ThreatLocker as an ISO 27001 Annex A Control

Annex A.6 - Organization of Information Security

  • 6.1.2 Segregation of Duties  
    • ThreatLocker can help create a least-privileged environment using Application Control by restricting what applications can run, who can use them, and when. 
    • Ringfencing can restrict the function of applications down to only what is necessary for business.
    • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
  • 6.2.1 Mobile Device Policy
    • ThreatLocker can assist in meeting this objective. Utilizing Storage Control and setting up Remote Presence, you can prevent any device that is not running ThreatLocker from accessing data locations that you specify.  
    • ThreatLocker Storage Control can also prevent removable storage devices from accessing data.
    • Application Control limits what applications can be installed on mobile devices that are running ThreatLocker.
  • 6.2.2 Teleworking
    • ThreatLocker can assist in meeting this objective. Utilizing Storage Control and setting up Remote Presence, you can prevent any device that is not running ThreatLocker from accessing data locations that you specify.  
    • ThreatLocker Storage Control can also prevent removable storage devices from accessing data.
    • Application Control limits what applications can be installed on mobile devices that are running ThreatLocker.

Annex A.8 - Asset Management

  • 8.1.1 Inventory Of Assets
    • ThreatLocker can help with keeping an up-to-date inventory of your PCs. The Computers Page in the ThreatLocker portal will provide a list of all endpoints that have ThreatLocker installed. This will include a record of the OS version and build, the last time the device was online, and what IP address it checked in from.
  • 8.2.3 Handling of Assets
    •  ThreatLocker Storage Control enables you to limit access to CUI on system media to only authorized users.  
  • 8.3.1 Management of Removable Media
    • ThreatLocker can be used to meet this objective. Utilizing Storage Control, you can control the use of removable media on system components and restrict the use of portable storage devices to only the exact devices you have specified.

Annex A.9 - Access Control

  • 9.1.2 Access to Networks and Network Services
    • Storage Control can be configured to only allow access to the specific files or folders needed for each application and/or user.
  • 9.2.1 User Registration and Deregistration
    • Storage Control can be configured to remove access to specific files or folders for any user.
    • The Unified Audit provides a near real-time log of all activity by all users. You can choose to filter by a specific username to ensure a decommissioned employee's credentials are not being used.
  • 9.2.2 User Access Provisioning
    • Utilizing Storage Control you can allow and revoke access to specific files or folders by specific users.
    • Application Control provides the ability to allow applications only to specified groups and/or users so you can permit only what is necessary for an employee's job.
  • 9.2.3 Management of Privileged Access Rights
    •  Elevation Control enables you to limit or eliminate local administrator accounts and only allow elevated privileges for what is necessary, even down to a single file if that is all that needs elevated privileges.
    • Using Ringfencing you can put boundaries on the applications you have allowed with Elevation to only do what is needed and prohibit application hopping.  
  • 9.2.5 Review of User Access Rights
    • The Unified Audit will log any actions performed using elevated privileges, along with which user performed the action, providing a near real-time record of events in a central location for review.
  • 9.2.6 Removal or Adjustment of Access Rights
    • Utilizing Storage Control you can allow and revoke access to specific files or folders by specific users.
    • Application Control provides the ability to allow applications only to specified groups and/or users so you can permit only what is necessary for an employee's job.
    • Adjustments to Storage Control or Application Control can only be performed by an administrator on your ThreatLocker account that has privileges to make those changes.  
  • 9.3.1 Use of Secret Authentication Information
    • ThreatLocker has strong password requirements for logging into the portal, and you will receive an error if you attempt to use a weak password for your ThreatLocker account.  
    • ThreatLocker also provides visibility of the last date a ThreatLocker portal password has been changed, with color-coding to quickly identify administrators that need to change their password.
  • 9.4.1 Information Access Restriction
    • Application Control allows you to specify which users can use which applications, limiting file execution permissions.
    • With Storage Control you can limit file access to only specific programs or users or file types and can specify if file access is read-only or read and write.
  • 9.4.4 Use of Privileged Utility Programs
    • Application Control can block specific tools that aren't wanted in your environment, including PowerShell or Command Prompt commands, and limit which users can use those tools. No utility program will be able to execute unless you have created a policy to allow it.
  • 9.4.5 Access Control to Program Source Code
    • Utilizing Storage Control you can prohibit access to the location of your source code and permit only the necessary users to access it.
    • The Unified Audit will record all users who access or attempt to access the location of your source code specified in your Storage Control Policy.

Annex A.11 - Physical & Environmental Security

  • 11.2.4 Equipment Maintenance
    • ThreatLocker can assist in meeting this objective. Any software-related maintenance will be recorded in the Unified Audit.  
    • Application Control enables you to block any maintenance tools you don't want running in your environment such as PowerShell or Command Prompt.
    • Elevation Control allows you to remove local admin rights so that TCP/IP changes can't be made unless you have created a policy to elevate those specific files.
  • 11.2.5 Removal of Assets
    • All devices with ThreatLocker running will show the IP address of where they check in from, providing visibility of an asset being removed once it comes back online.   
    • Application Control gives you the ability to block Windows core files, creating a kill switch to render a computer useless in the event that it is not returned.
  • 11.2.6 Security of Equipment & Assets Off-Premises
    •  Storage Control can be used to limit access to data locations. 
    • Remote Presence will prevent a device without ThreatLocker from accessing chosen data locations.
  • 11.2.9 Clear Desk & Screen Policy
    • Storage Control can be utilized to prevent users from saving any documents on the PC's desktop.

