
BEST PRACTICES
GUIDANCE FOR ENHANCING YOUR
ORGANIZATION’S CYBER SECURITY POSTURE
Confidential and Proprietary under NDA. Not for external distribution. © 2017 Cytellix
CONTENTS
Access Control
  Administrative Controls
  Physical Controls
  Technical or Logical Controls
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
ACCESS CONTROL
Cytellix analyzes and implements Access Control for any organization in three categories, with each
having different access control mechanisms that can be carried out manually or automatically.

Administrative Controls

Physical Controls

Technical or Logical Controls
Each category of access control has several components that fall within it.
ADMINISTRATIVE CONTROLS

Security policy - Cytellix will review the security policy of an organization and ensure it
addresses the laws, regulations, and business objectives that shape and restrict the company.

Monitoring and supervising - An organization must construct a supervisory structure that
makes management members responsible for employees and requires them to take a vested
interest in their activities.

Separation of duties - The separation of duties should be enforced so that no one individual
can carry out alone a critical task that could prove detrimental to the company. Cytellix
will review the current workflow to identify the critical tasks and will guide the organization in
establishing procedures that reduce the probability of security breaches and fraud.
PHYSICAL CONTROLS

Locks

Fences

Badge system

Security guards

Biometric system

Mantrap doors

Lighting

Motion detectors

Closed-circuit TVs

Alarms
Based on the organization and its physical structure, Cytellix recommends adopting a badge system
with a log system so that entry can be monitored. All critical areas of the organization should have
doors equipped with the badge system and should be monitored by CCTV with recording capability.
The CCTV system should be clearly visible and should operate in typical lighting as well as in dim
or no lighting (using infrared illumination).
TECHNICAL OR LOGICAL CONTROLS
Technical controls, also called logical controls, are the software tools used to restrict individuals’
access to objects. They can apply to core OS components, add-on security packages, applications,
network hardware devices, protocols, encryption mechanisms, and access control metrics. These
controls protect the integrity and availability of resources by limiting the number of individuals that can
access them and protect the confidentiality of resources by preventing disclosure to unauthorized
individuals.
The following best practice and practical guide to remediation for “access control” applies to
organizations that run operating systems such as Microsoft Windows, Unix and Linux with industry
standard network gear.

Verify that servers hosting other operating systems and applications are located in a controlled
access area or areas. Server accessibility should only be granted to authorized personnel and
their access should be logged both electronically and with physical documentation.

A standard corporate legal notice should be configured to display before or at user login. This
login banner or legal disclaimer should be displayed prior to any and all logon attempts.

Caching logon credentials should be disabled. If single-sign-on is preferred, a secure SSO
solution should be deployed.

The number of failed logon attempts allowed should be set at three (3) or less, and accounts
should be locked automatically if this number is exceeded. Account resets should only be done
by authorized administrators after a user’s need is validated and documented.

Systems should audit logon attempts through policy. Alerts should be automated to be sent to
at least two admins if any account gets locked after excessive failed logon attempts.

Systems must not boot into multiple operating systems (dual-boot/multi-boot).

Systems should not allow unencrypted (plain-text) password authentication. Check with the vendor
of the systems or application servers for support of encrypted password authentication.

Automatic logon should be disabled. Allowing a system to automatically log on when the
machine is booted could give access to any unauthorized individual who restarts the computer;
automatic logon with administrator privileges would effectively give full system access to an
unauthorized individual.

Maximum password age should be set at 60 days. Password reset policy should be enforced
dynamically.

Duplicate passwords should never be used for any purposes. Password history should be
configured to record the previous 24 passwords used per user.

Password length should be set to a minimum of 14 characters, and passwords should contain at
least two of the following character classes: upper case, lower case, numbers, and special characters.

Users must be warned in advance of their passwords expiring. No grace period should be
allowed after expiration. An authorized administrator must authenticate users prior to account
resets due to expiration.

The length of idle or inactive time before a session is suspended should be set by
policy, at a maximum of fifteen minutes.

Anonymous access to network shares should not be allowed.

Systems should be configured to force logoff of users when their allowed logon hours expire. If
no logon-hours policy is enforced for access to corporate resources, logs must be created and
audited for resource usage.

Passwords for built-in administrator/root accounts must be changed at least quarterly or whenever
a member of the administrative team leaves the organization.

Two-factor or multi-factor authentication should be implemented to protect access. Multiple
options exist and a balance of user experience and security should be considered carefully
before deployment.

If smart cards are used for authentication, the smart card removal option must be configured to
force logoff or lock the system/workstation.

On all access switches, port security should be configured by MAC addresses of authorized
and connected machines to restrict other devices from using the same port.

Access control lists (ACLs) – ACLs should be used to control who can access resources in
operating systems, applications, and networks.

Routers – A standard router should be installed as the first line of defense, controlling ACLs
and routing.

Encryption – Ensure that any data encryption uses an algorithm such as AES-128 bit or higher,
data authentication such as SHA-2 (256 bits or higher), and handshake encryption such as
Diffie-Hellman keys with an RSA certificate (2048 bit or higher) to establish connections.

Audit logs – Ensure the security and integrity of system logs by sending the logs of the various
systems to a centralized log management system for safekeeping. Logs should be encrypted in
transit to the log management system and encrypted at rest.

Intrusion Detection System (IDS) – An IDS should be installed to protect all critical
segments of the network. It should use both anomaly-based and signature-based
techniques to detect malicious behavior.

Anti-virus Software – All devices should have up-to-date antivirus software running, which
should be controlled by a centralized management system. System administrators should get
alerts in case the anti-virus agent is removed from a device or if the agent fails to update to the
latest version of the software and signatures.

Firewall – A next-generation firewall should be installed to inspect network traffic at both the
packet and application level. All traffic should be blocked by default, and only specific traffic to
known services should be allowed explicitly.
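As an added example (not part of the Cytellix document), the password rules from the list above, a 14-character minimum, at least two character classes, a 24-entry history and a 60-day maximum age, implemented as a checker that a self-service reset front end could call; the one-day minimum age is taken from the Identification and Authentication section later in this document. The PasswordRecord store, the per-user salt and the PBKDF2 parameters are assumptions, not anything the document specifies.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values as stated in the Technical or Logical Controls list.
MIN_LENGTH = 14          # minimum password length
MIN_CLASSES = 2          # of the four classes: upper, lower, digit, special
HISTORY_DEPTH = 24       # previous passwords that may not be reused
MAX_AGE_DAYS = 60        # maximum password age
MIN_AGE_DAYS = 1         # minimum age (Identification and Authentication section)
PBKDF2_ROUNDS = 50_000   # assumed; raise to the platform's recommended count in production

# Constructed reference time used by the demo below.
EPOCH = datetime(2017, 3, 14, 9, 0, 0)


def after_days(start, days):
    """Convenience helper: the instant `days` days after `start`."""
    return start + timedelta(days=days)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def hash_password(password, salt):
    """Salted PBKDF2 digest so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-user state (assumed layout): one salt, the hashes of the last
    HISTORY_DEPTH passwords, and when the current password was set. A single
    salt per user lets one derivation be compared against every stored hash."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.history = []        # oldest first, current password last
        self.changed_at = None


def check_new_password(record, candidate, now):
    """Return the list of policy violations for a proposed password (empty means accept)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    digest = hash_password(candidate, record.salt)
    # Constant-time comparison against each remembered hash (current password included).
    if any(hmac.compare_digest(digest, old) for old in record.history):
        problems.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
    if record.changed_at is not None and now - record.changed_at < timedelta(days=MIN_AGE_DAYS):
        problems.append("changed less than %d day(s) ago" % MIN_AGE_DAYS)
    return problems


def commit_password(record, candidate, now):
    """Store the accepted password's hash and trim the history to HISTORY_DEPTH entries."""
    record.history.append(hash_password(candidate, record.salt))
    del record.history[:-HISTORY_DEPTH]
    record.changed_at = now


def password_expired(record, now):
    """True once the current password is MAX_AGE_DAYS old (or was never set)."""
    return record.changed_at is None or now - record.changed_at >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    rec = PasswordRecord()
    print(check_new_password(rec, "correcthorsebatterystaple", EPOCH))  # one class only
    commit_password(rec, "Correct-Horse-Battery", EPOCH)
    print(check_new_password(rec, "Correct-Horse-Battery", after_days(EPOCH, 2)))  # reuse
    print(password_expired(rec, after_days(EPOCH, 60)))  # True
```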
AUDIT AND ACCOUNTABILITY

Information system audit records should be created, protected, and retained to the extent
needed to enable the monitoring, analysis, investigation, and reporting of unlawful,
unauthorized, or inappropriate information system activity.

A common time source using the Network Time Protocol (NTP) should be implemented throughout
the organization so that all logs are synchronized to the same time source.

Make sure system administrators configure information systems to capture, at a
minimum: user logins, IP address, machine address, system name, and date and time.

System owners should have the capability to:
a. Implement and maintain audit trails for their resources and ensure auditable events
are sufficient to protect the information system.
b. Capture sufficient information in audit records to establish the occurrence of
events, the sources of events, and the outcome of events.
c. Allocate sufficient audit record storage capacity to prevent such capacity
from being exceeded.
d. Ensure that the information system automatically alerts appropriate officials
when there is an audit failure or storage capacity is close to being reached.
e. Review and analyze logs and records.
f. Investigate any suspicious activity or suspected violations and take any necessary
remediation actions.
g. Employ automated tools to review audit records.
h. Train all staff with log management responsibilities on how to review and
analyze audit logs and report incidents and, when applicable, ensure that the system time is
periodically updated from an authoritative source.
i. Ensure that audit information and audit tools are protected.

Configure information systems to audit for the following events:
a. Server startup and shutdown
b. Loading and unloading of services
c. Installation and removal of software
d. System alerts and error messages
e. User logon and logoff
f. System administration activities
g. Accesses to sensitive information, files, and systems
h. Account creation, modification, or deletion
i. Modifications of privileges and access controls

Configure the following events to be identifiable within application and database audit logs:
a. Modifications to the application
b. Application alerts and error messages
c. User logon and logoff
d. System administration activities
e. Accesses to information and files
f. Account creation, modification, or deletion
g. Modifications of privileges and access controls

Configure the following events to be identifiable within network devices (router, firewall,
switch, wireless controller and access point) audit logs:
a. Device startup and shutdown
b. Administrator logon and logoff
c. Configuration changes
d. Account creation, modification, or deletion
e. Modifications of privileges and access controls
f. System alerts and error messages

Verify that the information systems back up audit records weekly onto a different system or
media than the system being audited.
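As an added example (not part of the Cytellix document), the logon-audit fields required above (user, IP address, system name, date and time) extracted from sshd-style syslog lines, with the Access Control rule of locking an account once failed logons exceed three and alerting at least two administrators applied over them. The log lines, the host and user names, the year and the alert addresses are all constructed for the example.

```python
import re
from datetime import datetime

# Policy values from the Access Control list: lock after more than three failed
# logons and alert at least two administrators.
MAX_FAILED_LOGONS = 3
ALERT_RECIPIENTS = ["admin-one@example.invalid", "admin-two@example.invalid"]  # placeholders
LOG_YEAR = 2017  # syslog lines carry no year; assumed for the constructed sample below

# Constructed sshd-style syslog lines; not real log data.
SAMPLE_LOG_LINES = [
    "Mar 14 09:12:01 srv-fin01 sshd[2231]: Failed password for alice from 10.1.2.3 port 51122 ssh2",
    "Mar 14 09:12:03 srv-fin01 sshd[2231]: Failed password for alice from 10.1.2.3 port 51122 ssh2",
    "Mar 14 09:12:05 srv-fin01 sshd[2231]: Failed password for alice from 10.1.2.3 port 51122 ssh2",
    "Mar 14 09:12:07 srv-fin01 sshd[2240]: Failed password for bob from 10.1.2.8 port 51300 ssh2",
    "Mar 14 09:12:09 srv-fin01 sshd[2231]: Failed password for alice from 10.1.2.3 port 51122 ssh2",
    "Mar 14 09:12:11 srv-fin01 sshd[2240]: Failed password for bob from 10.1.2.8 port 51300 ssh2",
    "Mar 14 09:12:13 srv-fin01 sshd[2240]: Accepted password for bob from 10.1.2.8 port 51300 ssh2",
    "Mar 14 09:12:14 srv-fin01 sshd[2231]: Connection closed by 10.1.2.3 port 51122 [preauth]",
    "Mar 14 09:12:15 srv-fin01 sshd[2255]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2",
    "Mar 14 09:12:17 srv-fin01 sshd[2255]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2",
    "Mar 14 09:12:19 srv-fin01 sshd[2255]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2",
    "Mar 14 09:12:21 srv-fin01 sshd[2255]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2",
    "Mar 14 09:12:23 srv-fin01 sshd[2255]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2",
    "Mar 14 09:12:30 srv-fin01 sshd[2260]: Failed password for alice from 10.1.2.3 port 51140 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_line(line):
    """Extract the fields the audit policy requires (user, source IP, system name,
    date and time, outcome); return None for lines that are not logon events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(
        "%d %s %s %s" % (LOG_YEAR, m["month"], m["day"], m["time"]), "%Y %b %d %H:%M:%S"
    )
    return {
        "time": stamp,
        "host": m["host"],
        "user": m["user"],
        "source_ip": m["ip"],
        "success": m["outcome"] == "Accepted",
    }


def detect_lockouts(lines, threshold=MAX_FAILED_LOGONS):
    """Walk the log in order, count consecutive failures per account, and emit one
    lockout alert per account the first time its failure count exceeds the threshold.
    A successful logon for an account already flagged as locked is reported too,
    because it means the automatic lock was not enforced."""
    failures = {}    # account -> consecutive failed logons since the last success
    locked = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        if rec["success"]:
            if user in locked:
                findings.append({"kind": "logon_while_locked", "user": user,
                                 "time": rec["time"], "host": rec["host"],
                                 "source_ip": rec["source_ip"],
                                 "alert_to": list(ALERT_RECIPIENTS)})
            failures[user] = 0
            continue
        if user in locked:
            continue  # already reported; further failures need no new alert
        failures[user] = failures.get(user, 0) + 1
        if failures[user] > threshold:
            locked.add(user)
            findings.append({
                "kind": "lockout",
                "user": user,
                "time": rec["time"],             # date and time of the locking attempt
                "host": rec["host"],             # system name
                "source_ip": rec["source_ip"],   # originating address for troubleshooting
                "failed_attempts": failures[user],
                "alert_to": list(ALERT_RECIPIENTS),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_lockouts(SAMPLE_LOG_LINES):
        print(finding)
```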
AWARENESS AND TRAINING

Provide basic security awareness training to information system users (including managers,
senior executives, and contractors), as part of initial training for new users, and when required
by information system changes.

Determine the appropriate content of security awareness training and security awareness
techniques based on your specific organizational/industry requirements and the information
systems to which personnel have authorized access.

The content of security awareness training should include a basic understanding of the need
for information security, as well as user actions to maintain security and to respond to
suspected security incidents. The content also addresses awareness of the need for
operations security. Security awareness techniques can include, for example, displaying
posters, offering supplies inscribed with security reminders, generating email
advisories/notices from senior organizational officials, displaying logon screen messages, and
conducting information security awareness events.

Provide security awareness training on recognizing and reporting potential indicators of insider
threat. The possible precursors of insider threat can include:
o behaviors such as inordinate, long-term job dissatisfaction
o attempts to gain access to information not required for job performance
o unexplained access to financial resources
o bullying or sexual harassment of fellow employees
o workplace violence
o other serious violations of organizational policies, procedures, directives, rules, or
practices.

Provide role-based security training to personnel with assigned security roles and
responsibilities, before authorizing access to the information system or performing assigned
duties.

Provide training to personnel to recognize suspicious communications and anomalous
behavior in organizational information systems. Personnel should be trained to look for
indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an
email containing strange or poor grammar, or receiving an email from an unfamiliar sender
who appears to be from a known sponsor or contractor). Personnel should also be trained on
how to respond to such suspicious email or web communications (i.e., not opening
attachments, not clicking on embedded web links, and checking the source of email
addresses).

Individual information system security training activities should be documented and monitored,
including basic security awareness training and specific information system security training;
individual training records should be retained.
CONFIGURATION MANAGEMENT

Build a comprehensive description of the roles, responsibilities, policies, and procedures that
apply when managing the configuration of the system.

Implement the Ports, Protocols, and Service Management (PPSM) instructions compiled by
DISA that enable support for end-to-end configuration, continuous monitoring (including
discovery and analysis), vulnerability management, baseline configuration compliance
verification, and risk scoring for communication protocols in the Internet Protocol suite, data
services, and associated ports.

Establish a well-defined configuration management organization, responsible for:
a. Defining who will be responsible for and have authority over configuration
management.
b. Setting standards, procedures, and guidelines for your organization’s project or IT
teams to follow.
c. Defining tools, resources, and facilities to be used for configuration management.
d. Ensuring that the change is implemented in an orderly manner through formalized
testing.
e. Ensuring that the user base is informed of changes to be implemented.
f. Analyzing the effect of changes on systems after implementation.

Establish a steering committee for configuration management that will consist of
stakeholder(s)/owner(s), system admins, developers/analysts (if any), and operational staff.

Ensure that changes made to verification systems take place in an identifiable and controlled
environment. Configuration managers are responsible for ensuring that additions, deletions, or
changes made to the verification system do not jeopardize its ability to satisfy trusted requirements.

Conduct change management meetings on a regular basis to review, track,
approve or disapprove, and audit changes to information systems.

Whenever possible, apply changes in a test environment first and analyze the security impact
of the changes prior to implementing them in your production environment.

Apply changes after hours to minimize any impact to business operations.

Fully implement a procedure to verify changes and document them for change management
committee review.

Implement the Least Functionality Principle appropriately for various job roles and
responsibilities by configuring information systems to allow for only essential capabilities.

Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols,
and services.

Apply a deny-by-exception (blacklist) policy to prevent the use of unauthorized software, or apply
a permit-by-exception (whitelist) policy to restrict the execution of software to only approved
applications.

Hardware change control entries should be added and tracked in the change control system
every time new hardware and configurations are added to the network.

Maintain configurations of firewalls, switches, and intrusion detection systems to ensure that
they aren’t tampered with to cover up malicious actions.

Track user and administrator activity for change events with detailed information including who,
what, when, where, which system, and why, plus original and current values for all changes.

Have critical change and pattern alerts sent to email and mobile devices to prompt immediate
action, enabling faster responses even after hours or when off-site.

Capture the originating IP address/workstation name for account lockout events to simplify
troubleshooting.

Provide file integrity verification protection against unintended modifications and deletions to
the most critical system files and folders.

Enable the viewing, highlighting, and filtering of change events, and their relation to other
events over time, in chronological order across your environment for better
understanding and forensic analysis of events and trends.

Enable the capability to manage, monitor and audit all file server changes from a single
location, which streamlines management of multiple servers and locations.

Ensure access to shared files is maintained by tracking all events related to file shares in real
time.
IDENTIFICATION AND AUTHENTICATION

Identify information system users, as well as processes acting on behalf of users or devices.

Configure information systems to uniquely identify and authenticate organizational users and
devices.

Users must be uniquely identified and authenticated for all access, other than those accesses
explicitly identified and documented as exceptions regarding permitted actions without
identification and authentication.

Unique identification of individuals in group accounts (e.g., shared privilege accounts) may
need to be considered for detailed accountability of activity.

Authentication of user identities should be accomplished through the use of passwords,
tokens, biometrics, or in the case of multifactor authentication, some combination thereof. At
minimum, all network-based access used to perform administrative functions on servers or
multi-user systems should employ two-factor authentication and access to these systems
should be audited.

System administrators should receive authorization from department owners before assigning an
identifier to a user or device.

System administrator(s) should assign user identifiers to ensure that no two users have the
same identifier, maintaining user accountability.

User identifiers should be disabled after 90 days of inactivity.

If a user knows or suspects that their password has been compromised, they should
immediately:
a. Notify their supervisor.
b. Request that the system administrator reset or change their password; if self-service
password mechanisms are used, immediately change their own password.
c. For sensitive systems, the initial/temporary password must be delivered to the user in a
secure and confidential manner (e.g., in person, secure email, etc.).

Systems should require all passwords be a minimum level of complexity and difficult for
unauthorized people to guess. Employees should create passwords that are at least eight
characters long and contain a combination of upper- and lower-case letters, numbers, and
punctuation marks or other special characters.

All system-level passwords (for example, root, enable, Windows admin, application
administration accounts, and so on) must be changed on at least a quarterly basis.

All user-level passwords (for example, email, web, desktop computer, and so on) must be
changed at least every 60 days.

Establish minimum and maximum lifetime restrictions and reuse conditions for
authenticators:
a. Passwords must have a minimum lifetime of 1 day(s) and a maximum lifetime of 90
days.
   o Unless authorized by the System Owner, passwords cannot be changed in less
   than one (1) day.
   o Authenticators must be changed at least every 90 days.
b. Password reuse is prohibited for 24 generations.
   o Password history must be set with a history of at least 24 passwords, so a user
   cannot quickly re-use a previous password.
INCIDENT RESPONSE

Establish an operational incident handling capability for organizational information systems
that includes preparation, identification, detection, analysis, containment/mitigation,
recovery, follow-up, and user response activities.

Define the incident response team ahead of time and describe cross-organizational goals to
ensure that appropriate resources are allotted and that these goals are well aligned.

Determine team leadership, and roles and responsibilities. The chain of command ensures
prompt action on the part of team members; delay can cause serious reputational and
regulatory consequences. Everyone knows ahead of time what should be done when.

Document an incident response plan that considers different scenarios, their implications, and the
tools needed to mitigate the damage. Plans often rely on key individuals; if these people are
not available, an undocumented plan may fail.

The incident response plan is a living document; test and revise it often against different
scenarios, especially new threats from malware and identity theft.

There should be a checklist and procedures for shutdown, startup, restoration, and others.

Ensure that procedures for collecting evidence are in place.

Track, document, and report incidents to the department head of the organization.
MAINTENANCE

Schedule, perform, document, and review records of maintenance and repairs on information
asset components in accordance with manufacturer or vendor specifications and/or
organizational requirements.

Control all maintenance activities of system and services, whether performed on site or
remotely and whether the equipment is serviced on site or removed to another location.

Require that a designated official explicitly approve the removal of the information asset or
system components from organizational facilities for off-site maintenance or repairs.

Sanitize equipment to remove all information from associated media prior to removal from
organizational facilities for off-site maintenance or repairs.

Check all potentially impacted security controls to verify that the controls are still functioning
properly following maintenance or repair actions.

Ensure strong identification and authentication techniques in the establishment of non-local
maintenance and diagnostic sessions.

Terminate all sessions and network connections when non-local maintenance is completed.

Maintain records for non-local maintenance and diagnostic activities.

Ensure that personnel performing maintenance on the information asset have the required
access authorizations, or designate organizational personnel with the required access
authorizations to oversee the work.

Authorize, monitor, and control non-local maintenance and diagnostic activities, and check
media containing diagnostic and test programs for malicious code before the media are used
in the information system.

All information systems must obtain maintenance support within a defined service level
agreement.
MEDIA PROTECTION

Restrict access to digital media (external/removable hard disk drives, flash drives, compact
disks, diskettes, magnetic tape and digital video disks). This includes, for example, limiting
access to design specifications stored on compact disks in the media library to authorized users.

Restrict access to non-digital media (paper and microfilm) to authorized users.

Mark both digital and non-digital media with security markings, such as "for official use only"
and "restricted", indicating the distribution limitations.

Protect information system media, both digital and non-digital, until they are destroyed
or sanitized using approved equipment, techniques, and procedures.

Physically control information system media, both digital and non-digital, for example by
conducting inventories, ensuring procedures are in place to allow individuals to check out and
return media to the media library, and maintaining accountability for all stored media.

Maintain accountability for information system media, both digital and non-digital, during
transport outside of controlled areas.

Document and restrict the activities associated with the transport of information system media,
both digital and non-digital, to authorized personnel.

Employ sanitization mechanisms with strength and integrity commensurate with the
security category or classification of the information.

The sanitization process requires removing information from the media such that the information
cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging,
cryptographic erase, and destruction, prevent the disclosure of information to unauthorized
individuals when such media is reused or released for disposal.

Organizations determine the appropriate sanitization methods, recognizing that destruction is
sometimes necessary when other methods cannot be applied to media requiring sanitization.

Organizations review and approve media to be sanitized to ensure compliance with records
retention policies. Tracking/documenting actions include, for example, listing personnel who
reviewed and approved sanitization and disposal actions, types of media sanitized, specific files
stored on the media, sanitization methods used, date and time of the sanitization actions,
personnel who performed the sanitization, verification action taken, personnel who performed
the verification, and disposal action taken.

Organizations employ dual authorization to ensure that information system media sanitization
cannot occur unless two technically qualified individuals conduct the task.

Organizations should prohibit the use of portable storage devices (smart phones, tablets) in
organizational information systems when such devices have no identifiable owner.
PERSONNEL SECURITY

Assign a risk designation to all organizational positions, establish screening criteria for
individuals filling those positions, and review and update position risk designations.

Screen individuals prior to authorizing access to the information system, and define different
rescreening conditions and frequencies for personnel accessing information systems based on
the types of information processed, stored, or transmitted by the systems.

Ensure that individuals accessing an information system that processes, stores, or transmits
information requiring special protection have valid access authorizations that are
demonstrated by their assigned duties.

Disable information system access upon termination of an employee, conduct exit interviews,
and retrieve all security-related organizational information system-related property.

Actions required for personnel transfers or reassignments to other positions within the
organization:
a. Returning old and issuing new keys, identification cards, and building passes.
b. Closing information system accounts and establishing new accounts.
c. Changing information system access authorizations.
d. Providing for access to official records to which individuals had access at previous
work locations and in previous information system accounts.
PHYSICAL PROTECTION

Develops, approves, and maintains a list of individuals with authorized access to the facility
where the information system resides, issues authorization credentials for facility access also
removes individuals from the facility access list when access is no longer required.

Require two forms of identification for visitor access to the facility where the information
system resides. Acceptable forms of government photo identification include, for example,
passports, Personal Identity Verification (PIV) cards, and driver licenses.

Maintain physical access audit logs, escort visitors, and monitor visitor activity.

The organization employs guards and/or alarms to monitor every physical access point to the
facility where the information system resides 24 hours per day, 7 days per week.

Maintain audit logs of physical access, whether manual or automated. Manual logs can be
procedural, for example a written log of individuals accessing the facility and when such access
occurred. An automated log can capture the ID presented on a Personal Identity Verification
(PIV) card.

Control physical access to information system output devices to prevent unauthorized
individuals from obtaining the output, for example by placing output devices in locked rooms or
other secured areas and allowing access to authorized individuals only, and by placing output
devices in locations that can be monitored by organizational personnel. Monitors, printers,
copiers, scanners, facsimile machines, and audio devices are examples of information system
output devices.

Protect power equipment and power cabling for the information system from damage and
destruction. Determine the types of protection necessary for power equipment and cabling
employed at different locations, both internal and external to organizational facilities and
environments of operation. This includes, for example, generators and power cabling outside
of buildings, and internal cabling and uninterruptible power sources within an office or data center.

Provide the capability of shutting off power to the information system or individual system
components in emergency situations, place emergency shutoff switches or devices where they
are safe and easy for personnel to reach, and protect the emergency power shutoff capability
from unauthorized activation.

Provide a means for employees to communicate with information security personnel in case of
security incidents or problems. Organizations may define different sets of security controls for
specific alternate work sites or types of sites depending on the work-related activities
conducted at those sites. This control supports the contingency planning activities of
organizations.
RISK ASSESSMENT:

Conduct an assessment of risk, including the likelihood and magnitude of harm, from the
unauthorized access, use, disclosure, disruption, modification, or destruction of the information
system and the information it processes, stores, or transmits.

Risk assessments take into account threats, vulnerabilities, likelihood, and impact on
organizational operations, assets, individuals, and the use of information systems. Risk
assessments also take into account risk from external parties (e.g., service providers,
contractors operating information systems on behalf of the organization, individuals accessing
organizational information systems, outsourcing entities).

Determine the required vulnerability scanning for all information system components, ensuring
that potential sources of vulnerabilities such as networked printers, scanners, and copiers are
not overlooked.

Vulnerability scanning includes, for example:
a. scanning for patch levels
b. scanning for functions, ports, protocols, and services
c. scanning for improperly configured or incorrectly operating information flow control
mechanisms
Deploy tools that support vulnerabilities expressed in the Common Vulnerabilities and
Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language
(OVAL) to determine or test for the presence of vulnerabilities. Suggested sources for
vulnerability information include the Common Weakness Enumeration (CWE) listing and the
National Vulnerability Database (NVD).
SECURITY ASSESSMENT:

Define the assessment procedures to be used to determine security control effectiveness, the
assessment environment, the assessment team, and assessment roles and responsibilities.

Assess the security controls in the information system and its environment of operation at
least once a year, to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting established
security requirements.

To satisfy annual assessment requirements, organizations assess security controls in
organizational information systems and the environments in which those systems operate as
part of:
a. initial and ongoing security authorizations
b. continuous monitoring
c. system development life cycle activities

Security assessments ensure that information security is built into organizational information
systems, identify weaknesses and deficiencies early in the development process, provide
essential information needed to make risk-based decisions as part of security authorization
processes, and ensure compliance with vulnerability mitigation procedures.

Organizations can constrain information system connectivity to external domains (e.g.,
websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny
by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow
by exception, also known as whitelisting (the stronger of the two policies). For either policy,
organizations determine what exceptions, if any, are acceptable.

Develop a plan of action and milestones for the information system to correct weaknesses or
deficiencies noted during the assessment of the security controls and to reduce or eliminate
known vulnerabilities in the system.

The organization conducts penetration testing at least once a year for all of its Internet-facing
information systems. Penetration testing is a specialized type of assessment conducted on
information systems or individual system components to identify vulnerabilities that could be
exploited by adversaries.

Penetration testing can be conducted on the hardware, software, or firmware components of
an information system and can exercise both physical and technical security controls. A
standard method for penetration testing includes, for example: (i) pretest analysis based on full
knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on
pretest analysis; and (iii) testing designed to determine exploitability of identified
vulnerabilities.
SYSTEM AND COMMUNICATIONS PROTECTION:

The information system should prevent the presentation of information system management-related
functionality at an interface for non-privileged users.

The separation of user functionality from information system management functionality is either
physical or logical. Organizations implement separation of system management-related
functionality from user functionality by using different computers, different central processing
units, different instances of operating systems, different network addresses, virtualization
techniques, or combinations of these or other methods, as appropriate.

The information system isolates security functions from non-security functions by means of an
isolation boundary (implemented via partitions and domains). Such isolation controls access to
and protects the integrity of the hardware, software, and firmware that perform those security
functions.

Information systems restrict access to security functions through the use of access control
mechanisms and by implementing least privilege capabilities.

The information system should prevent unauthorized and unintended information transfer via
shared system resources such as memory or hard disks.

Implement VLANs, DMZs, and subnetworks for publicly accessible systems; these should be
physically and logically separated from the internal networks.

Implement the following flow policy for publicly accessible systems:
a. Implement a managed interface for each external service.
b. Establish the traffic policy for each managed interface where an external service
resides.
c. Protect the confidentiality and integrity of the information being transmitted by
implementing encryption.
d. Document each exception to the traffic flow policy with a supporting
mission/business need and the duration of that need.

Implement stateful inspection on the firewall to prevent denial-of-service attacks against
the information system.

A deny-all, permit by exception network communications traffic policy ensures that only those
connections which are essential and approved are allowed. This should be applied to both
inbound and outbound network communications traffic.
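As an added illustration of the deny-all, permit-by-exception policy above, combined with the earlier requirement that each exception be documented with its business need and duration, the following Python is example code written for this page and not part of the Cytellix document; the hosts, ports, dates and exception list are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not part of the Cytellix document: a deny-all, permit-by-
# exception traffic policy applied to inbound and outbound flows. Every
# exception records its business need and how long it is needed, so an
# exception whose period has lapsed no longer permits traffic. Hosts, ports
# and dates below are constructed.

@dataclass(frozen=True)
class Flow:
    direction: str  # "inbound" or "outbound"
    dst: str        # destination host or service name
    port: int
    proto: str      # "tcp" or "udp"

@dataclass(frozen=True)
class TrafficException:
    direction: str
    dst: str        # specific destination, or "*" for any destination
    port: int
    proto: str
    need: str       # documented mission/business need
    expires: date   # last day the documented need covers

def matches(exc: TrafficException, flow: Flow) -> bool:
    """True when the exception covers this flow (destination "*" means any)."""
    return (exc.direction == flow.direction
            and exc.proto == flow.proto
            and exc.port == flow.port
            and exc.dst in ("*", flow.dst))

def decide(flow: Flow, exceptions, today: date):
    """Default is deny; only a current, matching exception permits the flow."""
    for exc in exceptions:
        if matches(exc, flow) and exc.expires >= today:
            return "permit", exc.need
    return "deny", None

def lapsed(exceptions, today: date):
    """Exceptions whose documented need has expired and should be removed."""
    return [e for e in exceptions if e.expires < today]

# Constructed exception list for an organization's managed interfaces
APPROVED = [
    TrafficException("inbound", "dmz-web", 443, "tcp", "public web service", date(2026, 12, 31)),
    TrafficException("outbound", "*", 53, "udp", "DNS resolution", date(2026, 12, 31)),
    TrafficException("outbound", "*", 25, "tcp", "legacy mail relay, temporary", date(2017, 6, 30)),
]
```

Running `decide` over each observed flow and `lapsed` over the exception list at a review date shows that an unlisted inbound port is denied outright, and that the temporary mail-relay exception stops permitting traffic once its documented period ends.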

Apply common safeguards against denial-of-service attacks related to storage utilization and
capacity; these include, for example, instituting disk quotas, configuring information systems to
automatically alert administrators when specific storage capacity thresholds are reached, using
file compression technologies to maximize available storage space, and imposing separate
partitions for system and user data.

Deploy host-based firewalls to protect the host boundary on, for example, servers,
workstations, and mobile devices.

The use of VPNs for remote connections may provide the organization with sufficient
assurance. Split tunneling should not be allowed when deploying the VPN policy, as it makes the
system more vulnerable to attack and to exfiltration of organizational information.

The information system routes all networked, privileged accesses through a dedicated,
managed interface for purposes of access control and auditing.

Organizations can isolate information system components performing different missions and/or
business functions. Such isolation limits unauthorized information flows among system
components and also provides the opportunity to deploy greater levels of protection for
selected components. Separating system components with boundary protection mechanisms
provides the capability for increased protection of individual components and for more
effective control of information flows between those components. This type of enhanced
protection limits the potential harm from cyber-attacks and errors.

Segmenting the network into subnets helps to provide the appropriate level of protection for
network connections to different security domains containing information with different security
categories or classification levels. The information system implements separate network
addresses (i.e., different subnets) to connect to systems in different security domains.

The information system terminates the network connection associated with a communications
session at the end of the session or after 10 minutes of inactivity.


Collaborative computing devices include, for example, networked whiteboards, cameras, and
microphones. Explicit indication of use includes, for example, signals to users when
collaborative computing devices are activated. Such indication helps to prevent unauthorized
individuals from participating in collaborative computing sessions without the explicit
knowledge of other participants.

For all certificates, organizations manage information system trust stores to ensure only
approved trust anchors are in the trust stores. This control addresses both certificates with
visibility external to organizational information systems and certificates related to the internal
operations of systems.

The organization establishes and manages cryptographic keys for required cryptography
employed within the information system to protect the confidentiality of Controlled Unclassified
Information (CUI) in accordance with FIPS-validated cryptography.

Establish usage restrictions and implementation guidance for acceptable mobile code and
mobile code technologies; and authorize, monitor, and control the use of mobile code
within the information system.

Establish usage restrictions and implementation guidance for Voice over Internet Protocol
(VoIP) technologies based on the potential to cause damage to the information system if used
maliciously; and authorize, monitor, and control the use of VoIP within the information
system.

Organizations employing cryptographic mechanisms to encrypt information on storage devices,
in order to protect information at rest, should also consider cryptographic key management solutions.
SYSTEM AND INFORMATION INTEGRITY

Test software and firmware updates related to flaw remediation for effectiveness and potential
side effects before installation.

Install security-relevant software and firmware updates within two days of the release of the
updates, and incorporate flaw remediation into the organizational configuration management
process.

Employ malicious code protection mechanisms at information system entry and exit points to
detect and eradicate malicious code. Such mechanisms include, for example, anti-virus signature
definitions and reputation-based technologies.

The organization centrally manages malicious code protection mechanisms. Central
management includes planning, implementing, assessing, authorizing, and monitoring the
organization-defined, centrally managed malicious code protection security controls.

Monitor the information system to detect attacks and indicators of potential attacks, and
unauthorized local, network, and remote connections.

Information system monitoring capability is achieved through a variety of tools and techniques,
for example by intrusion detection systems, intrusion prevention systems, malicious code
protection software, scanning tools, audit record monitoring software, network monitoring
software.

Implement automated tools to support near real-time analysis of events. Automated tools
include, for example, host-based, network-based, transport-based, or storage-based event
monitoring tools or Security Information and Event Management (SIEM) technologies that
provide real-time analysis of alerts and/or notifications generated by organizational information
systems.

Deploy automated tools to integrate intrusion detection tools into access control and flow
control mechanisms for rapid response to attacks by enabling reconfiguration of these
mechanisms in support of attack isolation and elimination.

The information system monitors both inbound and outbound communications traffic for
unusual or unauthorized activities or conditions.

Analyze communications traffic for anomalies. Anomalies within organizational information
systems include, for example, large file transfers, long-time persistent connections, unusual
protocols and ports in use, and attempted communications with suspected malicious external
addresses.

The organization employs automated mechanisms to alert security personnel of inappropriate
or unusual activities with security implications, such as those identified in suspicious activity
reports and reports on potential insider threats.
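The anomaly checks and the automated alerting described in the preceding paragraphs, as an added Python example that is not part of the Cytellix document; the thresholds, the expected-port list, the suspect address and the flow records are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the Cytellix document: the anomaly checks named
# above (large transfers, long persistent connections, unusual protocols or
# ports, contact with suspected malicious addresses) run over constructed
# flow summaries, producing an alert per anomalous flow for security staff.

@dataclass(frozen=True)
class FlowSummary:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int   # bytes sent from the internal host
    duration_s: int  # connection lifetime in seconds

# Assumed thresholds and lists; tune to the environment's baseline
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB outbound in one flow
LONG_CONNECTION_S = 6 * 3600               # six hours
EXPECTED_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22)}
SUSPECT_DESTINATIONS = {"203.0.113.77"}    # placeholder from a threat feed

def analyze(flow: FlowSummary) -> list:
    """Return the list of anomaly findings for one flow (empty if none)."""
    findings = []
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        findings.append("large outbound transfer")
    if flow.duration_s >= LONG_CONNECTION_S:
        findings.append("long-lived persistent connection")
    if (flow.proto, flow.dport) not in EXPECTED_PORTS:
        findings.append(f"unusual protocol/port {flow.proto}/{flow.dport}")
    if flow.dst in SUSPECT_DESTINATIONS:
        findings.append("contact with suspected malicious address")
    return findings

def alerts(flows) -> list:
    """One alert per anomalous flow; a suspect destination or 2+ findings is high."""
    out = []
    for f in flows:
        found = analyze(f)
        if not found:
            continue
        high = len(found) >= 2 or "contact with suspected malicious address" in found
        out.append({"src": f.src, "dst": f.dst, "findings": found,
                    "severity": "high" if high else "medium"})
    return out

# Constructed flow summaries (documentation address ranges, not real traffic)
SAMPLE_FLOWS = [
    FlowSummary("10.0.1.15", "198.51.100.10", "tcp", 443, 12_000, 3),
    FlowSummary("10.0.1.22", "203.0.113.77", "tcp", 4444, 900_000_000, 30_000),
    FlowSummary("10.0.2.8", "198.51.100.44", "tcp", 443, 650_000_000, 120),
    FlowSummary("10.0.3.3", "198.51.100.53", "udp", 53, 500, 1),
]
```

Calling `alerts(SAMPLE_FLOWS)` yields two alerts: a high-severity one for the long, large transfer on an unexpected port to the suspect address, and a medium one for a large transfer over an otherwise ordinary HTTPS connection.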

Implement a wireless intrusion detection system to identify rogue wireless devices and to
detect attack attempts and potential compromises/breaches to the information system.

The organization correlates information from monitoring physical, cyber, and supply chain
activities to achieve integrated, organization-wide situational awareness.