CM: Configuration Management
Level 2
NIST SP 800-171 Rev 1 3.4.9
Control and monitor user-installed software.
You should limit installed software to items that the organization approved. Users will install software that creates unnecessary risk. This risk applies both to the machine and to the larger operating environment. You should control the software users can install. You should put in place policies and technical controls that can reduce risk to the organization.

Example
You are the IT administrator for your company. A user calls you for help installing a software package. He keeps receiving a message asking for a password. The user receives the message because he does not have permission to install the software. You explain the organization’s policy. It prohibits users from installing software without approval. When you set up workstations for users, you do not provide administrative privileges. You make an exception only if a user needs administrative access to do his job. After the call, you redistribute the policy to all users, ensuring everyone in the organization is aware of the restrictions.
Control and monitor user-installed software.
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
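The two passages above describe the same control from two angles: the example shows the preventive side (no administrative privileges by default), and the discussion lists what a policy permits (updates, patches, approved app stores) and prohibits (unknown pedigree, suspected malicious). The monitoring objective, CM.2.063.[c], still needs a detective check. The script below is an added illustration, not CMMC or NIST text: it diffs a baseline software inventory against a current one, then classifies each newly installed package against a small policy. The policy lists, package records, user names and the `Package` fields are all constructed for the example; a real deployment would populate them from the organization's approved-software list and its endpoint inventory tool.

```python
"""Policy check for user-installed software (added example; constructed data).

Compares a baseline software inventory with a current one, finds packages that
were newly installed, and classifies each against a simple organizational
policy: permitted (approved app store, approved publisher, or an update to
already-approved software), prohibited (unknown publisher or denylisted name),
or needs-approval (not covered by policy). Every record below is sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    publisher: str    # "" when the installer was unsigned / publisher unknown
    source: str       # org app store, vendor update, manual download, ...
    installed_by: str


# Constructed policy: assumes the organization maintains these four lists.
POLICY = {
    "approved_sources": {"org-app-store", "vendor-update"},
    "approved_publishers": {"Example Corp", "Trusted Vendor Inc"},
    "approved_software": {"office-suite", "pdf-reader", "vpn-client"},
    "prohibited_software": {"torrent-client", "remote-admin-toolkit"},
}


def classify(pkg, policy):
    """Return (verdict, reason) for one package under the policy."""
    if pkg.name in policy["prohibited_software"]:
        return "prohibited", "on the prohibited-software list"
    if not pkg.publisher:
        return "prohibited", "publisher unknown (unsigned installer)"
    if pkg.source in policy["approved_sources"]:
        # Updates and patches are only permitted for software already approved.
        if pkg.source == "vendor-update" and pkg.name not in policy["approved_software"]:
            return "needs-approval", "update to software that was never approved"
        return "permitted", f"installed from approved source {pkg.source}"
    if pkg.publisher in policy["approved_publishers"] and pkg.name in policy["approved_software"]:
        return "permitted", "approved software from an approved publisher"
    return "needs-approval", "not covered by policy; requires explicit approval"


def new_installs(baseline, current):
    """Packages present now but absent from the baseline (a new version counts)."""
    seen = {(p.name, p.version) for p in baseline}
    return [p for p in current if (p.name, p.version) not in seen]


def review(baseline, current, policy=POLICY):
    """Monitoring step: one (name, installer, verdict, reason) tuple per new install."""
    return [(p.name, p.installed_by) + classify(p, policy)
            for p in new_installs(baseline, current)]


# Constructed inventories: what IT deployed, and what the endpoint reports now.
BASELINE = [
    Package("office-suite", "1.0", "Example Corp", "org-app-store", "it-admin"),
    Package("vpn-client", "3.2", "Trusted Vendor Inc", "org-app-store", "it-admin"),
]
CURRENT = BASELINE + [
    Package("office-suite", "1.1", "Example Corp", "vendor-update", "system"),  # patch
    Package("photo-tool", "2.0", "", "download", "jsmith"),                     # unsigned
    Package("torrent-client", "5.0", "Some Dev", "download", "jsmith"),         # denylisted
    Package("note-app", "0.9", "Trusted Vendor Inc", "download", "jsmith"),     # unapproved
]

if __name__ == "__main__":
    for name, who, verdict, reason in review(BASELINE, CURRENT):
        print(f"{verdict:14} {name:16} installed by {who}: {reason}")
```

Run against the sample data, the patch to the approved office suite is permitted, the unsigned tool and the denylisted client are prohibited, and the note-taking app from a trusted publisher still needs approval because the software itself was never on the approved list. The baseline diff is the part that makes the check a monitor rather than a one-off audit: scheduling it after each inventory collection gives the evidence CM.2.063.[c] asks for.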
N/A
CIS Controls v7.1 2.1, 2.2, 2.6
NIST SP 800-53 Rev 4 CM-11
NIST SP 800-171 Rev 1 3.4.9
NIST CSF v1.1 DE.CM-3
CERT RMM v1.2 MON:SG2.SP3
CM.2.063.[a] a policy for controlling the installation of software by users is established;
CM.2.063.[b] installation of software by users is controlled based on the established policy; and
CM.2.063.[c] installation of software by users is monitored.