Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

cm-11

user-installed software

assessment objective:

Determine if the organization:

cm-11(a)

cm-11(a)[1]

defines policies to govern the installation of software by users;

cm-11(a)[2]

establishes organization-defined policies governing the installation of software by users;

cm-11(b)

cm-11(b)[1]

defines methods to enforce software installation policies;

cm-11(b)[2]

enforces software installation policies through organization-defined methods;

cm-11(c)

cm-11(c)[1]

defines frequency to monitor policy compliance; and

cm-11(c)[2]

monitors policy compliance at organization-defined frequency.

potential assessment methods and objects:

Examine: [select from: Configuration management policy; procedures addressing user installed software; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; list of rules governing user installed software; information system monitoring records; information system audit records; other relevant documents or records; continuous monitoring strategy].

Interview: [select from: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the information system; organizational personnel monitoring compliance with user-installed software policy; organizational personnel with information security responsibilities; system/network administrators].

Test: [SELECT FROM: Organizational processes governing user-installed software on the information system; automated mechanisms enforcing rules/methods for governing the installation of software by users; automated mechanisms monitoring policy compliance].