Installation and Control of Operational Software

You will need to develop some procedures to cover the installation of software on all devices operated by your organisation.

Software and libraries should be implemented only by authorised users, and only after sandbox testing. No development code should reside in the operational environment. The configurations of both the newly implemented software and the software it replaced should be retained, along with old versions of the replaced software, in case a rollback is required. Audit logs should be maintained for updates of libraries. Post-implementation testing should include network monitoring to highlight any unexpected traffic, which may expose bugs or require throttling.

Third-party software should be a supported version; otherwise, the residual risk needs to be accepted or mitigated. This software should be monitored for unauthorised changes.
