3.14.5 has a weight of -3 points

(System and Information Integrity Family) 5/7

Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Example of System Security Plan (SSP):

    • Control 3.14.5
    • Organizational System Security Plan (SSP) – Active Periodic and Real-time Scanning Protocols
      1. Introduction:

      This document outlines our established practices for conducting systematic scans on our organizational systems, complemented by real-time scans on external files, ensuring continuous threat detection and mitigation.

      2. Established Scanning Infrastructure:

      a. Endpoint Protection Solution:

          • Purpose: Our antivirus protection is integrated into our current endpoint protection solution.

      b. Operational Corporate Firewall:

          • All traffic passing through is scanned in real time, detecting and blocking potential threats promptly.

      3. Routine Organizational System Scans:

      Our systems are scanned daily. This established practice utilizes industry-leading tools, proficient in detecting a myriad of malicious code formats, including those in compressed, hidden, or uniquely concealed files.

      4. Ongoing Real-time Scans of External Source Files:

      As part of our operational protocols, every file from an external source is scanned immediately before it is opened or executed, safeguarding our systems from potentially malicious code.

      5. Our Dual Scan Methodology:

      Beyond our automated scanning, our seasoned security team conducts manual inspections and analysis, ensuring a deeper scrutiny of potentially suspect files or activities.

      6. Logging and Immediate Response:

      Upon detection of any anomalies, details are promptly logged in our ticketing system, triggering our IT department’s immediate investigation.

      7. Ongoing User Training and Awareness Initiatives:

      We regularly conduct training sessions. These programs underscore the significance of safely handling external files and emphasize threat recognition and adherence to best practices in file management.

      Our active and comprehensive scanning approach ensures that we remain at the forefront of threat detection, maintaining the highest level of security and data integrity for our systems.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action & Milestones (POA&M)

    Control 3.14.5 – Active Periodic and Real-time Scanning Protocols

    | Milestone | Description                                                    | Responsible Party          | Start Date | End Date | Status      |
    |-----------|----------------------------------------------------------------|----------------------------|------------|----------|-------------|
    | M1        | Implementation of Endpoint Protection Solution                 | IT Department              | [Date]     | [Date]   | In Progress |
    | M2        | Activation of Real-time Traffic Scanning on Corporate Firewall | Network Team               | [Date]     | [Date]   | Not Started |
    | M3        | Schedule and Automate Daily System Scans                       | Security Team              | [Date]     | [Date]   | Completed   |
    | M4        | Implement Real-time External File Scanning Protocols           | Security Team              | [Date]     | [Date]   | In Progress |
    | M5        | Update Scanners with Latest Threat Intelligence                | Threat Intelligence Team   | Bi-weekly  | Ongoing  | Ongoing     |
    | M6        | Develop Manual Inspection Protocols for the Security Team      | Security Team              | [Date]     | [Date]   | Not Started |
    | M7        | Integration of Anomaly Detection with Ticketing System         | IT Department              | [Date]     | [Date]   | Completed   |
    | M8        | Launch User Training Sessions on Safe File Handling            | HR & Training Department   | Quarterly  | Ongoing  | Ongoing     |

    RELEVANT INFORMATION:

    Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
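    The paragraph above, together with SSP sections 3, 4 and 6, describes what a scanner must do to satisfy 3.14.5: sweep the system periodically, check external files as they arrive, look through the encodings and containers malicious code hides in, and hand detections to the ticketing system. The following is an added illustration in Python and is not part of this page, NIST SP 800-171 or any vendor product: it unwraps Base64 text, UUENCODE and zip archives (with depth and size limits so a nested or oversized archive cannot exhaust the scanner), matches the content against a constructed signature list and hash blocklist, and shapes each finding as a ticket record. The signature string, the hashes and the sample archive are all constructed for the example; a real deployment would take indicators from its AV/EDR vendor feed (POA&M milestone M5).

```python
"""Added example of 3.14.5-style scanning: a periodic sweep of a directory
tree plus an on-arrival check of a single external file. Text encodings
(Base64, UUENCODE) and zip containers are unwrapped before matching.
All indicators below are constructed for the example."""
import base64
import binascii
import hashlib
import io
import os
import zipfile
from dataclasses import dataclass

# Constructed indicators (not real malware): a byte pattern and a SHA-256 blocklist.
SIGNATURES = {b"CONSTRUCTED-MALICIOUS-MARKER": "sig-0001"}
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed known-bad sample").hexdigest(): "hash-0001",
}
MAX_DEPTH = 3                  # nesting limit for archives/encodings (zip-bomb guard)
MAX_BYTES = 64 * 1024 * 1024   # refuse to expand archive members larger than this


@dataclass
class Finding:
    location: str   # unwrapping chain, e.g. "drop.zip!docs/payload.b64<base64>"
    indicator: str  # which signature or hash matched


def _base64_layer(data: bytes):
    """Return the Base64-decoded bytes if the content is valid Base64, else None."""
    compact = b"".join(data.split())
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def _uu_layer(data: bytes):
    """Return the decoded payload of a 'begin ... end' UUENCODE block, else None."""
    lines = data.splitlines()
    if not lines or not lines[0].startswith(b"begin "):
        return None
    out = bytearray()
    for line in lines[1:]:
        if line.strip() == b"end":
            break
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:
            return None
    return bytes(out)


def scan_bytes(location: str, data: bytes, depth: int = 0) -> list:
    """Match data against the indicators, then unwrap encodings/archives and recurse."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(Finding(location, KNOWN_BAD_SHA256[digest]))
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            findings.append(Finding(location, name))
    if depth >= MAX_DEPTH:
        return findings  # stop unwrapping; raw-layer checks above still ran
    # Text encodings: decode and rescan one layer deeper.
    for layer, decoded in (("base64", _base64_layer(data)), ("uuencode", _uu_layer(data))):
        if decoded and decoded != data:
            findings.extend(scan_bytes(f"{location}<{layer}>", decoded, depth + 1))
    # Compressed container: scan every member, honouring the size and depth limits.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{location}!{info.filename}"
                if info.file_size > MAX_BYTES:
                    findings.append(Finding(member, "oversize-member"))
                    continue
                findings.extend(scan_bytes(member, zf.read(info), depth + 1))
    return findings


def scan_external_file(path: str) -> list:
    """Real-time style check: run on a file the moment it arrives from outside."""
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read())


def periodic_scan(root: str) -> list:
    """Periodic sweep of a directory tree (the daily scan of SSP section 3)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_external_file(os.path.join(dirpath, name)))
    return findings


def to_ticket(finding: Finding) -> dict:
    """Shape a finding as the record handed to the ticketing system (SSP section 6)."""
    return {"summary": f"Malicious code indicator {finding.indicator} at {finding.location}",
            "location": finding.location, "indicator": finding.indicator, "severity": "high"}


def build_sample_archive() -> bytes:
    """Constructed input: a zip whose inner file holds a Base64-wrapped marker."""
    wrapped = base64.b64encode(b"prefix " + next(iter(SIGNATURES)) + b" suffix")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "nothing to see here")
        zf.writestr("docs/payload.b64", wrapped)
    return buf.getvalue()


def build_sample_uu() -> bytes:
    """Constructed input: the marker inside a UUENCODE block, as mail gateways see it."""
    return b"begin 644 p.bin\n" + binascii.b2a_uu(next(iter(SIGNATURES))) + b"`\nend\n"


if __name__ == "__main__":
    for f in scan_bytes("download.zip", build_sample_archive()):
        print(to_ticket(f))
```

    Running the block prints one ticket for `download.zip!docs/payload.b64<base64>`: the marker is invisible to a raw byte match on either the archive or the Base64 text, and only appears after both layers are unwrapped, which is the point the NIST discussion makes about encoded and compressed content. `periodic_scan` is the same engine applied to a whole tree on a schedule, and `scan_external_file` is the hook a download or mail path would call before the file is opened.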

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.