
Expert Advice Community

A.9.4.4 Use of Privileged Utility Programs

Guest user. Created: Apr 21, 2020. Last commented: Mar 15, 2023

A.9.4.4 Use of Privileged Utility Programs. Audit question: Have you documented how your organization restricts and monitors the use of utilities on systems that may be able to bypass system and application protection measures? Can you please explain this point? Does it mean that the organization needs to keep a check on the limited number of privileged rights?

Expert
Rhand Leal Apr 21, 2020

First, it is important to note that control A.9.4.4 does not require documentation on how restriction and monitoring of the use of privileged utility programs are performed.

However, regardless of whether or not you have documentation on how to proceed, you have to find evidence of this restriction and of how the control is performed.

Considering that, you need to keep a check on the use of these programs, and some evidence you should consider is:

  • List of applications allowed to be used
  • Records of authorizations for software usage
  • Logging of all use of utility programs
Guest
Yen Nguyen Nov 02, 2020

Hi Rhand, how do we restrict and monitor users from downloading or installing applications that aren't approved? We can provide users with the list of applications and inform them that only new applications approved by the CTO prior to downloading are allowed.

Expert
Rhand Leal Nov 03, 2020

Some solutions to restrict software download or installation you can apply are:

  • Configure workstations so users do not have access rights to install software
  • Configure firewall rules so specific files (e.g., the name of the file related to the non-allowed application), or specific types of files (e.g., executable files, zip files, etc.), cannot be downloaded

Some solutions to monitor such activities are to configure logging both on workstations and on the firewall, and to periodically review such logs to identify policy breaches.

Of course, each solution has its pros and cons in terms of cost and effort, so you need to evaluate which solutions would be best for your organization.

Guest
Kamande John Jun 02, 2022

Thanks @Rhand Leal for the insights on this control. This is my approach in regard to compliance:

1. Documentation of a policy highlighting company-approved privileged utility programs for the various categories of staff, i.e. Security Team, Database Admins, Network Admins, etc.

2. Documentation of a procedure on how to request access to run a privileged utility program, approval levels, and access window [time period].

3. Enforcement of the control: running an application discovery tool on the network and uninstalling all illegally installed programs, restricting the running of such tools via device control modules in endpoint security tools (Bitdefender) and/or via Active Directory. In addition, restricting these programs at network level by using SOAR tools such as Darktrace.

Expert
Rhand Leal Jun 03, 2022

Your approach sounds good. To ensure it is compliant with ISO 27001, besides the evidence mentioned in the previous answer, also consider:

  • evidence of approval of the policy and the procedure by the responsible person
  • evidence that the tools are implemented and working (e.g., activity logs)
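Putting the evidence Rhand lists (a list of approved utilities, records of authorizations, logs of every use) and the time-windowed approval procedure from the post above into the periodic log review mentioned in the Nov 03, 2020 reply: the script below is an added example, not code from this thread or from Advisera. It checks constructed process-creation log lines against a constructed approved list, staff categories and approval records, and reports every privileged utility execution it cannot match to an approval. The one-line log format, the utility names, the staff categories and the account names are all assumptions; real Windows Security 4688 events carry more fields and would be read from the event log or a SIEM rather than from a string.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Programs the organization classifies as privileged utility programs, i.e. programs
# able to change or bypass system/application protections. Constructed list.
PRIVILEGED_UTILITIES = {"psexec.exe", "sqlcmd.exe", "netsh.exe", "diskpart.exe"}

# Approved-use list per staff category (constructed). A privileged utility that is
# missing here is classified as privileged but approved for nobody.
APPROVED_FOR_ROLE = {
    "psexec.exe": {"security_team"},
    "sqlcmd.exe": {"database_admins"},
    "netsh.exe": {"network_admins", "security_team"},
}

# Account -> staff category (constructed).
USER_ROLES = {"alice": "security_team", "bob": "database_admins", "carol": "finance"}


@dataclass(frozen=True)
class Authorization:
    """One approved access request: who may run which utility, during which window."""
    user: str
    utility: str
    start: datetime
    end: datetime


# Approval records produced by the access request procedure (constructed).
AUTHORIZATIONS = [
    Authorization("alice", "psexec.exe", datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 12, 0)),
    Authorization("bob", "sqlcmd.exe", datetime(2023, 3, 1, 14, 0), datetime(2023, 3, 1, 16, 0)),
]


@dataclass(frozen=True)
class Finding:
    """A privileged utility execution the review could not match to an approval."""
    timestamp: datetime
    user: str
    utility: str
    reason: str


# Simplified process-creation records: "<ISO timestamp> 4688 <account> <process path>".
# Constructed sample, loosely modelled on Windows Security event 4688.
SAMPLE_LOG = """\
2023-03-01T09:15:00 4688 alice C:\\Tools\\PsExec.exe
2023-03-01T13:05:00 4688 alice C:\\Tools\\PsExec.exe
2023-03-01T14:30:00 4688 bob C:\\Program Files\\SQL\\sqlcmd.exe
2023-03-01T15:00:00 4688 carol C:\\Windows\\System32\\netsh.exe
2023-03-01T15:10:00 4688 carol C:\\Users\\carol\\Downloads\\diskpart.exe
2023-03-01T15:20:00 4688 carol C:\\Program Files\\Office\\winword.exe
"""

LOG_LINE = re.compile(r"^(\S+)\s+4688\s+(\S+)\s+(.+?)\s*$")


def parse_line(line):
    """Return (timestamp, account, utility basename) for a 4688 line, else None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    timestamp = datetime.fromisoformat(match.group(1))
    # Compare on the lower-cased file name so path and case differences do not hide a tool.
    utility = re.split(r"[\\/]", match.group(3))[-1].lower()
    return timestamp, match.group(2).lower(), utility


def is_authorized(user, utility, timestamp, authorizations):
    """True if an approval record covers this user, this utility and this moment."""
    return any(
        a.user == user and a.utility == utility and a.start <= timestamp <= a.end
        for a in authorizations
    )


def review_log(text, authorizations=AUTHORIZATIONS):
    """Check every privileged utility execution in the log against the approved list,
    the user's staff category and the approval records; return the unmatched ones."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, user, utility = parsed
        if utility not in PRIVILEGED_UTILITIES:
            continue  # ordinary application: outside the scope of this control
        allowed_roles = APPROVED_FOR_ROLE.get(utility, set())
        if not allowed_roles:
            reason = "utility not on the approved list"
        elif USER_ROLES.get(user) not in allowed_roles:
            reason = "user's staff category not approved for this utility"
        elif not is_authorized(user, utility, timestamp, authorizations):
            reason = "no approval record covering this time"
        else:
            continue  # approved utility, approved category, inside an approved window
        findings.append(Finding(timestamp, user, utility, reason))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.user} {f.utility}: {f.reason}")
```

Run against the sample, the review reports three executions: alice running PsExec at 13:05 outside her approved 09:00 to 12:00 window, carol (finance) running netsh, which is approved only for network and security staff, and carol running diskpart, which is classified as privileged but approved for nobody. The ordinary Word process is ignored. The three data sets the script reads (approved list, staff categories, approval records) are exactly the evidence an auditor asks for under this control, so keeping them in reviewable files rather than in people's heads makes both the review and the audit straightforward.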
Guest
Jerome Mar 10, 2023

Hi Rhand, I sometimes find it difficult to define, and therefore to explain, the perimeter of "Privileged Utility Programs". Can you help on this point? ("What is well understood is clearly stated, and the words to say it come easily" R.D.)

Expert
Rhand Leal Mar 15, 2023

If I understood you correctly, the perimeter of "Privileged Utility Programs" refers to where, or in which situations, you can use "Privileged Utility Programs" (programs that can change or bypass security features).

An example would be the use of Windows Update only in IT labs (where) during the hardening process (situation). This restriction will prevent regular users from installing patches not homologated by the organization on their machines.
