Information Systems Security Controls Guidance: Application Systems

Application Systems Security Controls – Section 11(c)(9)(iii)

Application security countermeasures are the software, hardware, and procedural methods used to protect systems from external threats. For example, the most basic software countermeasure is a firewall that limits the execution of files by specific installed programs. Similarly, a router is a hardware countermeasure that can prevent the IP address of an individual computer from being visible on the internet. Other countermeasures include encryption, antivirus programs, spyware detection, and biometric authentication systems.

Section 11(c)(9)(iii) requires the entity to “ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer virus, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records in §73.17.”


Antivirus software detects and removes computer viruses and other types of malware including:

  • Browser hijackers
  • Ransomware
  • Key loggers
  • Backdoors
  • Rootkits
  • Trojan horses
  • Worms
  • Adware
  • Spyware

Commonly available antivirus software such as McAfee, Symantec, and Avira is typically sufficient for most registered entities, though more robust systems may be required. Consult the IT department to ensure a robust antivirus system has been installed and implemented throughout the network.


The most common way to meet this requirement is to set up a firewall at some level of the network (computer, department, institution, etc.). Typically, Microsoft’s firewall is enough to meet the SAR requirements. There are several types of firewalls that can meet this requirement. Work with the IT department to determine the best solution for the entity’s specific network conditions. Some examples include:

  • Packet Filtering Firewalls – monitor outgoing and incoming information based on the source and destination.
  • Stateful Inspection Firewalls – monitor active network connections to determine what network packets are allowed through.
  • Application-Proxy Gateway Firewalls – run a firewall system between network and proxy that acts as a gateway for packets to get through to the network.
Page last reviewed: September 9, 2020