cm_low_impact_pri1.yaml
202 lines (158 loc) · 8.15 KB
id: cm_low_impact_pri1
name: NIST 800-53 CM Low Impact Priority 1
milestone: Configuration Management
issues:
- title: As the CIO, I want to document and communicate our configuration management policy.
  body: |
    *Why:*
    How we configure our systems oftentimes determines how secure the system will be. Ensuring that we have a well-constructed, properly disseminated configuration management policy will help ensure that our systems are built and maintained securely.
    *How:*
    * Define roles in addition to ISSO or ISSM that the configuration management policy is to be disseminated to. (State if there are no additional roles)
    * Define roles in addition to ISSO or ISSM that the configuration management procedures are to be disseminated to. (State if there are no additional roles)
    * Ensure that the configuration management policy and procedures are disseminated
    * Define frequency at which to review and update the configuration management policy and procedures (Annually).
    * Maintain audit trail of reviews and updates.
    *Acceptance Criteria / Evidence:*
    * List of personnel to whom configuration management policy and procedures are to be disseminated
    * Access control policy
    * Access control policy version update page
    * Access control policy audit trail of reviews and updates
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-1
  labels:
  - CM
  - CM-1
  - security
  - configuration
- title: As the CISO, I want to ensure that our IT system configuration settings are as restrictive as possible while still meeting our functionality requirements.
  body: |
    *Why:*
    Establishing and maintaining a standard set of locked-down configurations is the most effective way to avoid security breaches. Documenting the configuration settings is essential for personnel changes and can help us spot overlooked issues. Sharing the documentation further helps us catch security holes.
    *How:*
    * Develop and formally review a baseline configuration that can serve as a basis for future builds (CM-2).
    * Establish and document the configuration used for all products used by the IT system. This configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
    * Identify and document deviations from the established configuration settings.
    * Monitor and control changes to the configuration settings.
    *Acceptance Criteria / Evidence:*
    * Baseline configuration
    * Configuration documentation for all products used by the IT system, including:
      * Standard software packages installed on workstations, notebooks, mobile devices, and servers
      * Current version numbers and patch information for the OS and applications
      * Configuration settings/parameters
      * Network arrangement
    * Deviations from the established configuration settings
    * Frequency with which the configuration settings will be reviewed.
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
  labels:
  - CM
  - CM-2
  - CM-6
  - CM-7
  - security
  - configuration
  - baseline
- title: As the Developer, I need to ensure that I am configuring my systems in a manner that is compliant with my organization's access control policy.
  body: |
    *Why:*
    The security of my application and related systems is paramount to my project's success.
    *How:*
    * Build all systems from my organization's baseline configuration (CM-2).
    * Document all configuration settings and deviations from the established configuration settings. The configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
    * Monitor and control changes to the configuration settings.
    *Acceptance Criteria / Evidence:*
    * Document the system's security configuration, including:
      * Steps to install the application
      * Steps to run the application
      * Steps to test the application
      * The use of the baseline configuration
      * All deviations from the established configuration settings
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
  labels:
  - CM
  - CM-2
  - CM-6
  - CM-7
  - security
  - configuration
  - baseline
  - developer
- title: As the CISO, I want to maintain a centralized inventory of IT system components such as hardware, software licenses, and their respective owners.
  body: |
    *Why:*
    Maintaining an inventory helps ensure that components are up to date and helps in addressing security vulnerability alerts.
    *How:*
    * Determine the necessary information to collect.
    * Collect an initial inventory of IT system components.
    * Review the inventory at a predetermined frequency.
    *Acceptance Criteria / Evidence:*
    * Inventory specifications. Examples:
      * Manufacturer
      * Device type
      * Model
      * Serial number
      * Physical location
      * Personnel responsible
    * Frequency with which the inventory will be reviewed
    * Inventory of components, including:
      * Hardware
      * Software license information
      * Software version numbers
      * Machine names and network addresses for networked components or devices
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-8
  labels:
  - CM
  - CM-8
  - security
  - inventory
- title: As the CISO, I need to ensure that we are not opening ourselves up to security vulnerabilities with the software individual personnel install on their systems.
  body: |
    *Why:*
    Oftentimes employees are unaware of the potential security risks of installing third-party software packages, or are in such need of a specific feature that they quickly install a package without properly evaluating its security ramifications.
    *How:*
    * Establish permitted and prohibited actions regarding software installation. Permitted actions may include:
      * Updates and security patches to existing software
      * Downloading applications from organization-approved app stores
      Example prohibited actions:
      * Software with unknown or suspect pedigrees
      * Software that organizations consider potentially malicious.
    * Enforce the software installation policies.
    * Frequently monitor the policies to ensure compliance.
    *Acceptance Criteria / Evidence:*
    * Software installation policy
    * Software policy enforcement plan
    * Frequency with which the software policy will be monitored
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
  labels:
  - CM
  - CM-11
  - security
  - software
  - policy
- title: As an employee, I need to ensure that my personal devices are secure.
  body: |
    *Why:*
    I need to ensure that it is impossible for outsiders to gain access to sensitive or confidential information on my personal computer or mobile devices, especially in the case that one of these devices is lost.
    *How:*
    * Follow the organization's guidelines on permitted and prohibited actions regarding software installation.
    * Frequently monitor all local devices using organization-approved guidelines and scanners.
    *Acceptance Criteria / Evidence:*
    * Properly configure all computers and devices
    * Log of security scanners running on all devices
    *Links:*
    * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
  labels:
  - CM
  - CM-11
  - security
  - software
  - policy
  - developer
questions: []
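Each issue template above pairs a set of labels (control family plus control IDs) with the NIST 800-53 links cited in its body, and the bodies follow a fixed section layout. The checker below is an added example, not part of this repository, that lints templates in this schema for the drift that creeps in when stories are copied between files: a control cited in the links without a matching label, a label with no supporting link, a missing family label, or a missing section. The `SAMPLE` document is constructed here to mirror the file's structure (already loaded into a dict, as `yaml.safe_load` would produce); its second issue deliberately omits a section and a label.

```python
import re

# Constructed sample in the cm_low_impact_pri1.yaml schema (id / issues[title, body, labels]).
# The second issue cites CM-6 in its links without a CM-6 label and lacks the
# Acceptance Criteria section, so the checker has something to report.
SAMPLE = {
    "id": "cm_low_impact_pri1",
    "issues": [
        {
            "title": "As the CIO, I want to document our configuration management policy.",
            "body": "*Why:*\n...\n*How:*\n...\n*Acceptance Criteria / Evidence:*\n...\n*Links:*\n"
                    "* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-1\n",
            "labels": ["CM", "CM-1", "security"],
        },
        {
            "title": "As the Developer, I need to build from the baseline configuration.",
            "body": "*Why:*\n...\n*How:*\n...\n*Links:*\n"
                    "* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2\n"
                    "* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6\n",
            "labels": ["CM", "CM-2", "developer"],
        },
    ],
}

REQUIRED_SECTIONS = ("*Why:*", "*How:*", "*Acceptance Criteria / Evidence:*", "*Links:*")
CONTROL_LINK_RE = re.compile(r"controlName=([A-Z]{2}-\d+)")   # e.g. CM-7 in an NVD link
CONTROL_LABEL_RE = re.compile(r"[A-Z]{2}-\d+")                 # e.g. the label "CM-7"


def cited_controls(body):
    """Control identifiers cited through NIST 800-53 links in an issue body."""
    return set(CONTROL_LINK_RE.findall(body))


def check_issue(issue):
    """Return the list of findings for one issue template (empty when consistent)."""
    findings = []
    body, labels = issue["body"], set(issue["labels"])
    for section in REQUIRED_SECTIONS:
        if section not in body:
            findings.append(f"missing section {section}")
    cited = cited_controls(body)
    labelled = {l for l in labels if CONTROL_LABEL_RE.fullmatch(l)}
    for control in sorted(cited - labelled):
        findings.append(f"cited {control} but no matching label")
    for label in sorted(labelled - cited):
        findings.append(f"label {label} has no supporting link")
    families = {control.split("-")[0] for control in cited}   # "CM-7" -> "CM"
    for family in sorted(families - labels):
        findings.append(f"missing family label {family}")
    return findings


def check_templates(doc):
    """Map issue title -> findings, listing only issues that have problems."""
    report = {}
    for issue in doc["issues"]:
        findings = check_issue(issue)
        if findings:
            report[issue["title"]] = findings
    return report
```

Running `check_templates` over the real file (after `yaml.safe_load`) reports the same kinds of findings for every story in it.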