I'm consulting to a company who has had a security audit done so as to meet compliance requirements for a Govt. contract. One of the mandatory requirements for security against cyber intrusion, is the use of application whitelisting 'on all systems able to receive emails or browse web content originating in a different security domain'. So, 'all systems' is not only servers, but all the desktop units (and probably iOS/Android).
I notice this company already uses an enterprise anti-virus solution, and the company which provides that does have a Whitelisting application which appears to have a good rap in the marketplace.
But the question is, how practical is application whitelisting to deploy and maintain? I suspect that IT Services are going to push back on the requirement, because from what I gather, maintaining the whitelist is a maintenance headache and a source of frustration for both users and IT support. So I'm trying to get a feeling for whether the client can get away with not observing this 'mandatory requirement'.