Security Policies

CIS


1. Asset Type

1.1. Data

1.2. Network

1.3. Users

1.4. Devices

1.5. Applications

2. Security Function

2.1. Identify

2.2. Respond

2.3. Protect

2.4. Detect

3. CIS Requirements

3.1. 1 Inventory of Authorized & Unauthorized Hardware

3.1.1. 1.1 Utilize an Active Discovery Tool

3.1.1.1. Policy Defined

3.1.1.2. Control Implementation

3.1.1.2.1. Determine requirements for active discovery tool

3.1.1.2.2. <Spike> What/Where is our asset inventory system?

3.1.1.3. Control Automation

3.1.1.4. Control Documented

3.1.2. 1.2 Use a Passive Asset Discovery Tool

3.1.2.1. Policy Defined

3.1.2.2. Control Implementation

3.1.2.2.1. Determine requirements for passive discovery tool

3.1.2.2.2. Investigate any configurations in the environment that lead to incorrect data for the objects found

3.1.2.2.3. Test Validity of Data

3.1.2.2.4. Confirm results

3.1.2.3. Control Automation

3.1.2.4. Control Documented

3.1.3. 1.3 Use DHCP Logging to Update Asset Inventory

3.1.3.1. Policy Defined

3.1.3.1.1. <Spike> Determine asset update process

3.1.3.2. Control Implementation

3.1.3.2.1. Enable DHCP logging on DHCP servers

3.1.3.2.2. Enable DHCP log discovery from asset discovery tool

3.1.3.2.3. Test data validity

3.1.3.2.4. Confirm results

3.1.3.3. Control Automation

3.1.3.4. Control Documented

3.1.4. 1.4 Maintain Detailed Asset Inventory

3.1.4.1. Gather previous inventory list

3.1.4.2. Policy Defined

3.1.4.2.1. A write-up of the procedure for manually adding or removing assets to or from the inventory

3.1.4.2.2. Determine, document, and publish a policy for the time allowable between when a device is acquired and when it must be entered into inventory

3.1.4.2.3. Determine, document, and publish a policy for the time allowable between when a device is removed from inventory and when it must be disposed of.

3.1.4.2.4. The new list replaces the old list until an inventory audit is completed again.

3.1.4.3. Control Implementation

3.1.4.3.1. Create a new "ground truth" list that is an aggregation of the devices detected.

3.1.4.4. Control Automation

3.1.4.5. Control Documented

3.1.4.5.1. Document entire repeatable inventory procedure

3.1.5. 1.5 Maintain Asset Inventory Information

3.1.5.1. Policy Defined

3.1.5.2. Control Implementation

3.1.5.2.1. For each endpoint, identify detailed information

3.1.5.2.2. Identify which endpoints have all of the required detailed information recorded

3.1.5.2.3. For each endpoint, identify network connection approval

3.1.5.2.4. The procedure should include documenting the length of time between when a device has been removed from inventory and when it was disposed of for each device

3.1.5.2.5. The procedure should include documenting the length of time between when a device is acquired and when it was entered into inventory for each device

3.1.5.3. Control Automation

3.1.5.4. Control Documented

3.1.6. 1.6 Address Unauthorized Assets

3.1.6.1. Policy Defined

3.1.6.1.1. <Spike> Define organizationally what qualifies as "timely" (auditors prefer < 24 hours)

3.1.6.1.2. All devices that cannot be traced back to the organization are considered unauthorized devices

3.1.6.2. Control Implementation

3.1.6.2.1. Within a timely manner, for each device not identified in the inventory list, investigate and remove devices from the network.

3.1.6.3. Control Automation

3.1.6.4. Control Documented
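The steps in 1.3 through 1.6 above (enable DHCP logging, feed it to the inventory, build a ground-truth list, time-box inventory entry, and flag anything that cannot be traced to the organization) are one pipeline. The following is an added example of that pipeline, not part of the original mind map or of any CIS deliverable. The inventory records and the DHCP server log lines are constructed; the log lines follow the ISC dhcpd syslog shape (`DHCPACK on <ip> to <mac> (<host>) via <iface>`), which is an assumption about your server, and the seven-day entry window is a placeholder for whatever 1.4 defines as allowable.

```python
"""Reconcile DHCP lease activity against a hardware asset inventory.

Added example for CIS v7 sub-controls 1.3-1.6; not from the original mind map.
Inventory and log data are constructed; the log format assumes ISC dhcpd syslog.
"""
import re
from datetime import datetime, timedelta

# Constructed inventory: MAC -> record. 'acquired' is the purchase date and
# 'entered' is when the record landed in inventory (the 1.5 timeliness measure).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "ws-alice", "owner": "alice", "acquired": "2024-03-01", "entered": "2024-03-02"},
    "aa:bb:cc:00:00:02": {"host": "ws-bob", "owner": "bob", "acquired": "2024-03-01", "entered": "2024-03-20"},
}

# Constructed DHCP server log (ISC dhcpd style syslog lines).
DHCP_LOG = """\
Mar 21 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (ws-alice) via eth0
Mar 21 09:12:30 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth0
Mar 21 09:12:31 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (rogue-pi) via eth0
Mar 21 09:13:05 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.11 to AA:BB:CC:00:00:02 via eth0
"""

# Only DHCPACK lines prove a lease was actually handed out; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_dhcp_acks(log_text):
    """Yield one dict per DHCPACK line; MACs are lower-cased to match inventory keys."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            yield rec


def reconcile(inventory, log_text, max_entry_days=7):
    """Return (seen, unauthorized, late_entries).

    seen         : inventory MACs observed in the log, with the last IP handed out
    unauthorized : MACs that cannot be traced to an inventory record (sub-control 1.6)
    late_entries : inventory MACs whose acquired->entered gap exceeds max_entry_days (1.5)
    """
    seen, unauthorized = {}, {}
    for ack in parse_dhcp_acks(log_text):
        target = seen if ack["mac"] in inventory else unauthorized
        target[ack["mac"]] = {"ip": ack["ip"], "host": ack["host"] or "", "iface": ack["iface"]}
    late = {}
    for mac, rec in inventory.items():
        gap = datetime.fromisoformat(rec["entered"]) - datetime.fromisoformat(rec["acquired"])
        if gap > timedelta(days=max_entry_days):
            late[mac] = gap.days
    return seen, unauthorized, late


if __name__ == "__main__":
    seen, unauth, late = reconcile(INVENTORY, DHCP_LOG)
    for mac, info in unauth.items():
        print(f"UNAUTHORIZED {mac} {info['ip']} host={info['host']!r} via {info['iface']}")
    for mac, days in late.items():
        print(f"LATE ENTRY   {mac} entered {days} days after acquisition")
```

Run it and the rogue Raspberry Pi shows up as unauthorized while the second workstation, which took 19 days to reach the inventory, is reported as a policy breach under 1.5. Note that the match is on MAC, so a device with a spoofed MAC of an inventoried host will appear as "seen"; this is why 1.7 and 1.8 (port-level access control and client certificates) sit after this step rather than before it.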

3.1.7. 1.7 Deploy Port Level Access Control

3.1.7.1. Policy Defined

3.1.7.2. Control Implementation

3.1.7.2.1. Design

3.1.7.2.2. Deploy required infrastructure

3.1.7.2.3. Configure MAC Authentication Bypass (MAB) for authorized devices that do not support 802.1X

3.1.7.3. Control Automation

3.1.7.4. Control Documented

3.1.7.4.1. As-Built Documentation

3.1.8. 1.8 Utilize Client Certificates to Authenticate Hardware Assets

3.1.8.1. Policy Defined

3.1.8.2. Control Implementation

3.1.8.2.1. Deploy device certificates

3.1.8.2.2. Configure 802.1X supplicants for authentication

3.1.8.3. Control Automation

3.1.8.4. Control Documented

3.2. 2 Inventory of Authorized & Unauthorized Software

3.2.1. 2.1 Maintain Inventory of Authorized Software

3.2.1.1. Policy Defined

3.2.1.1.1. Define organizationally acceptable timeframe for “up-to-date” in regards to software

3.2.1.2. Control Implementation

3.2.1.2.1. Create list of all sanctioned SaaS services

3.2.1.2.2. Create list from purchase records of all known licensed software

3.2.1.3. Control Automation

3.2.1.4. Control Documented

3.2.2. 2.2 Ensure Software is Supported by Vendor

3.2.2.1. Policy Defined

3.2.2.2. Control Implementation

3.2.2.3. Control Automation

3.2.2.4. Control Documented

3.2.3. 2.3 Utilize Software Inventory Tools

3.2.3.1. Policy Defined

3.2.3.2. Control Implementation

3.2.3.3. Control Automation

3.2.3.4. Control Documented

3.2.4. 2.4 Track Software Inventory Information

3.2.4.1. Policy Defined

3.2.4.2. Control Implementation

3.2.4.3. Control Automation

3.2.4.4. Control Documented

3.2.5. 2.5 Integrate Software and Hardware Asset Inventories

3.2.5.1. Policy Defined

3.2.5.2. Control Implementation

3.2.5.3. Control Automation

3.2.5.4. Control Documented

3.2.6. 2.6 Address unapproved software

3.2.6.1. Policy Defined

3.2.6.2. Control Implementation

3.2.6.3. Control Automation

3.2.6.4. Control Documented

3.2.7. 2.7 Utilize Application Whitelisting

3.2.7.1. Policy Defined

3.2.7.2. Control Implementation

3.2.7.3. Control Automation

3.2.7.4. Control Documented

3.2.8. 2.8 Implement Application Whitelisting of Libraries

3.2.8.1. Policy Defined

3.2.8.2. Control Implementation

3.2.8.3. Control Automation

3.2.8.4. Control Documented

3.2.9. 2.9 Implement Application Whitelisting of Scripts

3.2.9.1. Policy Defined

3.2.9.2. Control Implementation

3.2.9.3. Control Automation

3.2.9.4. Control Documented

3.2.10. 2.10 Physically or Logically Segregate High Risk Applications

3.2.10.1. Policy Defined

3.2.10.2. Control Implementation

3.2.10.3. Control Automation

3.2.10.4. Control Documented

3.3. 3 Continuous Vulnerability Assessment & Remediation

3.3.1. 3.1 Run Automated Vulnerability Scanning Tools

3.3.1.1. Policy Defined

3.3.1.2. Control Implementation

3.3.1.3. Control Automation

3.3.1.4. Control Documented

3.3.2. 3.2 Perform Authenticated Vulnerability Scanning

3.3.2.1. Policy Defined

3.3.2.2. Control Implementation

3.3.2.3. Control Automation

3.3.2.4. Control Documented

3.3.3. 3.3 Protect Dedicated Assessment Accounts

3.3.3.1. Policy Defined

3.3.3.2. Control Implementation

3.3.3.3. Control Automation

3.3.3.4. Control Documented

3.3.4. 3.4 Deploy Automated Operating System Patch Management Tools

3.3.4.1. Policy Defined

3.3.4.2. Control Implementation

3.3.4.3. Control Automation

3.3.4.4. Control Documented

3.3.5. 3.5 Deploy Automated Software Patch Management Tools

3.3.5.1. Policy Defined

3.3.5.2. Control Implementation

3.3.5.3. Control Automation

3.3.5.4. Control Documented

3.3.6. 3.6 Compare Back-to-Back Vulnerability Scans

3.3.6.1. Policy Defined

3.3.6.2. Control Implementation

3.3.6.3. Control Automation

3.3.6.4. Control Documented

3.3.7. 3.7 Utilize a Risk-Rating Process

3.3.7.1. Policy Defined

3.3.7.2. Control Implementation

3.3.7.3. Control Automation

3.3.7.4. Control Documented
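Sub-controls 3.6 and 3.7 above are usually implemented together: the back-to-back comparison tells you which findings are new, which were fixed, and which are persisting, and the risk-rating process decides what to fix first. The following is an added example of both steps, not from the original mind map. The two scan result sets are constructed with a minimal (host, finding id, CVSS base score) shape rather than any scanner's export format, and the asset-criticality and exposure weights are assumptions standing in for values the asset inventory would supply.

```python
"""Diff two consecutive vulnerability scans and rank the new findings by risk.

Added example for CIS v7 sub-controls 3.6 and 3.7; not from the original mind map.
Scan data, finding ids and weights are constructed.
"""

# Constructed results from two consecutive scans: (host, finding_id, cvss_base).
SCAN_PREVIOUS = [
    ("db01",  "finding-101", 9.8),
    ("web01", "finding-102", 7.5),
    ("web01", "finding-103", 5.3),
]
SCAN_CURRENT = [
    ("db01",  "finding-101", 9.8),   # still open
    ("web01", "finding-103", 5.3),   # still open
    ("web02", "finding-104", 8.1),   # new
    ("kiosk", "finding-105", 9.1),   # new, higher CVSS, but on a low-value asset
]

# Assumed per-host criticality and exposure; a real process pulls these from the asset inventory.
ASSET_WEIGHT = {"db01": 3.0, "web01": 2.0, "web02": 2.0, "kiosk": 0.5}
HOST_EXPOSURE = {"db01": "internal", "web01": "internet", "web02": "internet", "kiosk": "internal"}
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}


def diff_scans(previous, current):
    """Split findings into new, fixed and persisting dicts keyed by (host, finding_id)."""
    prev = {(h, f): s for h, f, s in previous}
    curr = {(h, f): s for h, f, s in current}
    new = {k: curr[k] for k in curr.keys() - prev.keys()}
    fixed = {k: prev[k] for k in prev.keys() - curr.keys()}
    persisting = {k: curr[k] for k in curr.keys() & prev.keys()}
    return new, fixed, persisting


def risk_score(host, cvss):
    """Combine CVSS with asset criticality and exposure; unknown hosts get neutral weights."""
    exposure = HOST_EXPOSURE.get(host, "internal")
    return round(cvss * ASSET_WEIGHT.get(host, 1.0) * EXPOSURE_WEIGHT[exposure], 1)


def prioritized(findings):
    """Return (host, finding_id, cvss, risk) rows sorted by descending risk score."""
    rows = [(h, f, s, risk_score(h, s)) for (h, f), s in findings.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    new, fixed, persisting = diff_scans(SCAN_PREVIOUS, SCAN_CURRENT)
    print(f"new={len(new)} fixed={len(fixed)} persisting={len(persisting)}")
    for host, fid, cvss, risk in prioritized(new):
        print(f"NEW {host:6} {fid} cvss={cvss} risk={risk}")
    for (host, fid), cvss in persisting.items():
        print(f"OPEN {host:6} {fid} cvss={cvss} (seen in both scans)")
```

The point the ranking makes is that raw CVSS alone would put the kiosk finding first; weighting by asset value and exposure puts the internet-facing web server ahead of it. The persisting set is the list to reconcile against the patch management tools in 3.4 and 3.5: anything still open after a patch cycle is either an unpatched host or a scan that was not authenticated (3.2).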

3.4. 4 Controlled Use of Administrative Privileges

3.4.1. 4.1 Maintain Inventory of Administrative Accounts

3.4.1.1. Policy Defined

3.4.1.2. Control Implementation

3.4.1.3. Control Automation

3.4.1.4. Control Documented

3.4.2. 4.2 Change Default Passwords

3.4.2.1. Policy Defined

3.4.2.2. Control Implementation

3.4.2.3. Control Automation

3.4.2.4. Control Documented

3.4.3. 4.3 Ensure the Use of Dedicated Administrative Accounts

3.4.3.1. Policy Defined

3.4.3.2. Control Implementation

3.4.3.3. Control Automation

3.4.3.4. Control Documented

3.4.4. 4.4 Ensure Unique Passwords

3.4.4.1. Policy Defined

3.4.4.2. Control Implementation

3.4.4.3. Control Automation

3.4.4.4. Control Documented

3.4.5. 4.5 Use Multi-Factor Authentication for All Administrative Access

3.4.5.1. Policy Defined

3.4.5.2. Control Implementation

3.4.5.3. Control Automation

3.4.5.4. Control Documented

3.4.6. 4.6 Use Dedicated Workstations For All Administrative Tasks

3.4.6.1. Policy Defined

3.4.6.2. Control Implementation

3.4.6.3. Control Automation

3.4.6.4. Control Documented

3.4.7. 4.7 Limit Access to Script Tools

3.4.7.1. Policy Defined

3.4.7.2. Control Implementation

3.4.7.3. Control Automation

3.4.7.4. Control Documented

3.4.8. 4.8 Log and Alert on Changes to Administrative Group Membership

3.4.8.1. Policy Defined

3.4.8.2. Control Implementation

3.4.8.3. Control Automation

3.4.8.4. Control Documented

3.4.9. 4.9 Log and Alert on Unsuccessful Administrative Account Login

3.4.9.1. Policy Defined

3.4.9.2. Control Implementation

3.4.9.3. Control Automation

3.4.9.4. Control Documented
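Sub-controls 4.8 and 4.9 above are detection rules rather than configuration, so the "Control Automation" node for each is a query over the audit log. The following is an added example of both rules run over sample events; it is not from the original mind map. The events are constructed, simplified JSON renderings of Windows Security log entries (IDs 4728, 4732 and 4756 record a member added to a security-enabled group; 4625 records a failed logon, and the status shown is the generic logon-failure code); the field names follow the Windows event schema but the records are hand-written. The administrative group and account lists and the failure threshold are assumptions.

```python
"""Alert on administrative group membership changes and failed admin logons.

Added example for CIS v7 sub-controls 4.8 and 4.9; not from the original mind map.
Events are constructed, simplified Windows Security log records.
"""
import json
from collections import defaultdict

ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}  # assumed
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}                                 # assumed
GROUP_CHANGE_IDS = {4728, 4732, 4756}   # member added to global / local / universal security group
FAILED_LOGON_ID = 4625
FAILED_THRESHOLD = 3                    # failures per admin account in one batch that raise an alert

# Constructed events, one JSON object per line.
EVENTS = """\
{"EventID": 4732, "SubjectUserName": "svc-helpdesk", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=carol,OU=Staff,DC=corp,DC=local"}
{"EventID": 4728, "SubjectUserName": "adm-alice", "TargetUserName": "Domain Admins", "MemberName": "CN=mallory,OU=Staff,DC=corp,DC=local"}
{"EventID": 4625, "TargetUserName": "adm-bob", "IpAddress": "10.0.9.15", "Status": "0xC000006D"}
{"EventID": 4625, "TargetUserName": "adm-bob", "IpAddress": "10.0.9.15", "Status": "0xC000006D"}
{"EventID": 4625, "TargetUserName": "adm-bob", "IpAddress": "10.0.9.15", "Status": "0xC000006D"}
{"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.9.16", "Status": "0xC000006D"}
"""


def detect(event_lines, admin_groups=ADMIN_GROUPS, admin_accounts=ADMIN_ACCOUNTS, threshold=FAILED_THRESHOLD):
    """Return alert dicts: one per admin-group change (4.8), one per admin account over the failure threshold (4.9)."""
    alerts = []
    failures = defaultdict(list)
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        # For group-membership events TargetUserName is the group, MemberName the account added.
        if eid in GROUP_CHANGE_IDS and ev.get("TargetUserName") in admin_groups:
            alerts.append({
                "type": "admin_group_change",
                "group": ev["TargetUserName"],
                "member": ev.get("MemberName", ""),
                "by": ev.get("SubjectUserName", ""),
            })
        # For 4625 TargetUserName is the account that failed to log on.
        elif eid == FAILED_LOGON_ID and ev.get("TargetUserName") in admin_accounts:
            failures[ev["TargetUserName"]].append(ev.get("IpAddress", ""))
    for account, sources in failures.items():
        if len(sources) >= threshold:
            alerts.append({
                "type": "admin_logon_failures",
                "account": account,
                "count": len(sources),
                "sources": sorted(set(sources)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Every admin-group change is alerted on regardless of who made it, because the change itself is what 4.8 requires to be visible; the helpdesk adding a user to Remote Desktop Users does not fire because that group is not in the administrative set. The failed-logon rule counts per account, not per source address, so a distributed password spray against one admin account still crosses the threshold.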

3.5. 5 Secure Configurations for Hardware and Software

3.5.1. 5.1 Establish Secure Configurations

3.5.1.1. Policy Defined

3.5.1.2. Control Implementation

3.5.1.3. Control Automation

3.5.1.4. Control Documented

3.5.2. 5.2 Maintain Secure Images

3.5.2.1. Policy Defined

3.5.2.2. Control Implementation

3.5.2.3. Control Automation

3.5.2.4. Control Documented

3.5.3. 5.3 Securely Store Master Images

3.5.3.1. Policy Defined

3.5.3.2. Control Implementation

3.5.3.3. Control Automation

3.5.3.4. Control Documented

3.5.4. 5.4 Deploy System Configuration Management Tools

3.5.4.1. Policy Defined

3.5.4.2. Control Implementation

3.5.4.3. Control Automation

3.5.4.4. Control Documented

3.5.5. 5.5 Implement Automated Configuration Monitoring Systems

3.5.5.1. Policy Defined

3.5.5.2. Control Implementation

3.5.5.3. Control Automation

3.5.5.4. Control Documented

3.6. 6 Maintenance, Monitoring, & Analysis of Audit Logs

3.6.1. 6.1 Utilize Three Synchronized Time Sources

3.6.1.1. Policy Defined

3.6.1.2. Control Implementation

3.6.1.3. Control Automation

3.6.1.4. Control Documented

3.6.2. 6.2 Activate Audit Logging

3.6.2.1. Policy Defined

3.6.2.2. Control Implementation

3.6.2.3. Control Automation

3.6.2.4. Control Documented

3.6.3. 6.3 Enable Detailed Logging

3.6.3.1. Policy Defined

3.6.3.2. Control Implementation

3.6.3.3. Control Automation

3.6.3.4. Control Documented

3.6.4. 6.4 Ensure Adequate Storage for Logs

3.6.4.1. Policy Defined

3.6.4.2. Control Implementation

3.6.4.3. Control Automation

3.6.4.4. Control Documented

3.6.5. 6.5 Central Log Management

3.6.5.1. Policy Defined

3.6.5.2. Control Implementation

3.6.5.3. Control Automation

3.6.5.4. Control Documented

3.6.6. 6.6 Deploy SIEM or Log Analytic Tools

3.6.6.1. Policy Defined

3.6.6.2. Control Implementation

3.6.6.3. Control Automation

3.6.6.4. Control Documented

3.6.7. 6.7 Regularly Review Logs

3.6.7.1. Policy Defined

3.6.7.2. Control Implementation

3.6.7.3. Control Automation

3.6.7.4. Control Documented

3.6.8. 6.8 Regularly Tune SIEM

3.6.8.1. Policy Defined

3.6.8.2. Control Implementation

3.6.8.3. Control Automation

3.6.8.4. Control Documented

3.7. 7 Email & Web Browser Protections

3.7.1. 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients

3.7.1.1. Policy Defined

3.7.1.2. Control Implementation

3.7.1.3. Control Automation

3.7.1.4. Control Documented

3.7.2. 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins

3.7.2.1. Policy Defined

3.7.2.2. Control Implementation

3.7.2.3. Control Automation

3.7.2.4. Control Documented

3.7.3. 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients

3.7.3.1. Policy Defined

3.7.3.2. Control Implementation

3.7.3.3. Control Automation

3.7.3.4. Control Documented

3.7.4. 7.4 Maintain and Enforce Network-Based URL Filters

3.7.4.1. Policy Defined

3.7.4.2. Control Implementation

3.7.4.3. Control Automation

3.7.4.4. Control Documented

3.7.5. 7.5 Subscribe to URL-Categorization Service

3.7.5.1. Policy Defined

3.7.5.2. Control Implementation

3.7.5.3. Control Automation

3.7.5.4. Control Documented

3.7.6. 7.6 Log All URL Requests

3.7.6.1. Policy Defined

3.7.6.2. Control Implementation

3.7.6.3. Control Automation

3.7.6.4. Control Documented

3.7.7. 7.7 Use of DNS Filtering Services

3.7.7.1. Policy Defined

3.7.7.2. Control Implementation

3.7.7.3. Control Automation

3.7.7.4. Control Documented

3.7.8. 7.8 Implement DMARC and Enable Receiver-Side Verification

3.7.8.1. Policy Defined

3.7.8.2. Control Implementation

3.7.8.3. Control Automation

3.7.8.4. Control Documented
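The "Control Automation" node for 7.8 above is a recurring check that the organization's own DMARC and SPF records still say what the policy requires, since a record that drifts back to `p=none` silently switches enforcement off. The following is an added example of that check, not from the original mind map. The records are constructed strings and no DNS lookup is performed; in use you would feed it the TXT values fetched for `_dmarc.<domain>` and `<domain>`. Tag syntax follows RFC 7489 (DMARC) and RFC 7208 (SPF).

```python
"""Check DMARC and SPF TXT records against an enforcement bar.

Added example for CIS v7 sub-control 7.8; not from the original mind map.
Records are constructed; nothing is resolved from DNS.
"""
import re

# Constructed records: a weak pair and a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

ENFORCING = ("quarantine", "reject")
LOOKUP_MECHANISMS = ("include", "a", "mx", "redirect", "exists", "ptr")  # each costs a DNS lookup
MECH_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)")  # optional qualifier, then the mechanism name


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys and stripped values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it meets the bar."""
    t = parse_dmarc(record)
    findings = []
    if t.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = t.get("p")
    if policy not in ENFORCING:
        findings.append(f"p={policy!r} does not enforce (expect quarantine or reject)")
    if "sp" in t and t["sp"] not in ENFORCING:
        findings.append(f"sp={t['sp']!r} leaves subdomains unenforced")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']} applies the policy to only part of the mail stream")
    if "rua" not in t:
        findings.append("no rua= aggregate-report address, so receiver-side results are never seen")
    return findings


def check_spf(record):
    """Return findings for an SPF record; the final 'all' mechanism decides what unlisted senders get."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1"]
    findings = []
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append(f"record ends with {terms[-1]!r}; expect -all (or ~all while testing)")
    lookups = 0
    for term in terms[1:]:
        m = MECH_RE.match(term.lower())
        if m and m.group(1) in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the RFC 7208 limit of 10")
    return findings


if __name__ == "__main__":
    for name, dmarc, spf in (("weak", WEAK_DMARC, WEAK_SPF), ("strong", STRONG_DMARC, STRONG_SPF)):
        print(name, "DMARC:", check_dmarc(dmarc) or "ok")
        print(name, "SPF:  ", check_spf(spf) or "ok")
```

`p=none` with a `rua=` address is the right first step of a rollout because it yields the aggregate reports needed to find legitimate senders before enforcement; what the check flags is the combination of `p=none` with no reporting address, which gives neither protection nor visibility. The `pct` tag is likewise useful during staged rollout and wrong as a steady state.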

3.7.9. 7.9 Block Unnecessary File Types

3.7.9.1. Policy Defined

3.7.9.2. Control Implementation

3.7.9.3. Control Automation

3.7.9.4. Control Documented

3.7.10. 7.10 Sandbox All Email Attachments

3.7.10.1. Policy Defined

3.7.10.2. Control Implementation

3.7.10.3. Control Automation

3.7.10.4. Control Documented

3.8. 8 Malware Defenses

3.8.1. 8.1 Utilize Centrally Managed Anti-malware Software

3.8.1.1. Policy Defined

3.8.1.2. Control Implementation

3.8.1.3. Control Automation

3.8.1.4. Control Documented

3.8.2. 8.2 Ensure Anti-Malware Software and Signatures Are Updated

3.8.2.1. Policy Defined

3.8.2.2. Control Implementation

3.8.2.3. Control Automation

3.8.2.4. Control Documented

3.8.3. 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies

3.8.3.1. Policy Defined

3.8.3.2. Control Implementation

3.8.3.3. Control Automation

3.8.3.4. Control Documented

3.8.4. 8.4 Configure Anti-Malware Scanning of Removable Devices

3.8.4.1. Policy Defined

3.8.4.2. Control Implementation

3.8.4.3. Control Automation

3.8.4.4. Control Documented

3.8.5. 8.5 Configure Devices to Not Auto-Run Content

3.8.5.1. Policy Defined

3.8.5.2. Control Implementation

3.8.5.3. Control Automation

3.8.5.4. Control Documented

3.8.6. 8.6 Centralize Anti-Malware Logging

3.8.6.1. Policy Defined

3.8.6.2. Control Implementation

3.8.6.3. Control Automation

3.8.6.4. Control Documented

3.8.7. 8.7 Enable DNS Query Logging

3.8.7.1. Policy Defined

3.8.7.2. Control Implementation

3.8.7.3. Control Automation

3.8.7.4. Control Documented

3.8.8. 8.8 Enable Command-Line Audit Logging

3.8.8.1. Policy Defined

3.8.8.2. Control Implementation

3.8.8.3. Control Automation

3.8.8.4. Control Documented

3.9. 9 Limitation and Control of Network Ports

3.9.1. 9.1 Associate Active Ports, Services, and Protocols to Asset Inventory

3.9.1.1. Policy Defined

3.9.1.2. Control Implementation

3.9.1.3. Control Automation

3.9.1.4. Control Documented

3.9.2. 9.2 Ensure Only Approved Ports, Protocols, and Services Are Running

3.9.2.1. Policy Defined

3.9.2.2. Control Implementation

3.9.2.3. Control Automation

3.9.2.4. Control Documented

3.9.3. 9.3 Perform Regular Automated Port Scans

3.9.3.1. Policy Defined

3.9.3.2. Control Implementation

3.9.3.3. Control Automation

3.9.3.4. Control Documented

3.9.4. 9.4 Apply Host-Based Firewalls or Port-Filtering

3.9.4.1. Policy Defined

3.9.4.2. Control Implementation

3.9.4.3. Control Automation

3.9.4.4. Control Documented

3.9.5. 9.5 Implement Application Firewalls

3.9.5.1. Policy Defined

3.9.5.2. Control Implementation

3.9.5.3. Control Automation

3.9.5.4. Control Documented

3.10. 10 Data Recovery Capability

3.10.1. 10.1 Ensure Regular Automated Backups

3.10.1.1. Policy Defined

3.10.1.2. Control Implementation

3.10.1.3. Control Automation

3.10.1.4. Control Documented

3.10.2. 10.2 Perform Complete System Backups

3.10.2.1. Policy Defined

3.10.2.2. Control Implementation

3.10.2.3. Control Automation

3.10.2.4. Control Documented

3.10.3. 10.3 Test Data on Backup Media

3.10.3.1. Policy Defined

3.10.3.2. Control Implementation

3.10.3.3. Control Automation

3.10.3.4. Control Documented

3.10.4. 10.4 Protect Backups

3.10.4.1. Policy Defined

3.10.4.2. Control Implementation

3.10.4.3. Control Automation

3.10.4.4. Control Documented

3.10.5. 10.5 Ensure All Backups Have at Least One Offline Backup Destination

3.10.5.1. Policy Defined

3.10.5.2. Control Implementation

3.10.5.3. Control Automation

3.10.5.4. Control Documented

3.11. 11 Secure Configurations for Network Devices

3.11.1. 11.1 Maintain Standard Security Configurations for Network Devices

3.11.1.1. Policy Defined

3.11.1.2. Control Implementation

3.11.1.3. Control Automation

3.11.1.4. Control Documented

3.11.2. 11.2 Document Traffic Configuration Rules

3.11.2.1. Policy Defined

3.11.2.2. Control Implementation

3.11.2.3. Control Automation

3.11.2.4. Control Documented

3.11.3. 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes

3.11.3.1. Policy Defined

3.11.3.2. Control Implementation

3.11.3.3. Control Automation

3.11.3.4. Control Documented

3.11.4. 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices

3.11.4.1. Policy Defined

3.11.4.2. Control Implementation

3.11.4.3. Control Automation

3.11.4.4. Control Documented

3.11.5. 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions

3.11.5.1. Policy Defined

3.11.5.2. Control Implementation

3.11.5.3. Control Automation

3.11.5.4. Control Documented

3.11.6. 11.6 Use Dedicated Machines For All Network Administrative Tasks

3.11.6.1. Policy Defined

3.11.6.2. Control Implementation

3.11.6.3. Control Automation

3.11.6.4. Control Documented

3.11.7. 11.7 Manage Network Infrastructure Through a Dedicated Network

3.11.7.1. Policy Defined

3.11.7.2. Control Implementation

3.11.7.3. Control Automation

3.11.7.4. Control Documented

3.12. 12 Boundary Defense

3.12.1. 12.1 Maintain an Inventory of Network Boundaries

3.12.1.1. Policy Defined

3.12.1.2. Control Implementation

3.12.1.3. Control Automation

3.12.1.4. Control Documented

3.12.2. 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries

3.12.2.1. Policy Defined

3.12.2.2. Control Implementation

3.12.2.3. Control Automation

3.12.2.4. Control Documented

3.12.3. 12.3 Deny Communications With Known Malicious IP Addresses

3.12.3.1. Policy Defined

3.12.3.2. Control Implementation

3.12.3.3. Control Automation

3.12.3.4. Control Documented

3.12.4. 12.4 Deny Communication Over Unauthorized Ports

3.12.4.1. Policy Defined

3.12.4.2. Control Implementation

3.12.4.3. Control Automation

3.12.4.4. Control Documented

3.12.5. 12.5 Configure Monitoring Systems to Record Network Packets

3.12.5.1. Policy Defined

3.12.5.2. Control Implementation

3.12.5.3. Control Automation

3.12.5.4. Control Documented

3.12.6. 12.6 Deploy Network-Based IDS Sensors

3.12.6.1. Policy Defined

3.12.6.2. Control Implementation

3.12.6.3. Control Automation

3.12.6.4. Control Documented

3.12.7. 12.7 Deploy Network-Based Intrusion Prevention Systems

3.12.7.1. Policy Defined

3.12.7.2. Control Implementation

3.12.7.3. Control Automation

3.12.7.4. Control Documented

3.12.8. 12.8 Deploy NetFlow Collection on Networking Boundary Devices

3.12.8.1. Policy Defined

3.12.8.2. Control Implementation

3.12.8.3. Control Automation

3.12.8.4. Control Documented

3.12.9. 12.9 Deploy Application Layer Filtering Proxy Server

3.12.9.1. Policy Defined

3.12.9.2. Control Implementation

3.12.9.3. Control Automation

3.12.9.4. Control Documented

3.12.10. 12.10 Decrypt Network Traffic at Proxy

3.12.10.1. Policy Defined

3.12.10.2. Control Implementation

3.12.10.3. Control Automation

3.12.10.4. Control Documented

3.12.11. 12.11 Require All Remote Login to Use Multi-Factor Authentication

3.12.11.1. Policy Defined

3.12.11.2. Control Implementation

3.12.11.3. Control Automation

3.12.11.4. Control Documented

3.12.12. 12.12 Manage All Devices Remotely Logging into Internal Network

3.12.12.1. Policy Defined

3.12.12.2. Control Implementation

3.12.12.3. Control Automation

3.12.12.4. Control Documented

3.13. 13 Data Protection

3.13.1. 13.1 Maintain an Inventory of Sensitive Information

3.13.1.1. Policy Defined

3.13.1.2. Control Implementation

3.13.1.3. Control Automation

3.13.1.4. Control Documented

3.13.2. 13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization

3.13.2.1. Policy Defined

3.13.2.2. Control Implementation

3.13.2.3. Control Automation

3.13.2.4. Control Documented

3.13.3. 13.3 Monitor and Block Unauthorized Network Traffic

3.13.3.1. Policy Defined

3.13.3.2. Control Implementation

3.13.3.3. Control Automation

3.13.3.4. Control Documented

3.13.4. 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers

3.13.4.1. Policy Defined

3.13.4.2. Control Implementation

3.13.4.3. Control Automation

3.13.4.4. Control Documented

3.13.5. 13.5 Monitor and Detect Any Unauthorized Use of Encryption

3.13.5.1. Policy Defined

3.13.5.2. Control Implementation

3.13.5.3. Control Automation

3.13.5.4. Control Documented

3.13.6. 13.6 Encrypt Mobile Device Data

3.13.6.1. Policy Defined

3.13.6.2. Control Implementation

3.13.6.3. Control Automation

3.13.6.4. Control Documented

3.13.7. 13.7 Manage USB Devices

3.13.7.1. Policy Defined

3.13.7.2. Control Implementation

3.13.7.3. Control Automation

3.13.7.4. Control Documented

3.13.8. 13.8 Manage System's External Removable Media's Read/Write Configurations

3.13.8.1. Policy Defined

3.13.8.2. Control Implementation

3.13.8.3. Control Automation

3.13.8.4. Control Documented

3.13.9. 13.9 Encrypt Data on USB Storage Devices

3.13.9.1. Policy Defined

3.13.9.2. Control Implementation

3.13.9.3. Control Automation

3.13.9.4. Control Documented

3.14. 14 Controlled Access Based on the Need to Know

3.14.1. 14.1 Segment the Network Based on Sensitivity

3.14.1.1. Policy Defined

3.14.1.2. Control Implementation

3.14.1.3. Control Automation

3.14.1.4. Control Documented

3.14.2. 14.2 Enable Firewall Filtering Between VLANs

3.14.2.1. Policy Defined

3.14.2.2. Control Implementation

3.14.2.3. Control Automation

3.14.2.4. Control Documented

3.14.3. 14.3 Disable Workstation to Workstation Communication

3.14.3.1. Policy Defined

3.14.3.2. Control Implementation

3.14.3.3. Control Automation

3.14.3.4. Control Documented

3.14.4. 14.4 Encrypt All Sensitive Information in Transit

3.14.4.1. Policy Defined

3.14.4.2. Control Implementation

3.14.4.3. Control Automation

3.14.4.4. Control Documented

3.14.5. 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data

3.14.5.1. Policy Defined

3.14.5.2. Control Implementation

3.14.5.3. Control Automation

3.14.5.4. Control Documented
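Sub-control 14.5 above (and the sensitive-information inventory in 13.1 that it feeds) turns on an active discovery tool whose main engineering problem is false positives: any 16-digit number looks like a card number to a naive pattern. The following is an added example of a discovery scan that validates its hits before reporting them; it is not from the original mind map or any product. The sample documents are constructed. The card-number check applies the Luhn checksum, and the SSN check applies the published structural rules for the US format (no 000, 666 or 900-999 area, no 00 group, no 0000 serial); which patterns matter for your organization is an assumption to adjust per the classification policy in section 4.

```python
"""Scan text for sensitive data patterns, validating hits to cut false positives.

Added example for CIS v7 sub-control 14.5 (and the 13.1 inventory); not from the
original mind map. Sample documents are constructed.
"""
import re

# Constructed sample documents: path -> contents.
SAMPLES = {
    "/share/finance/refunds.csv": "customer,pan\nalice,4111111111111111\nbob,4111111111111112\n",
    "/share/hr/onboarding.txt": "SSN 219-09-9999 on file; ticket 000-12-3456 is a test id\n",
    "/share/eng/README.md": "Build number 1234567812345678 is not a card\n",
}

# 14-19 digits with optional single spaces or dashes between them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject structurally invalid SSNs (area 000/666/900-999, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_text(text):
    """Return a list of (kind, value) for validated hits in one document."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", m.group(0)))
    return hits


def scan_documents(documents):
    """Return {path: hits} for every document with at least one validated hit."""
    results = {}
    for path, text in documents.items():
        hits = scan_text(text)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_documents(SAMPLES).items():
        print(path, hits)
```

Only the refunds file and the HR note are reported: the second card number in the CSV fails Luhn, the build number in the README fails Luhn, and the ticket id in the HR note has an invalid area number. The output is the raw material for the 13.1 inventory; the scanner should never copy the matched values into a report that itself becomes sensitive data, so in production log the path, kind and count rather than the value.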

3.14.6. 14.6 Protect Information Through Access Control Lists

3.14.6.1. Policy Defined

3.14.6.2. Control Implementation

3.14.6.3. Control Automation

3.14.6.4. Control Documented

3.14.7. 14.7 Enforce Access Control to Data Through Automated Tools

3.14.7.1. Policy Defined

3.14.7.2. Control Implementation

3.14.7.3. Control Automation

3.14.7.4. Control Documented

3.14.8. 14.8 Encrypt Sensitive Information at Rest

3.14.8.1. Policy Defined

3.14.8.2. Control Implementation

3.14.8.3. Control Automation

3.14.8.4. Control Documented

3.14.9. 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

3.14.9.1. Policy Defined

3.14.9.2. Control Implementation

3.14.9.3. Control Automation

3.14.9.4. Control Documented

3.15. 15 Wireless Access Control

3.15.1. 15.1 Maintain an Inventory of Authorized Wireless Access Points

3.15.1.1. Policy Defined

3.15.1.2. Control Implementation

3.15.1.3. Control Automation

3.15.1.4. Control Documented

3.15.2. 15.2 Detect Wireless Access Points Connected to the Wired Network

3.15.2.1. Policy Defined

3.15.2.2. Control Implementation

3.15.2.3. Control Automation

3.15.2.4. Control Documented

3.15.3. 15.3 Use a Wireless Intrusion Detection System

3.15.3.1. Policy Defined

3.15.3.2. Control Implementation

3.15.3.3. Control Automation

3.15.3.4. Control Documented

3.15.4. 15.4 Disable Wireless Access on Devices if Not Required

3.15.4.1. Policy Defined

3.15.4.2. Control Implementation

3.15.4.3. Control Automation

3.15.4.4. Control Documented

3.15.5. 15.5 Limit Wireless Access on Client Devices

3.15.5.1. Policy Defined

3.15.5.2. Control Implementation

3.15.5.3. Control Automation

3.15.5.4. Control Documented

3.15.6. 15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients

3.15.6.1. Policy Defined

3.15.6.2. Control Implementation

3.15.6.3. Control Automation

3.15.6.4. Control Documented

3.15.7. 15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data

3.15.7.1. Policy Defined

3.15.7.2. Control Implementation

3.15.7.3. Control Automation

3.15.7.4. Control Documented

3.15.8. 15.8 Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication

3.15.8.1. Policy Defined

3.15.8.2. Control Implementation

3.15.8.3. Control Automation

3.15.8.4. Control Documented

3.15.9. 15.9 Disable Wireless Peripheral Access of Devices

3.15.9.1. Policy Defined

3.15.9.2. Control Implementation

3.15.9.3. Control Automation

3.15.9.4. Control Documented

3.15.10. 15.10 Create Separate Wireless Network for Personal and Untrusted Devices

3.15.10.1. Policy Defined

3.15.10.2. Control Implementation

3.15.10.3. Control Automation

3.15.10.4. Control Documented

3.16. 16 Account Monitoring & Control

3.16.1. 16.1 Maintain an Inventory of Authentication Systems

3.16.1.1. Policy Defined

3.16.1.2. Control Implementation

3.16.1.3. Control Automation

3.16.1.4. Control Documented

3.16.2. 16.2 Configure Centralized Point of Authentication

3.16.2.1. Policy Defined

3.16.2.2. Control Implementation

3.16.2.3. Control Automation

3.16.2.4. Control Documented

3.16.3. 16.3 Require Multi-Factor Authentication

3.16.3.1. Policy Defined

3.16.3.2. Control Implementation

3.16.3.3. Control Automation

3.16.3.4. Control Documented

3.16.4. 16.4 Encrypt or Hash all Authentication Credentials

3.16.4.1. Policy Defined

3.16.4.2. Control Implementation

3.16.4.3. Control Automation

3.16.4.4. Control Documented

3.16.5. 16.5 Encrypt Transmittal of Username and Authentication Credentials

3.16.5.1. Policy Defined

3.16.5.2. Control Implementation

3.16.5.3. Control Automation

3.16.5.4. Control Documented

3.16.6. 16.6 Maintain an Inventory of Accounts

3.16.6.1. Policy Defined

3.16.6.2. Control Implementation

3.16.6.3. Control Automation

3.16.6.4. Control Documented

3.16.7. 16.7 Establish Process for Revoking Access

3.16.7.1. Policy Defined

3.16.7.2. Control Implementation

3.16.7.3. Control Automation

3.16.7.4. Control Documented

3.16.8. 16.8 Disable Any Unassociated Accounts

3.16.8.1. Policy Defined

3.16.8.2. Control Implementation

3.16.8.3. Control Automation

3.16.8.4. Control Documented

3.16.9. 16.9 Disable Dormant Accounts

3.16.9.1. Policy Defined

3.16.9.2. Control Implementation

3.16.9.3. Control Automation

3.16.9.4. Control Documented

3.16.10. 16.10 Ensure All Accounts Have An Expiration Date

3.16.10.1. Policy Defined

3.16.10.2. Control Implementation

3.16.10.3. Control Automation

3.16.10.4. Control Documented

3.16.11. 16.11 Lock Workstation Sessions After Inactivity

3.16.11.1. Policy Defined

3.16.11.2. Control Implementation

3.16.11.3. Control Automation

3.16.11.4. Control Documented

3.16.12. 16.12 Monitor Attempts to Access Deactivated Accounts

3.16.12.1. Policy Defined

3.16.12.2. Control Implementation

3.16.12.3. Control Automation

3.16.12.4. Control Documented

3.16.13. 16.13 Alert on Account Login Behavior Deviation

3.16.13.1. Policy Defined

3.16.13.2. Control Implementation

3.16.13.3. Control Automation

3.16.13.4. Control Documented

3.17. 17 Security Skills Assessment & Appropriate Training to Fill Gaps

3.17.1. 17.1 Perform a Skills Gap Analysis

3.17.1.1. Policy Defined

3.17.1.2. Control Implementation

3.17.1.3. Control Automation

3.17.1.4. Control Documented

3.17.2. 17.2 Deliver Training to Fill the Skills Gap

3.17.2.1. Policy Defined

3.17.2.2. Control Implementation

3.17.2.3. Control Automation

3.17.2.4. Control Documented

3.17.3. 17.3 Implement a Security Awareness Program

3.17.3.1. Policy Defined

3.17.3.2. Control Implementation

3.17.3.3. Control Automation

3.17.3.4. Control Documented

3.17.4. 17.4 Update Awareness Content Frequently

3.17.4.1. Policy Defined

3.17.4.2. Control Implementation

3.17.4.3. Control Automation

3.17.4.4. Control Documented

3.17.5. 17.5 Train Workforce on Secure Authentication

3.17.5.1. Policy Defined

3.17.5.2. Control Implementation

3.17.5.3. Control Automation

3.17.5.4. Control Documented

3.17.6. 17.6 Train Workforce on Identifying Social Engineering Attacks

3.17.6.1. Policy Defined

3.17.6.2. Control Implementation

3.17.6.3. Control Automation

3.17.6.4. Control Documented

3.17.7. 17.7 Train Workforce on Sensitive Data Handling

3.17.7.1. Policy Defined

3.17.7.2. Control Implementation

3.17.7.3. Control Automation

3.17.7.4. Control Documented

3.17.8. 17.8 Train Workforce on Causes of Unintentional Data Exposure

3.17.8.1. Policy Defined

3.17.8.2. Control Implementation

3.17.8.3. Control Automation

3.17.8.4. Control Documented

3.17.9. 17.9 Train Workforce Members on Identifying and Reporting Incidents

3.17.9.1. Policy Defined

3.17.9.2. Control Implementation

3.17.9.3. Control Automation

3.17.9.4. Control Documented

3.18. 18 Application Software Security

3.18.1. 18.1 Establish Secure Coding Practices

3.18.1.1. Policy Defined

3.18.1.2. Control Implementation

3.18.1.3. Control Automation

3.18.1.4. Control Documented

3.18.2. 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed Software

3.18.2.1. Policy Defined

3.18.2.2. Control Implementation

3.18.2.3. Control Automation

3.18.2.4. Control Documented

3.18.3. 18.3 Verify That Acquired Software is Still Supported

3.18.3.1. Policy Defined

3.18.3.2. Control Implementation

3.18.3.3. Control Automation

3.18.3.4. Control Documented

3.18.4. 18.4 Only Use Up-to-Date and Trusted Third-Party Components

3.18.4.1. Policy Defined

3.18.4.2. Control Implementation

3.18.4.3. Control Automation

3.18.4.4. Control Documented

3.18.5. 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms

3.18.5.1. Policy Defined

3.18.5.2. Control Implementation

3.18.5.3. Control Automation

3.18.5.4. Control Documented

3.18.6. 18.6 Ensure Software Development Personnel are Trained in Secure Coding

3.18.6.1. Policy Defined

3.18.6.2. Control Implementation

3.18.6.3. Control Automation

3.18.6.4. Control Documented

3.18.7. 18.7 Apply Static and Dynamic Code Analysis Tools

3.18.7.1. Policy Defined

3.18.7.2. Control Implementation

3.18.7.3. Control Automation

3.18.7.4. Control Documented

3.18.8. 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities

3.18.8.1. Policy Defined

3.18.8.2. Control Implementation

3.18.8.3. Control Automation

3.18.8.4. Control Documented

3.18.9. 18.9 Separate Production and Non-Production Systems

3.18.9.1. Policy Defined

3.18.9.2. Control Implementation

3.18.9.3. Control Automation

3.18.9.4. Control Documented

3.18.10. 18.10 Deploy Web Application Firewalls

3.18.10.1. Policy Defined

3.18.10.2. Control Implementation

3.18.10.3. Control Automation

3.18.10.4. Control Documented

3.18.11. 18.11 Use Standard Hardening Configuration Templates for Databases

3.18.11.1. Policy Defined

3.18.11.2. Control Implementation

3.18.11.3. Control Automation

3.18.11.4. Control Documented

3.19. 19 Incident Response & Management

3.19.1. 19.1 Document Incident Response Procedures

3.19.1.1. Policy Defined

3.19.1.2. Control Implementation

3.19.1.3. Control Automation

3.19.1.4. Control Documented

3.19.2. 19.2 Assign Job Titles and Duties for Incident Response

3.19.2.1. Policy Defined

3.19.2.2. Control Implementation

3.19.2.3. Control Automation

3.19.2.4. Control Documented

3.19.3. 19.3 Designate Management Personnel to Support Incident Handling

3.19.3.1. Policy Defined

3.19.3.2. Control Implementation

3.19.3.3. Control Automation

3.19.3.4. Control Documented

3.19.4. 19.4 Devise Organization-wide Standards for Reporting Incidents

3.19.4.1. Policy Defined

3.19.4.2. Control Implementation

3.19.4.3. Control Automation

3.19.4.4. Control Documented

3.19.5. 19.5 Maintain Contact Information For Reporting Security Incidents

3.19.5.1. Policy Defined

3.19.5.2. Control Implementation

3.19.5.3. Control Automation

3.19.5.4. Control Documented

3.19.6. 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents

3.19.6.1. Policy Defined

3.19.6.2. Control Implementation

3.19.6.3. Control Automation

3.19.6.4. Control Documented

3.19.7. 19.7 Conduct Periodic Incident Scenario Sessions for Personnel

3.19.7.1. Policy Defined

3.19.7.2. Control Implementation

3.19.7.3. Control Automation

3.19.7.4. Control Documented

3.19.8. 19.8 Create Incident Scoring and Prioritization Schema

3.19.8.1. Policy Defined

3.19.8.2. Control Implementation

3.19.8.3. Control Automation

3.19.8.4. Control Documented

3.20. 20 Penetration Tests & Red Team Exercises

3.20.1. 20.1 Establish a Penetration Testing Program

3.20.1.1. Policy Defined

3.20.1.2. Control Implementation

3.20.1.3. Control Automation

3.20.1.4. Control Documented

3.20.2. 20.2 Conduct Regular External and Internal Penetration Tests

3.20.2.1. Policy Defined

3.20.2.2. Control Implementation

3.20.2.3. Control Automation

3.20.2.4. Control Documented

3.20.3. 20.3 Perform Periodic Red Team Exercises

3.20.3.1. Policy Defined

3.20.3.2. Control Implementation

3.20.3.3. Control Automation

3.20.3.4. Control Documented

3.20.4. 20.4 Include Tests for Presence of Unprotected System Information and Artifacts

3.20.4.1. Policy Defined

3.20.4.2. Control Implementation

3.20.4.3. Control Automation

3.20.4.4. Control Documented

3.20.5. 20.5 Create Test Bed for Elements Not Typically Tested in Production

3.20.5.1. Policy Defined

3.20.5.2. Control Implementation

3.20.5.3. Control Automation

3.20.5.4. Control Documented

3.20.6. 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

3.20.6.1. Policy Defined

3.20.6.2. Control Implementation

3.20.6.3. Control Automation

3.20.6.4. Control Documented

3.20.7. 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards

3.20.7.1. Policy Defined

3.20.7.2. Control Implementation

3.20.7.3. Control Automation

3.20.7.4. Control Documented

3.20.8. 20.8 Control and Monitor Accounts Associated with Penetration Testing

3.20.8.1. Policy Defined

3.20.8.2. Control Implementation

3.20.8.3. Control Automation

3.20.8.4. Control Documented

4. Sensitive Data Governance and Classification Policy

4.1. Classifications

4.1.1. High

4.1.2. Medium

4.1.3. Low/Public

5. Asset Inventory System

5.1. Requirements

5.1.1. Must support