
Question

The ISO27001:2013 standard (and ISO27002:2013 guidance) requires that use of "utility programs" that might be capable of overriding system and application controls should be restricted and controlled (A.9.4.4).

I've looked, for example, at http://en.wikipedia.org/wiki/Utility_program for inspiration and am finding it difficult to decide what might be considered a "privileged utility program", as most could be "dual use", i.e. if used without privileges they would be safe (and useful!), but with elevated user privileges they could introduce risk.

- Is this intended to be a policy around setting access permissions for utilities?
- What policies do other organisations have in this area?

Explanation / Answer

Privileged utility programs are applications that require some level of system or administrative privilege to do their jobs.

A good example is an anti-virus application since this requires very low-level access to the system in order to detect certain types of virus.

As you say, not all of the functions of these applications may need privileged access but they will require it for some aspect of their operation.

In general, it is important that users should not have access to privileged functions from their normal user accounts. As soon as they do, it becomes much easier for malware to gain a foothold in a system. It is for this reason that you should not allow administrator accounts to have access to general office software such as email because it becomes trivial to gain access (as a recent audit I am aware of shows all too clearly!).
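The control the answer describes amounts to knowing which utilities can run with elevated privilege and whether ordinary user accounts can reach them. The following is an added example, not code from the original question or answer: a small audit helper in the spirit of A.9.4.4 that classifies utility programs by file mode and owner and reports the ones a policy would want restricted. The administrative directories, the approved setuid list and the sample inventory are assumptions constructed for the example, not findings from any real system.

```python
"""Added example (not part of the original question or answer): an
audit helper that classifies utility programs by file mode and owner so
a reviewer can see which ones give ordinary user accounts a path to
privileged functions, in the spirit of ISO 27001 A.9.4.4.

All paths, modes and the approved list below are constructed sample
data, not findings from any real system.
"""
import os
import stat
from dataclasses import dataclass

# Assumption: directories that conventionally hold administrative tooling,
# which a policy may treat as candidate privileged utilities.
ADMIN_DIRS = ("/sbin/", "/usr/sbin/", "/usr/local/sbin/")

# Constructed allow-list: setuid/setgid utilities the organisation has
# reviewed and accepted, with the justification recorded elsewhere.
APPROVED_PRIVILEGED = frozenset({"/usr/bin/sudo", "/usr/bin/passwd"})


@dataclass
class UtilityRecord:
    """One utility as seen on disk (or as constructed for this example)."""
    path: str
    mode: int        # st_mode permission bits including setuid/setgid
    owner_uid: int   # 0 means root


def classify(rec: UtilityRecord) -> list:
    """Return the policy findings for one utility; an empty list means it
    needs no action under this (assumed) policy."""
    findings = []
    elevated = bool(rec.mode & (stat.S_ISUID | stat.S_ISGID))
    world_exec = bool(rec.mode & stat.S_IXOTH)
    world_write = bool(rec.mode & stat.S_IWOTH)

    # A setuid/setgid binary runs with privileges the caller does not
    # hold, so every such file must be on the reviewed allow-list.
    if elevated and rec.path not in APPROVED_PRIVILEGED:
        findings.append("unapproved setuid/setgid binary")

    # Anyone may overwrite a world-writable executable, so whoever runs it
    # next (possibly an administrator) executes code chosen by someone else.
    if world_write:
        findings.append("world-writable executable")

    # Dual-use admin tools are harmless without privilege, but a policy
    # may still want to know they are reachable from normal accounts.
    if rec.path.startswith(ADMIN_DIRS) and world_exec and not elevated:
        findings.append("admin-directory tool executable by all users")

    # A privileged file owned by a non-root account can be replaced by
    # that account, which defeats the allow-list review.
    if elevated and rec.owner_uid != 0:
        findings.append("setuid/setgid binary not owned by root")
    return findings


def audit(records) -> dict:
    """Map each path that has at least one finding to its findings."""
    report = {}
    for rec in records:
        found = classify(rec)
        if found:
            report[rec.path] = found
    return report


def record_from_disk(path: str):
    """Build a record from a real file; None if it is missing or unreadable."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return UtilityRecord(path, st.st_mode, st.st_uid)


# Constructed inventory standing in for an on-disk scan.
SAMPLE_INVENTORY = [
    UtilityRecord("/usr/bin/sudo", 0o4755, 0),           # approved
    UtilityRecord("/usr/local/bin/oldtool", 0o4755, 0),  # setuid, not reviewed
    UtilityRecord("/usr/sbin/tcpdump", 0o755, 0),        # dual-use admin tool
    UtilityRecord("/opt/tools/helper", 0o777, 1000),     # world-writable
    UtilityRecord("/usr/bin/ls", 0o755, 0),              # plain user tool
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(findings)}")
```

To run it against a live host, replace `SAMPLE_INVENTORY` with `record_from_disk(p)` over the paths you want to review and drop the `None` entries; the interesting output is the first category, since every unapproved setuid or setgid binary is exactly the kind of utility the question is asking how to inventory and restrict.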
