Purpose:

Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy.  Establish and maintain information security roles and access privileges and perform security monitoring.

Objective:

Minimize the business impact of operational information security vulnerabilities and incidents.

Description:

<?>

Inputs:

• Data classification guidelines
• SLAs
• Information architecture model
• OLAs
• Results of physical inventory checks
• Reports of violations
• Definition of IT-related roles and responsibilities
• Information architecture model
•  
• <?>

Outputs:

• Malicious software prevention policy
• Evaluations of potential threats
• Connectivity security policy
• Results of penetration tests
• Security policies for endpoint devices
• Approved user access rights
• Results of reviews of user accounts and privileges
• Approved access request
• Access logs
• Inventory of sensitive documents and devices
• Access privileges
• Security event logs
• Security incident characteristics
• Security incident tickets
• <?>

Controls:

<?>

Task Instructions:

Protect Against Malware

1. 1. Communicate malicious software awareness and enforce prevention procedures and responsibilities.

   2. Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).

   3. Distribute all protection software centrally (version and patch-level) using centralized configuration and change management.

   4. Regularly review and evaluate information on new potential threats (e.g., reviewing vendors’ products and services security advisories).

   5. Filter incoming traffic, such as email and downloads, to protect against unsolicited information (e.g., spyware, phishing emails).

   6. Conduct periodic training about malware in email and Internet usage. Train users to not install shared or unapproved software.

Manage Network and Connectivity Security

1. 1. Based on risk assessments and business requirements, establish and maintain a policy for security of connectivity.

   2. Allow only authorized devices to have access to corporate information and the enterprise network. Configure these devices to force password entry.
   3. Implement network filtering mechanisms, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic.
   4. Encrypt information in transit according to its classification.
   5. Apply approved security protocols to network connectivity.
   6. Configure network equipment in a secure manner.
   7. Establish trusted mechanisms to support the secure transmission and receipt of information.
   8.  Carry out periodic penetration testing to determine the adequacy of network protection.
   9. Carry out periodic testing of system security to determine the adequacy of system protection.

Manage Endpont Security

1. 1. Securely configure operating systems.

   2. Implement device lockdown mechanisms.

   3. Encrypt information in storage according to its classification.

   4. Manage remote access and control.

   5. Securely manage network configuration.

   6. Implement network traffic filtering on endpoint devices.

   7. Protect system integrity.

   8. Provide physical protection of endpoint devices.

   9. Dispose of endpoint devices securely.

Manage User Identity and Logical Access

1. 1. Maintain user access rights in accordance with the business function and process requirements. Align the management of identities and access rights to the defined roles and responsibilities, based on least-privilege, need-to-have, and need-to-know principles.
   2. Uniquely identify all information processing activities by functional roles, coordinating with business units to ensure that all roles are consistently defined, including roles that are set by the business itself within business process applications.
   3. Authenticate all access to information assets based on their security classification, coordinating with business units that manage authentication within applications used in business processes to ensure that authentication controls have been properly administered.
   4. Administer all changes to access rights (creation, modifications, and deletions) to take effect at the appropriate time based only on approved and documented transactions authorized by designated management individuals.
   5. Segregate and manage privileged user accounts.
   6. Perform regular management review of all accounts and related privileges.
   7. Ensure that all users (internal, external, and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development, and maintenance) are uniquely identifiable. Uniquely identify all information processing activities by a user.
   8. Maintain an audit trail of access to information classified as highly sensitive

Manage Physical access to IT Assets

1. 1. Manage the requesting and granting of access to the computing facilities. Formal access requests are to be completed and authorized by the management of the IT site, and the request records retained. The forms should specifically identify the areas to which the individual is granted access.

   2. Ensure that access profiles remain current. Base access to IT sites (server rooms, buildings, areas, or zones) on job functions and responsibilities.

   3. Log and monitor all entry points to IT sites. Register all visitors, including contractors and vendors, to the site.

   4. Instruct all personnel to display visible identification at all times. Prevent the issuance of identity cards or badges without proper authorization.

   5. Require visitors to be escorted at all times while on-site. If an unaccompanied, unfamiliar individual who is not wearing staff identification is identified, alert security personnel.

   6. Restrict access to sensitive IT sites by establishing perimeter restrictions, such as fences, walls, and security devices on the interior and exterior doors. Ensure that the devices record entry and trigger an alarm in the event of unauthorized access. Examples of such devices include badges or key cards, keypads, closed-circuit television, and biometric scanners.

   7. Conduct regular physical security awareness training.

Manage Sensitive Documents and Output Devices

1. 1. Establish procedures to govern the receipt, use, removal, and disposal of special forms and output devices into, within, and out of the enterprise.

   2. Assign access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.

   3. Establish an inventory of sensitive documents and output devices, and conduct regular reconciliations.

   4. Establish appropriate physical safeguards over special forms and sensitive devices.

   5. Destroy sensitive information and protect output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).

Monitor the Infrastructure for Security-Related events

1. 1. Log security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.

   2. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.

   3. Regularly review the event logs for potential incidents.

   4. Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff is made aware of the requirements.

   5. Ensure that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.