iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-8.18-Use-of-privileged-utility-programs.md

8.18 Use of privileged utility programs

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security #Secure_configuration #Application_security | #Protection |

Control

The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

Purpose

To ensure the use of utility programs does not harm system and application controls for information security.

Guidance

The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered:

a) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see 8.2);

b) use of identification, authentication and authorization procedures for utility programs, including unique identification of the person who uses the utility program;

c) defining and documenting of authorization levels for utility programs;

d) authorization for ad hoc use of utility programs;

e) not making utility programs available to users who have access to applications on systems where segregation of duties is required;

f) removing or disabling all unnecessary utility programs;

g) at a minimum, logical segregation of utility programs from application software. Where practical, segregating network communications for such programs from application traffic;

h) limitation of the availability of utility programs (e.g. for the duration of an authorized change);

i) logging of all use of utility programs.
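The authorization logic implied by items a), b), d), e), h) and i) can be expressed as a small reference monitor that a wrapper or privileged-access tool consults before launching a utility. The code below is an added illustration, not part of ISO/IEC 27002; the policy data (users, utility names, change ticket id and time window) is constructed for the example.

```python
"""Authorization gate for privileged utility programs (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class UtilityPolicy:
    # a) standing authorization: the minimum set of trusted users per utility
    standing: dict[str, set[str]]
    # d)/h) ad hoc grants tied to a change: (user, utility) -> (ticket, start, end)
    ad_hoc: dict[tuple[str, str], tuple[str, datetime, datetime]]
    # e) users with application access where segregation of duties applies
    application_users: set[str]
    # i) every decision, allowed or denied, is recorded
    audit_log: list[dict] = field(default_factory=list)

    def authorize(self, user: str, utility: str, now: datetime) -> bool:
        """Decide whether `user` may run `utility` at `now`; always logs."""
        allowed, reason = False, "denied: no authorization on record"
        if user in self.application_users:
            # segregation of duties overrides any standing or ad hoc grant
            reason = "denied: segregation of duties (application user)"
        elif user in self.standing.get(utility, set()):
            allowed, reason = True, "allowed: standing authorization"
        else:
            grant = self.ad_hoc.get((user, utility))
            if grant is not None:
                ticket, start, end = grant
                if start <= now <= end:
                    allowed, reason = True, f"allowed: ad hoc grant for {ticket}"
                else:
                    reason = f"denied: grant for {ticket} outside its window"
        # b) the record names the individual, not a shared role
        self.audit_log.append({"time": now.isoformat(), "user": user,
                               "utility": utility, "allowed": allowed,
                               "reason": reason})
        return allowed


def sample_policy() -> UtilityPolicy:
    """Constructed policy data for demonstration only (hypothetical)."""
    utc = timezone.utc
    return UtilityPolicy(
        standing={"gdb": {"alice", "carol"}},
        ad_hoc={("bob", "tcpdump"): ("CHG-0042",
                                     datetime(2024, 5, 1, 9, 0, tzinfo=utc),
                                     datetime(2024, 5, 1, 11, 0, tzinfo=utc))},
        application_users={"carol"},
    )
```

In a deployment the `authorize` call would sit in front of the actual launch of the utility, and the audit log would be forwarded to central logging rather than kept in memory.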

Other information

Most information systems have one or more utility programs that can be capable of overriding system and application controls, for example diagnostics, patching, antivirus, disk defragmenters, debuggers, backup and network tools.