Which Frameworks Require Application Whitelisting

  • Australian Cyber Security Centre (ACSC) Essential Eight: The Essential Eight lists application whitelisting (now termed "application control" in ACSC guidance) as one of its eight mitigation strategies for cyber security incidents. It calls for application control on all workstations and servers so that only approved executables, libraries, scripts and installers can run, which blocks most commodity malware before it executes.
  • NIST Cybersecurity Framework (CSF): The CSF does not mandate a specific product, but its Protect function covers the platform-hardening and protective-technology outcomes that application whitelisting delivers. NIST Special Publication 800-167, Guide to Application Whitelisting, provides the detailed guidance on planning, deploying and maintaining whitelisting as a preventive control.
  • Center for Internet Security (CIS) Controls: The CIS Controls call for allowlisting authorized software (Control 2, Inventory and Control of Software Assets) so that only vetted applications, libraries and scripts can execute on enterprise assets. This reduces the attack surface by preventing unauthorized or unmanaged software from running on endpoints.
  • ISO/IEC 27001: ISO 27001 does not name application whitelisting, but its Annex A controls on access control, malware protection and the installation of software on operational systems can be satisfied in part by whitelisting, especially when it is combined with other access restrictions and malware defences.
  • Federal Information Security Modernization Act (FISMA): FISMA requires U.S. federal agencies to implement the security controls catalogued in NIST SP 800-53. That catalogue includes a control enhancement for authorized software (CM-7(5), allow-by-exception), so application whitelisting is commonly part of an agency's control baseline to prevent unauthorized applications and reduce malware risk.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS does not mandate whitelisting by name, but its requirements to harden system components and protect them against malware are commonly met in part by allowing only approved software to run on systems in the cardholder data environment.