Restrict Applications on Critical Systems

A system that stores or manages personally identifiable information (PII) or other confidential information should run only the minimum software required and be used only as necessary to carry out its required functions. Risk increases with the number and type of applications loaded on a system, and both must be considered when assessing whether a system can reasonably safeguard the information it contains (e.g., web surfing should not be allowed on a system that hosts a database containing high-risk PI or confidential information). Peer-to-peer applications must not be installed on any system containing sensitive academic, financial, or health-related PII.