Information Technology Self-Assessment
The goal of this document is to provide a systematic standardized approach to assessing security
controls and management within your information technology infrastructure. This document strives to
blend the control objectives found in the SANS “Critical Controls for Effective Cyber Defense” and the
National Security Agency (NSA) Information Assurance Directorate (IAD) “Manageable Network Plan”. To
assist the reader, a reference source is listed after each control objective question in the self-assessment questionnaire.
1. Are you currently documenting all changes to your systems in a timely manner?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 4.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 3, page 16.
2. Do you have a current, accurate list of ALL devices (computers, printers, routers, gateways, etc.)
on your network, including host name, role, MAC address, service tag, physical location, and
OS/firmware?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 6.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 2, page 6.
3. Have you restricted as many users as possible on your network to the least privilege that they
require to perform their duties?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 13.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 12, page 51.
4. Have you established and documented a patch management process for ALL OS and application
software on your workstations (including laptops and other mobile devices), servers, and network
infrastructure devices?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 15.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 4, page 22.
5. Have you created and documented an approved application list for each class of device on your
network?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 17.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 2, page 12.
6. Have you established and documented a comprehensive backup strategy for your network,
including what gets backed up, when it gets backed up, where the backup media are stored, and
how to restore from backup media?
Information Technology Self-Assessment – October 2015
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 22.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 8, page 39.
7. Do you have a documented incident response plan?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 22.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 18, page 74.
8. Do you have a documented information security policy, including an “Acceptable Use Policy”,
defining how the organization’s computer equipment and network resources are to be used?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 23.
9. Is a host-based virus scanner and host-based intrusion detection system installed on every
network host, and are the host security signatures regularly updated?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 24.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 5, page 27.
10. Have you implemented network access control to prevent unauthorized devices from connecting
to your network?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 26.
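Questions 2 and 10 both come down to one check: does the documented inventory match what is actually plugged into the network? The following Python script is an added illustration, not part of the self-assessment document or either referenced publication. It assumes an inventory export carrying exactly the fields question 2 lists, and a second list of MAC addresses observed by the switches or DHCP server; both datasets are constructed inline.

```python
"""Reconcile a documented device inventory against devices seen on the network.

Added example for self-assessment questions 2 and 10.  The CSV layout and the
observed-device list are assumptions constructed for this illustration.
"""
import csv
import io
import re

# Fields question 2 expects every inventory record to carry.
REQUIRED_FIELDS = ("host_name", "role", "mac_address", "service_tag",
                   "physical_location", "os_firmware")

# Constructed sample inventory (an asset-register CSV export).
INVENTORY_CSV = """\
host_name,role,mac_address,service_tag,physical_location,os_firmware
fs01,file server,00:11:22:33:44:01,SVC1001,Server room rack 1,Windows Server 2012 R2
ws-acct-07,workstation,00:11:22:33:44:07,SVC1007,Bldg A room 204,Windows 7 SP1
prn-2f,printer,00:11:22:33:44:0A,,Bldg A 2nd floor,FW 4.2.1
rtr-edge,router,00-11-22-33-44-FE,SVC1999,Server room rack 2,IOS 15.2
"""

# Constructed sample of what the switches/DHCP server saw: (MAC, last IP).
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.0.5"),
    ("00:11:22:33:44:07", "10.0.1.23"),
    ("00:11:22:33:44:fe", "10.0.0.1"),
    ("a4:5e:60:12:34:56", "10.0.1.88"),   # not in the inventory at all
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form so both sources compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def incomplete_records(records):
    """Return (host_name, [missing or malformed fields]) for records that
    fail the field list in question 2."""
    problems = []
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if not (rec.get(f) or "").strip()]
        mac = normalize_mac(rec.get("mac_address", ""))
        if mac and not MAC_RE.match(mac):
            missing.append("mac_address (malformed)")
        if missing:
            problems.append((rec.get("host_name", "?"), missing))
    return problems


def reconcile(records, observed):
    """Return (unknown_on_network, documented_but_unseen).

    unknown_on_network: (mac, ip) pairs seen on the wire with no inventory entry,
    i.e. candidates for the unauthorized-device concern in question 10.
    documented_but_unseen: host names in the inventory that were not observed,
    which usually means a stale inventory entry or a powered-off asset.
    """
    documented = {normalize_mac(r["mac_address"]): r["host_name"]
                  for r in records if r["mac_address"].strip()}
    seen = {normalize_mac(m): ip for m, ip in observed}
    unknown = sorted((m, ip) for m, ip in seen.items() if m not in documented)
    unseen = sorted(h for m, h in documented.items() if m not in seen)
    return unknown, unseen


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for host, fields in incomplete_records(inv):
        print(f"incomplete record: {host}: {', '.join(fields)}")
    unknown, unseen = reconcile(inv, OBSERVED)
    for mac, ip in unknown:
        print(f"on network but not in inventory: {mac} ({ip})")
    for host in unseen:
        print(f"in inventory but not seen on network: {host}")
```

Run against a real export, the two lists are the evidence for the two questions: every "incomplete record" is a gap against question 2, and every "on network but not in inventory" entry is a device that network access control should have kept off the network, or that the inventory process missed.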
11. Is all of your web and email traffic directed through a proxy or secure gateway that is capable of
filtering, virus scanning, attachment blocking, and spam blocking?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 26.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 13, page 55.
12. Is your firewall configured to block all traffic leaving the network from a workstation or server that
is not absolutely essential for that machine to fulfill its role?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 26.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 13, page 55.
13. Do you audit remote access sessions? Make sure you know who is accessing your network, what
they are doing, and when they are doing it.
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 27.
b. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 14, page 60.
14. Is all VPN traffic inspected (after it is decrypted) before it is allowed to interact with any internal
network resources?
a. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 27.
15. Have you implemented processes and tools to regularly review logs to look for evidence of new
problems and attacks?
a. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 14, page 60.
b. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 28.
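Questions 13 and 15 ask for the same thing from two angles: a regular, tool-assisted review of logs that answers who accessed the network, when, and from where, and that surfaces events worth following up. The script below is an added example written for this page, not code from the self-assessment or the cited publications. It assumes a simple key=value syslog format from a VPN concentrator (an assumption; adapt the parser to the real format) and works over constructed log lines embedded in the file.

```python
"""Audit remote-access sessions from VPN log lines and flag review items.

Added example for self-assessment questions 13 and 15.  The log format
(ISO timestamp, host, event, key=value pairs) and the lines themselves are
constructed for this illustration; business hours are an assumed policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines.
LOG_LINES = """\
2015-10-05T08:02:11 vpn01 session-start user=jdoe src=203.0.113.10 id=1001
2015-10-05T08:03:40 vpn01 auth-fail user=admin src=198.51.100.7
2015-10-05T08:03:52 vpn01 auth-fail user=admin src=198.51.100.7
2015-10-05T08:04:05 vpn01 auth-fail user=admin src=198.51.100.7
2015-10-05T08:04:18 vpn01 auth-fail user=root src=198.51.100.7
2015-10-05T12:30:00 vpn01 session-end user=jdoe src=203.0.113.10 id=1001
2015-10-05T23:47:02 vpn01 session-start user=msmith src=192.0.2.44 id=1002
2015-10-06T01:15:30 vpn01 session-end user=msmith src=192.0.2.44 id=1002
2015-10-06T09:10:00 vpn01 session-start user=jdoe src=203.0.113.10 id=1003
""".splitlines()

BUSINESS_HOURS = (7, 19)          # 07:00-19:00 local time (assumed policy)
FAIL_THRESHOLD = 3                # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window from one source


def parse_line(line):
    """Split one log line into a dict of fields."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def build_sessions(records):
    """Pair session-start with session-end by session id.

    Returns {id: {"user", "src", "start", "end"}}; end stays None for a
    session with no matching end event.
    """
    sessions = {}
    for r in records:
        if r["event"] == "session-start":
            sessions[r["id"]] = {"user": r["user"], "src": r["src"],
                                 "start": r["ts"], "end": None}
        elif r["event"] == "session-end" and r["id"] in sessions:
            sessions[r["id"]]["end"] = r["ts"]
    return sessions


def after_hours_sessions(sessions):
    """Session ids whose start falls outside BUSINESS_HOURS."""
    lo, hi = BUSINESS_HOURS
    return sorted(sid for sid, s in sessions.items()
                  if not lo <= s["start"].hour < hi)


def unterminated_sessions(sessions):
    """Session ids with a start but no end in the reviewed window."""
    return sorted(sid for sid, s in sessions.items() if s["end"] is None)


def failed_auth_bursts(records):
    """(src, count) for sources with >= FAIL_THRESHOLD auth-fail events
    inside a sliding FAIL_WINDOW; reports each source once."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "auth-fail":
            by_src[r["src"]].append(r["ts"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= FAIL_WINDOW:
                j += 1
            if j - i + 1 >= FAIL_THRESHOLD:
                bursts.append((src, j - i + 1))
                break
    return sorted(bursts)


if __name__ == "__main__":
    recs = [parse_line(l) for l in LOG_LINES]
    sess = build_sessions(recs)
    for sid, s in sess.items():
        print(f"{sid}: {s['user']} from {s['src']} {s['start']} -> {s['end']}")
    print("after hours:", after_hours_sessions(sess))
    print("no end event:", unterminated_sessions(sess))
    print("failed-auth bursts:", failed_auth_bursts(recs))
```

The session table is the "who, what, when" record question 13 asks for; the three flag lists are the kind of regular review output question 15 asks for, each of which an analyst should be able to explain or escalate.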
16. Have you implemented processes and tools used to detect/prevent/correct security vulnerabilities
for all operating systems and application software on your workstations (including laptops and
other mobile devices), servers, and network infrastructure devices?
a. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 4, page 22.
b. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 29.
17. Have you implemented processes and tools used to simulate attacks against a network to
validate the overall security of an organization?
a. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 20, page 80.
18. Have you implemented processes and tools to make sure your organization understands the
technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy,
training, and awareness?
a. For more information, SANS “Critical Controls for Effective Cyber Defense”, Version 4.1,
March 2013, Critical Control 9, page 41.
b. For more information, NSA IAD “Manageable Network Plan”, Version 2.2, 5 April 2012,
page 23.
19. Do you have policies pertaining to physical access and safety procedures for your server room or
other areas containing network equipment?
a. For more information, see Special Publication 800-12: An Introduction to Computer
Security - The NIST Handbook http://csrc.nist.gov/publications/nistpubs/800-12/800-12html/chapter15.html