Safeguard 2.5: Allowlist Authorized Software
Implementation Groups: IG2, IG3

Asset Type: Applications
Security Function: Protect

Description

Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. The control is only effective as a default-deny policy: anything not explicitly listed is blocked, and the list is treated as an inventory that must be kept current. Reassess bi-annually (at least every six months), or more frequently.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Define access control requirements based on least privilege
7. Implement role-based access control (RBAC)
8. Configure an access review and recertification process
9. Monitor and audit privileged access usage
10. Establish a software authorization review process
11. Deploy application allowlisting technology
12. Maintain and update the authorized software list

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Execution of Weaponized Applications (Impact: Integrity)

Without application allowlisting, users can execute malicious binaries delivered via phishing, watering-hole attacks, or USB drops, leading to full system compromise.

Living-off-the-Land Binary (LOLBin) Abuse (Impact: Confidentiality)

Attackers abuse legitimate utilities that ship with the operating system, and are therefore present on every host and signed by the OS vendor, to download, decode, or execute malicious payloads while evading antivirus that only looks for known-malicious files. An allowlist that trusts everything signed by the OS vendor still permits this, so the policy must also carry explicit deny rules for utilities the organization has no business need to run.

Ransomware Payload Execution (Impact: Availability)

Ransomware executables delivered through email attachments or exploit kits run unrestricted on endpoints without allowlisting controls, encrypting critical business data.

Vulnerabilities (When Safeguard Absent)

No Technical Controls Preventing Unauthorized Software Execution

Without allowlisting, any executable binary can run on enterprise assets, meaning the only barriers to malicious code execution are user judgment and reactive, signature-based antivirus.

Overly Permissive Application Execution Policy

A default-allow execution model (block only what is already known to be bad) permits any other application to run, dramatically expanding the attack surface beyond what is necessary for business operations. Path-based allow rules that cover user-writable directories have the same effect, since an attacker can drop a binary into an allowed location.
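The following added example is written for this page and is not the CIS Controls' or any vendor's policy engine. It models the decisions the scenarios and vulnerabilities above turn on: an explicit deny overrides any allow, so a vendor-signed utility can still be blocked (the LOLBin case); an approved unsigned tool is pinned by hash, so a modified copy at the same path fails; an unknown download is blocked under default-deny but runs under the default-allow posture described above; and list entries not reviewed within six months are flagged for the reassessment the safeguard requires (checklist item 12). All paths, publisher names, file contents and dates are constructed sample data, and `scripthost.exe` is a hypothetical utility, not a real one.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None   # code-signing subject; None if unsigned


@dataclass
class Rule:
    kind: str                 # "hash", "publisher" or "path"
    value: str                # sha256 hex digest, signer name, or path glob
    action: str = "allow"     # "allow" or "deny"; an explicit deny always wins
    approved_on: date = date(2024, 6, 1)   # last review date (constructed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm_path(p: str) -> str:
    """Normalise separators and case so one glob matches either path style."""
    return p.replace("\\", "/").lower()


def rule_matches(rule: Rule, binary: Binary) -> bool:
    if rule.kind == "hash":
        return sha256_hex(binary.content) == rule.value.lower()
    if rule.kind == "publisher":
        return binary.publisher is not None and binary.publisher == rule.value
    if rule.kind == "path":
        return fnmatch.fnmatchcase(_norm_path(binary.path), _norm_path(rule.value))
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(binary: Binary, rules: List[Rule], default: str = "deny") -> Tuple[str, str]:
    """Return (decision, reason). Precedence: explicit deny > explicit allow > policy default."""
    matched = [r for r in rules if rule_matches(r, binary)]
    for r in matched:
        if r.action == "deny":
            return "deny", f"explicit deny ({r.kind}={r.value})"
    for r in matched:
        if r.action == "allow":
            return "allow", f"allow ({r.kind}={r.value})"
    return default, "no matching rule; policy default applied"


def stale_rules(rules: List[Rule], today: date, max_age_days: int = 182) -> List[Rule]:
    """Entries not reviewed inside the six-month reassessment window."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in rules if r.approved_on < cutoff]


# --- constructed sample policy and binaries (not real software) ---
APPROVED_TOOL = b"MZ\x90\x00 approved build of an unsigned internal tool"
RULES = [
    Rule("publisher", "Example Corp Code Signing"),       # assumed corporate signer
    Rule("publisher", "OS Vendor"),                       # assumed operating-system signer
    Rule("hash", sha256_hex(APPROVED_TOOL)),              # unsigned tool pinned by hash
    Rule("path", r"C:\Program Files\*", approved_on=date(2023, 3, 1)),  # not reviewed recently
    # LOLBin control: the OS signer is trusted, but this (hypothetical) utility
    # has no business use here, so it is blocked regardless of its signature.
    Rule("path", r"C:\Windows\System32\scripthost.exe", action="deny"),
]

SAMPLES: Dict[str, Binary] = {
    "signed_app":    Binary(r"C:\Users\alice\Downloads\setup.exe", b"MZ signed", "Example Corp Code Signing"),
    "approved_tool": Binary(r"C:\Tools\inv.exe", APPROVED_TOOL),
    "tampered_tool": Binary(r"C:\Tools\inv.exe", APPROVED_TOOL + b"\x90"),   # same path, modified bytes
    "phish_payload": Binary(r"C:\Users\alice\Downloads\invoice.pdf.exe", b"MZ evil"),  # unsigned, unknown
    "lolbin":        Binary(r"C:\Windows\System32\scripthost.exe", b"MZ os", "OS Vendor"),
}


def run_policy(default: str = "deny") -> Dict[str, str]:
    """Decision per sample under a default-deny or default-allow posture."""
    return {name: evaluate(b, RULES, default)[0] for name, b in SAMPLES.items()}


def review_report(today_iso: str) -> List[str]:
    """Rule values due for reassessment as of the given ISO date."""
    return [r.value for r in stale_rules(RULES, date.fromisoformat(today_iso))]


if __name__ == "__main__":
    for posture in ("deny", "allow"):
        print(f"default-{posture}: {run_policy(posture)}")
    print("due for review:", review_report("2024-09-01"))
```

Running it shows the same five binaries evaluated under both postures: under default-deny only the signed application, the hash-pinned tool and nothing else runs, while under default-allow the tampered copy and the unknown download run too; the hypothetical LOLBin is denied in both because the explicit deny rule is checked first. Real allowlisting products (AppLocker, WDAC, fapolicyd and others) apply the same precedence, and the review report is the kind of output the bi-annual reassessment should produce.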

Evidence Requirements

Type      | Evidence Item                                                                                          | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled (e.g., the deployed allowlist policy) | Captured quarterly
Document  | Procedure documentation for protection measures                                                        | Reviewed annually
Record    | Access review/recertification records with sign-off                                                    | Quarterly
Technical | Access control configuration evidence (RBAC settings, group memberships)                               | Reviewed quarterly
Document  | Governing policy document (current, approved, communicated)                                            | Reviewed annually