ISO27001 requires you to manage not only what people can access, but also how privileged utility programs can be used. But what exactly is meant by utility programs?
What does the standard require?
The standard states that “The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.” (A8.18 – Use of privileged utility programs)
For this ISO27001 control, keep in mind that utility programs can include any software tools which perform maintenance or management of your systems.
These can include:
Antivirus and malware protection software.
Disk defragmentation tools.
System diagnostics tools.
Backup and restore software.
Debuggers (used for troubleshooting software code).
Network management and monitoring tools (e.g. Intrusion Detection and Prevention Tools).
Why is this required?
This ISO27001 control aims to ensure that you control utility programs to prevent them from causing harm to the systems and applications used in your business.
These utility programs require low-level access to the infrastructure they are in place to manage. Therefore, they have the potential to cause significant damage to the infrastructure, which could lead to data breaches or outages.
They have privileged access because they carry out actions which can change how your systems operate, and therefore how your business operates. Accidental damage or deliberate misuse of these tools can have a significant and far-reaching impact on your business, making recovery difficult. That's why it is important to have tight control over their use.
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see a variety of security measures that might include:
Segregation of Duties (A5.3 - Segregation of duties).
Access Control Policies and procedures (A5.15 – Access Control).
Access Rights allocated appropriately (A5.18 – Access Rights).
Privileged Access rights allocated (A8.2 - Privileged access rights).
Segregation of networks (A8.22 - Segregation of networks).
Security Incident and Event Management (SIEM) technology.
Patch management tools.
Risk Register.
Audit results.
What do you need to do?
Consult your IT team to understand the types of utility programs used in your business. Refer to the list provided above as a starting point, and determine what other kinds of utility programs are used.
The purpose of this ISO27001 control is to ensure that you control the use of these tools, so you must review the access rights for the tools and restrict their use to a 'needs only' basis. This principle is known as 'least privilege' access. For example, if you develop code, not everyone will need access to debugging software. Not everyone will need access to your system monitoring tools and applications, so restrict this to the people who need access.
If you find that there are no controls in place, and people can make changes as they see fit, then this needs to be addressed through your risk management process and discussed with your Management Review Team (MRT).
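A small evidence-gathering check for the review described above, written for this page as an added example (not from the standard or the page's author): it walks an inventory of utility programs and flags any whose file permissions let every local user run them, or that run with elevated rights, rather than being limited to the group that needs them. The inventory, the file names (debugger, netmon, diskutil) and the directory it builds are constructed sample data, not real tools.

```python
import os
import stat
import tempfile

# Findings a utility can raise; each names the least-privilege point it breaks.
WORLD_EXEC = "executable by every local user (restrict to the group that needs it)"
WORLD_WRITE = "writable by every local user (the tool itself could be replaced)"
SETUID = "setuid/setgid bit set (runs with elevated rights for any caller)"


def check_utility(path):
    """Return the least-privilege findings for one utility program (empty list = ok)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IXOTH:
        findings.append(WORLD_EXEC)
    if mode & stat.S_IWOTH:
        findings.append(WORLD_WRITE)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(SETUID)
    return findings


def audit(inventory):
    """Map each inventoried utility (path -> purpose) to its list of findings."""
    return {path: check_utility(path) for path in inventory}


def build_sample_tree():
    """Constructed sample: three placeholder 'utilities' with different permissions."""
    root = tempfile.mkdtemp(prefix="a818-")
    samples = {
        "debugger": 0o750,   # owner and group only: the intended state
        "netmon": 0o755,     # world-executable: needs restricting
        "diskutil": 0o4755,  # setuid and world-executable: two findings
    }
    inventory = {}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")  # stand-in for a real binary
        os.chmod(path, mode)
        inventory[path] = name
    return inventory


if __name__ == "__main__":
    # Print one line per utility: the evidence an access-rights review would record.
    for path, findings in audit(build_sample_tree()).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

On a real host, replace build_sample_tree() with the list of utility programs your IT team identified and keep the output with your access-rights review.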
Difficulty rating
We rate this a 1.5 out of 5 difficulty rating. There's not much to this control except for you to identify and appropriately control the utility programs in use.
Q&A
Do I need a policy?
No, you don’t need a topic-specific policy, but you might look to include a reference to utility programs in your access control policy or acceptable use policy. What you need to do is evidence that you have identified the utility programs used in your business, and that you have considered who has permission to use them. Reviewing access rights and access allocation (for example, through your role-based access control processes) can provide evidence for this.
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.