8.5: Configure Devices to Not Auto-Run Content

Sub-control 8.5 states that you must configure devices to not auto-run content from removable media.

Asset Type: Devices
Security Function: Protect
Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Endpoint Inventory: The endpoint inventory.

  2. Desired configuration(s) to disable auto-run: The desired configuration to use to disable auto-running content. There may be multiple configurations targeted at different types of endpoints (for instance, a different configuration might be provided for each type of operating system used on the endpoints in the provided inventory). If the endpoints are capable of performing multiple types of auto-run behavior (i.e., auto-run vs. auto-play), appropriate configurations should be provided for each type.

Operations

  1. For each endpoint in I1, compare the endpoint’s configuration to the appropriate configuration from I2. Generate a list of endpoints that adhere to the specified configuration (M1) and a list of the endpoints that do not adhere to the specified configuration (M2).

Assumptions

  • Endpoints that are not capable of performing any type of auto-run behavior are included in the compliant list (M1).

Measures

Measure Definition
M1 = List of endpoints adhering to the specified configuration (compliant list)

A list of all endpoints that adhere to the specified configuration.

M2 = List of endpoints not adhering to the specified configuration (non-compliant list)

A list of endpoints that do not adhere to the specified configuration.

M3 = Count of items in M1

A count of the total number of items in M1.

M4 = Count of items in M2

A count of the total number of items in M2.

M5 = Count of items in I1

A count of the total number of items in I1.

Metrics

Coverage

Metric: The ratio of endpoints properly disabling auto-run compared to the total number of endpoints.

Calculation: M3 / M5
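The operation, assumption and measures above can be carried through in code. The following is an added example, not part of the specification: the inventory, the per-OS setting names and values, and the choices to count an uncollected setting or an operating system with no entry in I2 as non-compliant are all assumptions made for illustration.

```python
# Constructed sample of input I2: desired auto-run / auto-play settings per OS.
# Setting names and values are illustrative assumptions, not from the specification.
DESIRED = {
    "windows": {"NoDriveTypeAutoRun": 255, "NoAutorun": 1},
    "linux-gnome": {"autorun-never": True, "automount": False},
}

# Constructed sample of input I1, with the settings observed on each endpoint.
INVENTORY = [
    {"id": "ws-001", "os": "windows", "settings": {"NoDriveTypeAutoRun": 255, "NoAutorun": 1}},
    {"id": "ws-002", "os": "windows", "settings": {"NoDriveTypeAutoRun": 145, "NoAutorun": 1}},
    {"id": "ws-003", "os": "windows", "settings": {"NoDriveTypeAutoRun": 255}},  # NoAutorun not collected
    {"id": "lx-001", "os": "linux-gnome", "settings": {"autorun-never": True, "automount": False}},
    {"id": "sensor-01", "os": "rtos", "autorun_capable": False, "settings": {}},
    {"id": "mac-001", "os": "macos", "settings": {}},  # no desired configuration in I2
]

def deviations(endpoint, desired):
    """Return the reasons an endpoint fails its desired configuration ([] = compliant)."""
    if not endpoint.get("autorun_capable", True):
        return []  # page assumption: endpoints with no auto-run behavior go in M1
    baseline = desired.get(endpoint["os"])
    if baseline is None:  # assumption: cannot be shown compliant, so treated as M2
        return ["no desired configuration for os " + endpoint["os"]]
    observed = endpoint["settings"]
    reasons = []
    for key, want in baseline.items():  # every auto-run type in I2 must match
        if key not in observed:
            reasons.append(f"{key}: not set (want {want!r})")
        elif observed[key] != want:
            reasons.append(f"{key}: {observed[key]!r} (want {want!r})")
    return reasons

def assess(inventory, desired):
    """Compute M1..M5 and the coverage metric M3 / M5, plus per-endpoint reasons."""
    m1, m2, why = [], [], {}
    for ep in inventory:
        reasons = deviations(ep, desired)
        if reasons:
            m2.append(ep["id"])
            why[ep["id"]] = reasons
        else:
            m1.append(ep["id"])
    m3, m4, m5 = len(m1), len(m2), len(inventory)
    coverage = m3 / m5 if m5 else None  # undefined for an empty inventory
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5, "coverage": coverage, "why": why}

if __name__ == "__main__":
    result = assess(INVENTORY, DESIRED)
    print(f"coverage = {result['M3']}/{result['M5']} = {result['coverage']:.2f}", result["why"])
```

Recording the reason alongside each M2 entry makes the non-compliant list directly actionable for remediation, and keeps M3 + M4 = M5 as a sanity check on the inventory.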