What users can install is governed and monitored.
What it actually means
Govern what users can install themselves — through policy plus technical controls (removing local admin, an approved-software process, monitoring for unauthorized installs). It pairs with application control above.
Pass or fail — an assessor needs a "yes" to each
- A policy governs user-installed software.
- Technical controls limit installs (e.g., no local admin / managed app catalog).
- Installs are monitored.
What to have ready
- User-software policy
- Local-admin removal / managed install configuration
- Software inventory / monitoring
Where teams trip up
- Everyone is a local admin installing freely
- No visibility into what got installed
- Policy with no monitoring
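A minimal sketch of the monitoring half of this control, as an added example (not from the original page or any specific tool): it diffs a software inventory against an approved catalog, lists accounts holding local admin outside an allowed set, and correlates the two. The field names, catalog entries, hosts and accounts are constructed assumptions standing in for an endpoint-management export.

```python
# Added example; all hosts, accounts and software rows are constructed.

# Hypothetical approved-software catalog: normalized (publisher, product) pairs.
APPROVED = {("microsoft", "office 365"), ("mozilla", "firefox"), ("7-zip", "7-zip")}
# Accounts permitted in the local Administrators group (assumed naming).
ALLOWED_ADMINS = {"corp\\it-admins", "builtin\\administrator"}

# Constructed inventory rows, shaped like an endpoint-management export.
INVENTORY = [
    {"host": "WS-014", "publisher": "Mozilla", "product": "Firefox",
     "installed": "2024-03-02", "installed_by": "SYSTEM"},
    {"host": "WS-014", "publisher": "Unknown", "product": "FreePDFConverter",
     "installed": "2024-05-19", "installed_by": "corp\\jdoe"},
    {"host": "WS-022", "publisher": "7-Zip", "product": "7-Zip ",
     "installed": "2024-01-11", "installed_by": "SYSTEM"},
]
# Constructed local Administrators membership per host.
LOCAL_ADMINS = {
    "WS-014": ["BUILTIN\\Administrator", "CORP\\IT-Admins", "CORP\\jdoe"],
    "WS-022": ["BUILTIN\\Administrator", "CORP\\IT-Admins"],
}

def norm(s):
    # Case-fold and collapse whitespace so "7-Zip " matches "7-zip".
    return " ".join(s.lower().split())

def unapproved_installs(inventory, approved):
    # Rows whose (publisher, product) pair is not in the approved catalog.
    return [r for r in inventory
            if (norm(r["publisher"]), norm(r["product"])) not in approved]

def excess_admins(local_admins, allowed):
    # Map host -> accounts holding local admin outside the allowed set.
    out = {}
    for host, members in local_admins.items():
        extra = sorted(m for m in members if norm(m) not in allowed)
        if extra:
            out[host] = extra
    return out

def findings(inventory, approved, local_admins, allowed):
    # One tuple per unapproved install: (host, product, installer, installer_is_local_admin).
    admins = excess_admins(local_admins, allowed)
    result = []
    for r in unapproved_installs(inventory, approved):
        holders = {norm(a) for a in admins.get(r["host"], [])}
        result.append((r["host"], r["product"].strip(), r["installed_by"],
                       norm(r["installed_by"]) in holders))
    return result
```

The last element of each finding separates an install that slipped past a working control from one made possible by standing local-admin rights, which is the first trip-up listed above.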