ISO 27001:2022 A 8.18 Use of privileged utility programs

Uncategorized 5 Minutes

This control establishes guidelines that govern the use of any utility program that has the potential to override business critical system and application controls. The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. None out of the organization shall be sharing any sort of confidential details. Use of utility programs (an application that performs computer management tasks such as virus protection, password management, file compression, etc.),or other software that might be capable of overriding system and application controls or altering system configurations must be restricted. Management approval is required prior to the installation or use of any ad hoc or third-party system utilities. A utility program is any piece of software that is designed to analyse or maintain a computer system or network. Examples of utility programs include:

  • Diagnostic tools
  • Patching assistants
  • Antivirus programs
  • Disk defragmenters
  • Backup software
  • Networking tools

Utility programs are essential to the smooth running of any given LAN or WAN, and help network administrators to improve up time and increase resilience across a broad range of commercial functions. Given their intrusive nature, utility programs also have the potential to cause a significant amount of damage on a given network, unless their use is properly monitored.The Internet is bombarded with different utility programs, all seeking to help you stay organised. Yet many of these software programs are viruses and malware that hacker’s prey on to get into your system and even target your antivirus software and before you know it, they have access to confidential files. ISO 27001 warns against downloading random utility programs to your system. Those you used must be verified by competent staff and checked for any possible spyware, malware or insecure code. If the program is required, then only a small group of personnel should have privileged access rights to the software and its use monitored.

Control

The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

Purpose

To ensure the use of utility programs does not harm system and application controls for information security.

ISO 27002 Implementation Guidance

The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered:

  1. limitation of the use of utility programs to the minimum practical number of trusted, authorized users ;
  2. use of identification, authentication and authorization procedures for utility programs, including unique identification of the person who uses the utility program;
  3. defining and documenting of authorization levels for utility programs;
  4. authorization for ad hoc use of utility programs;
  5. not making utility programs available to users who have access to applications on systems where segregation of duties is required;
  6. removing or disabling all unnecessary utility programs;
  7. at a minimum, logical segregation of utility programs from application software. Where practical, segregating network communications for such programs from application traffic;
  8. limitation of the availability of utility programs (e.g. for the duration of an authorized change);
  9. logging of all use of utility programs.

Other information

Most information systems have one or more utility programs that can be capable of overriding system and application controls, for example diagnostics, patching, antivirus, disk defragmenters, debuggers, backup and network tools.

Utility computer programmes that might be capable of overriding system and application controls need to be carefully managed.

Powerful system and network utility programs can create an attractive target for malicious attackers and access to them must be restricted to the smallest number of people. As such utility programs can be easily located and downloaded from the internet it is also important that users are restricted in their ability to install any software as much as possible weighed against business requirements and risk assessment. Use of utility programs should be logged and monitored/reviewed periodically to satisfy auditor requests. In order to maintain network integrity and bolster business continuity, organisations should:

  1. Restrict the use of utility programs to employees and IT maintenance staff who specifically require them to carry out their job role.
  2. Ensure that all utility programs are identified, authenticated and authorised in line with business requirements, and management are able to gain a top down view of their use at any given time.
  3. Identify all personnel who use utility programs, either as part of their daily duties, or on an ad-hoc basis.
  4. Implement adequate authorisation controls for any employee who needs to use utility programs, either as part of their daily duties, or on an ad-hoc basis.
  5. Prevent the use of utility programs on any system where the organisation has deemed it necessary to segregate duties.
  6. Periodically review the use of utility programs, and either remove or disable any programs as the organisation requires.
  7. Partition utility programs are distinct from standard applications that the business uses on a regular basis, including network traffic.
  8. Restrict the availability of utility programs, and only use them for express purposes

A utility program is usually smaller than a standard application and refers to a program that is responsible for managing system resources and adding functionality to your computer. This can include screen savers, icon tools and other desktop enhancement features. A privileges utility program is an application that requires elevated (administrative) privileges to perform the specific task. This can include endpoint security tools, such as anti-virus software, software updates, device/process managers, disk encryption and software firewalls. Allowing employees access to privileged utilities from their standard user account introduces security risks into the network. This allows malware to cause much more damage as it can run with the privileges of the utility program. Therefore, it is advised to ensure that administrative accounts are not utilized to conduct daily business functions such as sending e-mails and browsing the web. These accounts must only be utilized when conducting tasks that require admin privileges. Equally, standard users should not be given administrative rights over specific utilities/programs. If a standard user account is used and a privileged utility program is executed, it will prompt the User Access Control (UAC) and administrative credentials will need to be entered. Access to privileged utility programs should be heavily restricted to employees except those who require it to perform their daily tasks. If the user requests access to a privileged utility, justification should be provided, and it should be reviewed by a person with authority within the organisation. Additionally, it is advised to identify and disable all unnecessary utility programs on the machines as well as monitor and review the event logs on a regular basis in order to identify any suspicious behavior or mis-assignment of correct account privileges within the organisation.

The organization must restrict access to privileged utility programs and control utility program access to systems and applications, by controlling access to the privileged account credentials stored securely in the digital vault. Access can be restricted to a certain time period and can be disabled when not in use. “Dual Control” can specify that access to highly sensitive credentials requires confirmation by one or more authorized users. As well, administrators can be granted authorized access to resources but never see the privileged account password in clear text. Many utility programs involve the use of service accounts; services such as back-up or vulnerability scanning require privileged access to systems. To perform their designated tasks such as retrieve, process, transmit and store sensitive data, these programs require high levels of access to running processes. Service accounts are difficult to secure since the credentials are typically hard-coded and in clear text within the programs. The solution must eliminate hard-coded passwords from utility programs and uses an advanced means to authenticate the programs that are requesting credentials. Access to be granted only to trusted programs, with no impact to performance or downtime. The solution must provide a tamper-proof audit record to track all privileged account access to utility programs and all utility program service account access to systems.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply