
  11. 03.11: Risk Assessment
  12. 03.12: Security Assessment
  13. 03.13: System and Communications Protection
  14. 03.14: System and Information Integrity

Security Requirements for 03.04.08 Application Execution Policy

The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup.[SP 800-167] provides guidance on application whitelisting.

Evidence

  1. 03.04.08.a

    A policy specifying whether whitelisting or blacklisting is to be implemented is specified

  1. 03.04.08.b

    The software allowed to execute under whitelisting or denied use under blacklisting is specified

  1. 03.04.08.c

    Whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified