3.14.2 has a weight of -5 points

(System and Information Integrity Family) 2/7

Provide protection from malicious code at designated locations within organizational systems.

Example of System Security Plan (SSP):

    Organizational System Security Plan (SSP) – Protecting Against Malicious Code

    1. Introduction:
    The main objective of this document is to lay out a clear plan ensuring that the organization remains shielded from malicious code at critical and designated locations within our systems. We integrate several Microsoft Azure products and services into our strategy to provide comprehensive protection against potential threats.

    a. Primary Measures:
    – Managed Endpoint Solution for real-time scanning. (name of solution here)
    – Firewalls to filter and block potential threats. (name of solution here)
    – Advanced Email Protection Solutions for safeguarding against malicious emails. (name of solution here)

    b. Definitions:
    – Managed Endpoint Solution: Integrated system for managing security across devices, inclusive of antivirus capabilities.
    – Firewalls: Systems to regulate network traffic.
    – Advanced Email Protection Solution: Detect and deter malicious email content.

    4. Continuous Monitoring and Incident Prevention:
    All designated protection locations are kept under constant surveillance to detect potential threats. Monitoring is enhanced by threat intelligence and guidelines from [SP 800-83].

    5. Threat Intelligence Integration:
    Threat intelligence gathered through our security measures and continuous monitoring is incorporated into security operations. This aims to broaden our understanding of potential threats, enabling us to refine our response strategies.

    6. Regular Review and Updates:
    In light of the ever-evolving cyber threats, our defense mechanisms and tools are consistently assessed and updated. This proactive approach ensures we remain ahead of potential threats.

    7. Continuous Improvement:
    Driven by feedback from reviews, monitoring, and threat intelligence, we are dedicated to constantly improving our strategies and technologies to effectively combat the changing landscape of malicious code threats.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M) – Malicious Code Protection Strategy

    Objective: Implement the strategies and measures from the Organizational System Security Plan (SSP) to ensure the organization remains protected from malicious code threats.

    1. Azure Active Directory (Azure AD) Integration

    • Milestone 1:
      • Objective: Set up and configure Azure AD.
      • Timeline: 2 weeks.
      • Responsible Party: IT Department.
    • Milestone 2:
      • Objective: Implement Multi-Factor Authentication for all users.
      • Timeline: 1 week.
      • Responsible Party: IT Security Team.

    2. Azure Virtual Machines (VMs) Integration

    • Milestone 3:
      • Objective: Set up Azure VMs based on organizational needs.
      • Timeline: 3 weeks.
      • Responsible Party: IT Infrastructure Team.
    • Milestone 4:
      • Objective: Enable Disk Encryption and schedule regular backups.
      • Timeline: 1 week.
      • Responsible Party: IT Security Team.

    3. Azure Networking

    • Milestone 5:
      • Objective: Deploy Azure Networking solutions.
      • Timeline: 3 weeks.
      • Responsible Party: Networking Team.
    • Milestone 6:
      • Objective: Implement DDoS Protection and set up VPN Gateway.
      • Timeline: 2 weeks.
      • Responsible Party: IT Security Team.

    4. Microsoft 365 Suite

    • Milestone 7:
      • Objective: Deploy and configure Microsoft 365 Suite for the organization.
      • Timeline: 2 weeks.
      • Responsible Party: IT Department.
    • Milestone 8:
      • Objective: Activate Defender for Endpoint and Cloud App Security.
      • Timeline: 1 week.
      • Responsible Party: IT Security Team.

    5. Azure Security Center

    • Milestone 9:
      • Objective: Integrate Azure Security Center for centralized management.
      • Timeline: 2 weeks.
      • Responsible Party: IT Security Team.

    6. Azure Monitoring and Analysis

    • Milestone 10:
      • Objective: Implement Azure Monitor and Azure Log Analytics.
      • Timeline: 2 weeks.
      • Responsible Party: IT Analytics Team.

    7. Data Protection and Recovery

    • Milestone 11:
      • Objective: Implement Azure Backup and Azure Site Recovery solutions.
      • Timeline: 3 weeks.
      • Responsible Party: Data Management Team.
    • Milestone 12:
      • Objective: Set up Azure Key Vault for secure key and secret management.
      • Timeline: 1 week.
      • Responsible Party: IT Security Team.

    8. General Security Measures

    • Milestone 13:
      • Objective: Deploy Managed Endpoint Solution across all devices.
      • Timeline: 3 weeks.
      • Responsible Party: Endpoint Management Team.
    • Milestone 14:
      • Objective: Set up firewalls based on organizational requirements.
      • Timeline: 2 weeks.
      • Responsible Party: Networking Team.
    • Milestone 15:
      • Objective: Activate Advanced Email Protection Solutions.
      • Timeline: 1 week.
      • Responsible Party: IT Security Team.

    9. Continuous Monitoring and Reviews

    • Milestone 16:
      • Objective: Establish continuous monitoring protocols and integrate threat intelligence.
      • Timeline: Ongoing.
      • Responsible Party: IT Monitoring Team.
    • Milestone 17:
      • Objective: Schedule regular security reviews and updates.
      • Timeline: Every 6 months.
      • Responsible Party: IT Review Committee.

    10. Continuous Improvement Initiatives

    • Milestone 18:
      • Objective: Set up feedback loops and implement lessons learned for improvements.
      • Timeline: Ongoing.
      • Responsible Party: Continuous Improvement Team.

    RELEVANT INFORMATION:

    Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention.
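    The discussion above makes two points a scanner at a designated location has to honour: malicious code may arrive wrapped in encodings such as UUENCODE or inside compressed files, and signature matching is complemented by software integrity controls. The Python script below is an added illustration of both, written for this page; it is not part of the page, of NIST SP 800-171, or of any product named in the SSP. It recursively opens ZIP archives and uuencoded blocks, hashes every payload it recovers, and reports each one as blocked (hash on a constructed blocklist standing in for signature data), approved (hash matches a constructed integrity baseline of authorised files), or unknown. The sample attachment, file names and payloads are all constructed for the example; the recursion and member-size limits are the kind of caps a real gateway needs so that a crafted archive cannot exhaust the scanner.

```python
"""Added example (not from this page or NIST SP 800-171): a minimal content
inspector for a designated location such as a mail gateway. It unpacks the
encodings the control discussion names (uuencode, compressed files), hashes
every recovered payload, and checks it against a constructed signature
blocklist and a constructed software-integrity baseline."""
import binascii
import hashlib
import io
import zipfile

# Constructed sample payloads; neither is real malware.
BENIGN = b"echo hello\n"
SUSPECT = b"TEST-ONLY-PAYLOAD (constructed for the example)\n"

MAX_DEPTH = 3                  # bound nesting so a crafted archive cannot recurse forever
MAX_MEMBER_BYTES = 10_000_000  # skip archive members that would inflate beyond this


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-ins for anti-virus signature data and an approved-software baseline.
KNOWN_BAD = {sha256(SUSPECT)}
BASELINE = {"hello.sh": sha256(BENIGN)}


def uuencode(data: bytes, name: str) -> bytes:
    """Build a uuencoded block (45 input bytes per line, as uuencode does)."""
    lines = [f"begin 644 {name}\n".encode()]
    lines += [binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45)]
    lines.append(b"`\nend\n")
    return b"".join(lines)


def uudecode(text: bytes):
    """Return (name, payload) if text is a well-formed uuencoded block, else None."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(b"begin "):
        return None
    header = lines[0].split(b" ", 2)
    name = header[2].decode(errors="replace") if len(header) == 3 else "unnamed"
    chunks = []
    try:
        for line in lines[1:]:
            if line == b"end":
                break
            if line.strip():               # blank lines carry no data
                chunks.append(binascii.a2b_uu(line))
    except binascii.Error:                 # malformed line: not a uuencoded block
        return None
    return name, b"".join(chunks)


def extract_payloads(name: str, data: bytes, depth: int = 0):
    """Yield (path, bytes) for data and everything nested inside it."""
    yield name, data
    if depth >= MAX_DEPTH:
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    continue
                yield from extract_payloads(f"{name}/{info.filename}",
                                            zf.read(info), depth + 1)
        return
    decoded = uudecode(data)
    if decoded is not None:
        inner_name, payload = decoded
        yield from extract_payloads(f"{name}/{inner_name}", payload, depth + 1)


def inspect_content(name: str, data: bytes) -> dict:
    """Map every recovered payload path to 'blocked', 'approved' or 'unknown'."""
    verdicts = {}
    for path, payload in extract_payloads(name, data):
        digest = sha256(payload)
        basename = path.rsplit("/", 1)[-1]
        if digest in KNOWN_BAD:
            verdicts[path] = "blocked"
        elif BASELINE.get(basename) == digest:
            verdicts[path] = "approved"
        else:
            verdicts[path] = "unknown"
    return verdicts


def build_sample_attachment() -> bytes:
    """Constructed attachment: a ZIP holding an approved script and a
    uuencoded block that wraps the blocklisted payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.sh", BENIGN)
        zf.writestr("notes.uu", uuencode(SUSPECT, "dropper.bin"))
    return buf.getvalue()


if __name__ == "__main__":
    for path, verdict in inspect_content("attachment.zip", build_sample_attachment()).items():
        print(f"{verdict:8} {path}")
```

    Running the script reports the outer archive and the uuencoded text file as unknown, the inner script as approved, and the payload recovered from inside the uuencoded block as blocked. The point is that a hash or signature check applied only to the attachment as received would have matched nothing; the verdict that matters only appears after the encodings the discussion lists have been unwrapped.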


    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.