Control: The organisation:
C. Monitors policy compliance at [Assignment: organisation-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organisational information systems. To maintain control over the types of software installed, organisations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organisation-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organisations consider potentially malicious. The policies organisations select governing user-installed software may be organisation-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organisational information systems), or both.
Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
User-Installed Software Control Enhancements:
CM-11 (1) User-Installed Software - Alerts for Unauthorised Installations
The information system alerts [Assignment: organisation-defined personnel or roles] when the unauthorised installation of software is detected.
Supplemental Guidance: Related controls: CA-7, SI-4.
CM-11 (2) User-Installed Software - Prohibit Installation without Privileged Status
The information system prohibits user installation of software without explicit privileged status.
Supplemental Guidance: Privileged status can be obtained, for example, by serving in the role of system administrator.
Related control: AC-6.