Manage active content — JavaScript, Office macros, Java — so only trusted code runs.
What it actually means
Mobile code — browser scripts, Office macros, Java applets — can carry malware. Define what's allowed and control it: disable Office macros sourced from the internet, restrict browser plugins, and block unsigned or untrusted active content. Modern endpoint and email protections handle most of this once configured.
Pass or fail — an assessor needs a "yes" to each
- Have you defined and restricted which mobile code is allowed (for example, macros blocked from the internet)?
- Are browser and endpoint protections configured to block untrusted active content?
What to have ready
- GPO / endpoint policy blocking internet-sourced macros
- Browser / email security configuration
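One way to produce evidence for the macro policy item is to audit the registry values that the Office Group Policy settings write. The script below is an added example, not part of the original page. It assumes Office 2016 or later (the 16.0 policy path), checks only the signed-in user's policy hive, and covers only Word, Excel and PowerPoint.

```powershell
# Added example: audit Office macro policy for the signed-in user.
# Assumptions: Office 2016+/Microsoft 365 Apps (16.0 path), per-user policy hive,
# and the three apps listed below. Adjust for your estate.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings values as written by the "VBA Macro Notification Settings" policy.
$vbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable with notification'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

$results = foreach ($app in $apps) {
    $key   = Join-Path $base "$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $block = $props.blockcontentexecutionfrominternet   # 1 = block internet-sourced macros
    $vba   = $props.VBAWarnings

    $problems = @()
    if ($block -ne 1) { $problems += 'internet-sourced macros not blocked by policy' }
    if ($vba -eq 1)   { $problems += 'all macros enabled' }

    $vbaText = 'Not configured'
    if ($null -ne $vba) {
        $vbaText = "Unknown ($vba)"
        if ($vbaMeaning.ContainsKey([int]$vba)) { $vbaText = $vbaMeaning[[int]$vba] }
    }

    [pscustomobject]@{
        App                 = $app
        BlockInternetMacros = if ($null -eq $block) { 'Not configured' } else { [int]$block }
        VBAWarnings         = $vbaText
        Result              = if ($problems) { 'FAIL' } else { 'PASS' }
        Detail              = $problems -join '; '
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or compliance job flag the endpoint.
if ($results.Result -contains 'FAIL') { exit 1 }
```

A "Not configured" result means the policy is not enforced for that user, so the setting depends on application defaults rather than on something you can show an assessor.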
Where teams trip up
- Office macros fully enabled across the org
- No stance on mobile code in policy or configuration