Operational software can broadly be described as any software that the business actively uses to conduct its operations, as distinct from test software or development projects. It is vitally important that software is installed and managed on a given network in accordance with a strict set of rules and requirements that minimize risk, improve efficiency and maintain security across internal and external networks and services.
Control
Procedures and measures should be implemented to securely manage software installation on operational systems.
Purpose
To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.
ISO 27002 Implementation Guidance
The following guidelines should be considered to securely manage changes and installation of software on operational systems:
a) performing updates of operational software only by trained administrators upon appropriate management authorization;
b) ensuring that only approved executable code, and no development code or compilers, is installed on operational systems;
c) only installing and updating software after extensive and successful testing;
d) updating all corresponding program source libraries;
e) using a configuration control system to keep control of all operational software as well as the system documentation;
f) defining a rollback strategy before changes are implemented;
g) maintaining an audit log of all updates to operational software;
h) archiving old versions of software, together with all required information and parameters, procedures, configuration details and supporting software as a contingency measure, and for as long as the software is required to read or process archived data.
Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release (e.g. the introduction of new information security functionality, or the number and severity of information security vulnerabilities affecting the current version). Software patches should be applied when they can help to remove or reduce information security vulnerabilities.

Computer software can rely on externally supplied software and packages (e.g. programs using modules hosted on external sites). These dependencies should be monitored and controlled to avoid unauthorized changes, because such changes can introduce information security vulnerabilities.

Vendor-supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions, and the organization should consider the risks of relying on unsupported software. Open source software used in operational systems should be maintained at the latest appropriate release. Over time, open source code can cease to be maintained while still being available in an open source repository; the organization should likewise consider the risks of relying on unmaintained open source software in operational systems.

When suppliers are involved in installing or updating software, physical or logical access should only be given when necessary and with appropriate authorization, and the supplier's activities should be monitored.

The organization should define and enforce strict rules on which types of software users can install, applying the principle of least privilege to software installation on operational systems. It should identify what types of installation are permitted (e.g. updates and security patches to existing software) and what types are prohibited (e.g. software that is only for personal use, and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted based on the roles of the users concerned.
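The guidance above says externally supplied modules should be "monitored and controlled to avoid unauthorized changes". One concrete way to do that is to record a hash of every approved module at approval time and re-verify the installed set against that record, so a silently re-published package, a removed package or an extra package that nobody approved is detected. The following is an added example written for this page, not code from ISO 27002 or from any vendor tool; the module file names, the flat directory layout and the sample contents are constructed for illustration.

```python
"""Verify externally supplied modules against a pinned, approved manifest.

Added example for this page. The manifest layout (file name -> sha256) and the
module directory are assumptions chosen for illustration, not a real tool.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large packages do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(module_dir: Path) -> dict:
    """Record the hash of every approved module. Run once, after testing,
    and keep the result under configuration control."""
    return {p.name: sha256_file(p) for p in sorted(module_dir.iterdir()) if p.is_file()}


def verify_modules(module_dir: Path, manifest: dict) -> dict:
    """Compare what is on disk with the approved manifest.

    Returns four lists: modules that match, modules whose content changed,
    approved modules that are missing, and files present that were never approved.
    """
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    on_disk = {p.name: p for p in module_dir.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        if name not in on_disk:
            report["missing"].append(name)
        elif sha256_file(on_disk[name]) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unlisted"] = sorted(set(on_disk) - set(manifest))
    return report


def demo() -> dict:
    """Build an approved set, then simulate drift and verify against it."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "modules"
        mods.mkdir()
        # Constructed sample modules standing in for vendor / open source packages.
        (mods / "libparse-2.1.0.tar.gz").write_bytes(b"parse v2.1.0 approved build")
        (mods / "authplugin-0.9.4.whl").write_bytes(b"authplugin 0.9.4 approved build")
        (mods / "reportgen-3.0.1.zip").write_bytes(b"reportgen 3.0.1 approved build")
        manifest = build_manifest(mods)

        # Drift introduced after approval: a package re-published under the same
        # version with different content, a removed package, and an extra
        # package that was never approved.
        (mods / "authplugin-0.9.4.whl").write_bytes(b"authplugin 0.9.4 REPUBLISHED")
        (mods / "reportgen-3.0.1.zip").unlink()
        (mods / "devtool-1.0.0.tar.gz").write_bytes(b"unapproved dev tool")
        return verify_modules(mods, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

The point of hashing rather than checking version strings is that a package re-published under the same version number is exactly the case a version check misses; the "unlisted" list is what catches development tooling or compilers that have crept onto an operational system.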
In order to securely manage change and installations on their network, organisations should:
- Ensure that software updates are only carried out by trained and competent personnel.
- Only install approved executable code that has passed testing and safely exited the development stage; development code and compilers do not belong on operational systems.
- Only install and/or update software after said update or patch has been successfully tested, and the organisation is confident that no conflicts or errors will ensue.
- Keep the corresponding program source libraries up to date, so that the source held under configuration control matches what is actually running.
- Utilise a ‘configuration control system’ that manages all instances of operational software, including program documentation.
- Agree upon a ‘rollback strategy’ prior to any updates or installations, to ensure business continuity in the event of an unforeseen error or conflict.
- Keep a log of any updates performed to operational software, including a summary of the update, the personnel involved and a timestamp.
- Ensure that superseded versions of software – together with all documentation, configuration files, system logs and supporting procedures – are securely archived for as long as they may be needed, for example to read or process data created under that version.
- Enforce a strict set of rules on the types of software packages that users can install, based on the principle of least privilege and in accordance with their roles and responsibilities.
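The steps above (trained operators, tested code, configuration control, an agreed rollback strategy, an audit log of every update and an archive of previous versions) can be exercised together in a small deployment harness. The following is an added example written for this page, not code from ISO 27002 or from any deployment product; the release directory layout, the `current` pointer file, the health check, the operator name and the file contents are assumptions chosen for illustration.

```python
"""Controlled update of an operational application with archive, audit log and rollback.

Added example for this page. Layout, pointer file and health check are assumptions:
    <root>/releases/<version>/   immutable archive of every build ever installed
    <root>/current               names the active release (swapped atomically)
    <root>/audit.log             append-only JSON lines: who, when, what
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


class Deployer:
    def __init__(self, root: Path, operator: str):
        self.root = root
        self.releases = root / "releases"
        self.pointer = root / "current"
        self.audit_log = root / "audit.log"
        self.operator = operator          # the authorised administrator making the change
        self.releases.mkdir(parents=True, exist_ok=True)

    def current_version(self):
        return self.pointer.read_text().strip() if self.pointer.exists() else None

    def _log(self, action: str, version, summary: str) -> None:
        """Append one audit record: timestamp, operator, action, version, summary."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "operator": self.operator,
                 "action": action, "version": version, "summary": summary}
        with self.audit_log.open("a") as f:
            f.write(json.dumps(entry) + "\n")

    def _switch(self, version: str) -> None:
        # Write a temp file and rename it over the pointer, so the system never
        # observes a half-written "current" even if interrupted mid-update.
        tmp = self.pointer.with_suffix(".tmp")
        tmp.write_text(version + "\n")
        os.replace(tmp, self.pointer)

    def stage(self, version: str, files: dict) -> None:
        """Copy an approved build into the archive without activating it.
        Archived releases are never overwritten: they are the rollback targets."""
        dest = self.releases / version
        if dest.exists():
            raise FileExistsError(f"release {version} already archived; releases are immutable")
        dest.mkdir()
        for name, content in files.items():
            (dest / name).write_text(content)
        self._log("stage", version, f"archived {len(files)} file(s)")

    def activate(self, version: str, health_check) -> bool:
        """Switch to a staged release; roll back if the post-install test fails."""
        previous = self.current_version()
        self._switch(version)
        self._log("activate", version, f"switched from {previous}")
        if health_check(self.releases / version):
            return True
        # Rollback strategy agreed before the change: the previous release is
        # still intact in the archive, so switching back is a pointer swap.
        if previous is not None:
            self._switch(previous)
        else:
            self.pointer.unlink()
        self._log("rollback", previous, f"health check failed for {version}")
        return False

    def audit_entries(self) -> list:
        return [json.loads(line) for line in self.audit_log.read_text().splitlines()]


def health_check(release_dir: Path) -> bool:
    """Post-install test for the constructed app: the release must ship a config
    that names a database. Real checks would probe the running service."""
    cfg = release_dir / "config.ini"
    return cfg.exists() and "db=" in cfg.read_text()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        d = Deployer(Path(tmp), operator="admin.jsmith")          # constructed operator
        d.stage("1.0.0", {"app.py": "print('v1')", "config.ini": "db=prod\n"})
        first_ok = d.activate("1.0.0", health_check)
        # Constructed faulty build: the packaging step dropped config.ini.
        d.stage("1.1.0", {"app.py": "print('v1.1')"})
        second_ok = d.activate("1.1.0", health_check)
        return {"first_ok": first_ok, "second_ok": second_ok,
                "active": d.current_version(),
                "actions": [e["action"] for e in d.audit_entries()]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices carry the control: releases are staged into an archive that is never overwritten, which is what makes rollback a cheap pointer swap rather than a re-install, and every state change (stage, activate, rollback) is written to the log before the next step proceeds, so the log answers "who changed what, when" even when the update failed.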
Where vendor-supplied software is concerned (e.g. software used in the operation of machinery or for a bespoke business function), such software should always be kept in good working order by following the vendor's guidelines for safe and secure operation. Even where software or software modules are externally supplied and managed (i.e. the organisation is not responsible for applying updates), steps should be taken to ensure that third-party updates do not compromise the integrity of the organisation's network. Organisations should avoid using unsupported vendor software unless absolutely necessary, and should weigh the security risks of continuing to run obsolete applications against an upgrade to newer, supported versions. If a vendor requires access to an organisation's network to perform an installation or update, that activity should be monitored and validated in line with all relevant authorisation procedures.
In summary, organisations should establish and maintain documented procedures for installing software on operational systems. Installations should be performed only by qualified, trained administrators, using approved and tested executable code, under a configuration control system and with a rollback strategy agreed before the update. Audit logs of updates, and the previous versions of updated software, should be retained. Third parties that require access to perform software updates should be monitored, and their access removed once the update has been installed and tested.
Software should be upgraded, installed and/or patched in accordance with the organisation's published change management procedures, to ensure consistency with other areas of the business. Whenever a patch is identified that eliminates a vulnerability (or series of vulnerabilities), or otherwise improves the organisation's information security posture, it should almost always be applied, although each change still needs to be assessed on a case-by-case basis. Where open source software is used, it should be kept at the latest appropriate release that is actively maintained, and organisations should consider the inherent risks of using unmaintained software within any business function.
As a basic principle, the recommended best practice is that software is installed only by authorised personnel (usually IT staff). This can be enforced through the information security policy or other rules established in the organisation, although that approach relies on each employee applying the rules. To verify compliance, the organisation can make periodic checks of the software installed on the equipment of an employee selected at random.

Another way to enforce the principle is to limit user privileges to the minimum needed. This will not always be possible, because some roles need administrator privileges on the systems they manage. Those privileges must also be reviewed periodically, since an employee can change area, department, etc., which may mean that new privileges have to be enabled and others disabled.

The organisation should also establish a rule that software installed on corporate equipment is for professional use only: all software consumes resources, and all software is exposed to threats, so non-professional software in the organisation unnecessarily increases risk. For the installation of new software, the following controls may be established:
- Employees may not download software from the Internet, or bring software from home, without authorisation.
- When an employee identifies a need for a particular piece of software, a request is sent to the IT department. The request is retained as a record and as evidence.
- The IT department determines whether the organisation already holds a licence for the requested software.
- If a licence is available, the IT department notifies the employee and installs the software on the computer of the user who requested it.
- If no licence is available, a responsible party assesses whether the requested software is genuinely necessary for the employee's duties. Where the software costs money, the financial feasibility of the purchase must also be analysed.
- If the software costs money, an analysis should be made of whether a similar tool exists on the market that is cheaper or even free (the Total Cost of Ownership must be calculated).
- Top management should participate in the decision to acquire new software.
- Once the decision has been made, the IT department adds the software to its inventory and installs it.
The IT department can define a repository, for internal use only, that stores the corporate, approved versions of all applications used by the organisation. This repository should be accessible only to authorised personnel, and only from the organisation's internal network, which makes installing software on employees' equipment easier and keeps a single trusted source for every installation.

It is also important to identify all software that is installed inside the organisation. For this purpose, discovery tools can be used that analyse, over the internal network, what software is installed on each computer. These tools make it possible to check whether someone has installed software in an uncontrolled way, i.e. without opening a request in accordance with the established rules.
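The last step, reconciling what discovery tools report against the approved inventory, is where the role-based rules from earlier in the page (compilers allowed on a development workstation but not on a server, personal software allowed nowhere) become something that can actually be checked, and it is the same check a periodic random audit of an employee's machine would perform. The following is an added example written for this page, not output from any real discovery tool; the tab-separated discovery format, the host names, the host-to-role mapping and the approved inventory are all constructed for illustration.

```python
"""Reconcile discovered software against an approved, role-based inventory.

Added example for this page. The discovery format (host<TAB>package<TAB>version),
the hosts, roles and inventory below are constructed, not real data.
"""

# Constructed approved inventory: for each package, the tested versions and the
# host roles on which it is permitted (cf. "no compilers on operational systems").
APPROVED = {
    "openssh-server": {"versions": {"9.6"}, "roles": {"server", "workstation", "dev-workstation"}},
    "nginx":          {"versions": {"1.24.0", "1.26.1"}, "roles": {"server"}},
    "libreoffice":    {"versions": {"7.6"}, "roles": {"workstation"}},
    "gcc":            {"versions": {"13.2"}, "roles": {"dev-workstation"}},
}

# Constructed asset register: which role each host plays.
HOST_ROLES = {
    "web01": "server",
    "ws-finance-03": "workstation",
    "dev-lab-07": "dev-workstation",
}

# Constructed discovery output, as a network inventory tool might export it.
DISCOVERY = """\
# host\tpackage\tversion
web01\topenssh-server\t9.6
web01\tnginx\t1.26.1
web01\tgcc\t13.2
ws-finance-03\topenssh-server\t9.6
ws-finance-03\tlibreoffice\t7.4
ws-finance-03\tspotify\t1.2.3
dev-lab-07\tgcc\t13.2
dev-lab-07\topenssh-server\t9.6
lab-tmp-01\topenssh-server\t9.6
"""


def parse_discovery(text: str) -> list:
    """Parse discovery lines into (host, package, version) tuples.
    Blank lines and '#' comments are skipped; malformed lines are an error,
    because silently dropping them would hide hosts from the audit."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected host<TAB>package<TAB>version")
        records.append(tuple(p.strip() for p in parts))
    return records


def reconcile(discovery_text: str, approved: dict, host_roles: dict) -> list:
    """Return one finding per installed package that violates the rules.

    Checks run from most to least serious: an unknown host is a gap in the asset
    register, then unknown software, then software not permitted for the host's
    role, and finally a version that was never approved and tested.
    """
    findings = []
    for host, pkg, ver in parse_discovery(discovery_text):
        role = host_roles.get(host)
        if role is None:
            finding = "host not in asset register"
        elif pkg not in approved:
            finding = "software not in approved inventory"
        elif role not in approved[pkg]["roles"]:
            finding = f"not permitted on role '{role}'"
        elif ver not in approved[pkg]["versions"]:
            finding = "unapproved version"
        else:
            continue
        findings.append({"host": host, "package": pkg, "version": ver, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in reconcile(DISCOVERY, APPROVED, HOST_ROLES):
        print(f"{f['host']:14s} {f['package']:15s} {f['version']:7s} {f['finding']}")
```

Each finding maps back to a control on this page: the compiler on `web01` is guideline (b), the LibreOffice version on `ws-finance-03` is a version that never went through testing, the music client is personal software installed without a request, and `lab-tmp-01` is a host the asset register does not know about, which is the finding most worth chasing first.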