Annex A.12 - Operational Procedures and Responsibilities

  • 12.2.1 Controls Against Malware
    • Application Control will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, providing protection against malicious code being run in your environment.
    • Ringfencing provides boundaries for your permitted applications, preventing them from accessing Windows' powerful built-in tools.
    • Storage Control can prevent the use of removable media, or allow only devices with specific serial numbers.
  • 12.4.1 Event Logging
    • The Unified Audit provides a central location to view all actions made on the endpoints in your environment. The user and computer the action took place on or attempted to take place on will be recorded in near real-time in the Unified Audit. These audits are stored for 30 days, but that time can be extended if needed.
  • 12.4.2 Protection of Log Information
    • ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period.
  • 12.4.3 Administrator & Operator Logs
    • The Unified Audit will log all activity performed by any user and will label all actions performed with local admin privileges as such. All actions performed by the SYSTEM account will also be logged and labeled.
  • 12.4.4 Clock Synchronization
    •  ThreatLocker can assist in synchronizing the timestamps of logs. All audit logs will include a date/time stamp down to the second and will be set to the timezone of the organization. 
  • 12.5.1 Installation of Software on Operational Systems 
    • ThreatLocker can achieve this objective. Application Control provides the ability to control and monitor all software installed in your environment. No user can install software unless you have permitted it.
    • The Unified Audit will provide a log of all software that is installed or attempted to be installed.
  • 12.6.1 Management of Technical Vulnerabilities 
    • ThreatLocker can assist in remediating technical vulnerabilities. Application Control prohibits anything you haven't specifically permitted from running in your environment.
    • Ringfencing can be configured to eliminate the ability of applications to access the powerful built-in Windows tools that are commonly exploited.
    • Elevation Control enables you to eliminate local admin accounts, reducing the risk of abusing these privileged accounts.
    • Storage Control provides the capability to control access to your protected shares.
    • Remote Presence will ensure that no device without ThreatLocker can access your valuable shares.
  • 12.6.2 Restrictions on Software Installation
    • ThreatLocker can achieve this objective. Application Control provides the ability to control all software installed in your environment. No user can install software unless you have permitted it. Not even a web extension will be permitted unless you have set a policy to allow it.

Annex A.13 - Communications Security

  • 13.1.1 Network Controls
    •  Through Ringfencing you can restrict all network access to any application and only allow on an exception basis as you deem necessary.  
    • Using Storage Control you can prevent unauthorized access to shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
    • Remote Presence will ensure that no device without ThreatLocker can access any data locations that you have specified.
  • 13.1.3 Segregation in Networks
    • Using Storage Control you can prevent unauthorized access to shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
  • 13.2.1 Information Transfer Policies & Procedures
    • Using Storage Control you can prevent unauthorized information transfer via shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
    • The Unified Audit will log all activity that has an associated Storage Control policy, providing timestamped visibility of file access, moves, and deletes along with the user that performed the activity. You will see the location of the file, the name of the file, and who manipulated it. In the case of a move, you will see where it has been moved to.

Annex A.14 - System Acquisition, Development & Maintenance

  • 14.1.2 Securing Application Services on Public Networks
    •  The Unified Audit will log only the file names and directory where they are located; there is no visibility of the file contents, protecting the confidentiality of the data at rest.  
    • Application Control prevents anything from running that you haven't permitted, and if a single part of a file has changed, it will be denied unless you have created a rule to allow for changes. Most application policies are permitted by hash, which ensures the integrity of the files.  
  • 14.1.3 Protecting Application Services Transactions
    • The Unified Audit provides ongoing monitoring of all actions on your endpoints in near real-time.
    • ThreatLocker utilizes HTTPS for secure internet communication.
  • 14.2.2 System Change Control Procedures
    • Application Control will give you the ability to prevent any new software from being installed until you have created a policy to allow it, thereby giving an administrator the final decision on when any changes are made.
  • 14.2.4 Restrictions on Changes to Software Packages
    •  Application Control provides the ability to control and monitor all software installed in your environment. No user can modify software unless you have permitted the modification.  

Annex A.16 - Information Security Incident Management

  • 16.1.2 Reporting Information Security Events
    •  ThreatLocker's Unified Audit will provide detailed logs of every action that takes place in your environment, providing you with information you can use when reporting any potential security incidents.
  • 16.1.3 Reporting Information Security Weaknesses
    • ThreatLocker's Unified Audit will provide detailed logs of every action that takes place in your environment, providing you with information you can use when reporting any potential security weakness, and giving visibility of any user activity associated with it.
  • 16.1.4 Assessment of & Decision on Information Security Events
    • The Unified Audit keeps a near real-time log of events in your environment which can be used when assessing any potential security event.
  • 16.1.7 Collection of Evidence
    • The Unified Audit keeps a near real-time log of events in your environment which can be used when collecting evidence. These logs are kept for 30 days, but this time can be extended.    

Annex A.18 - Compliance

  • 18.1.3 Protection of Records
    • ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period.