3.4.2 has a weight of -5 points
(Configuration Management Family) 2/9
Establish and enforce security configuration setting for information technology products employed in organizational systems.
Video:
Example of Sysytem Security Plan (SSP):
-
System Security Plan (SSP) – Control 3.4.2: Security Configuration Settings
Purpose: Ensure the establishment and enforcement of security configuration settings for all IT products used within the organization.
Scope: This SSP encompasses all IT products, both hardware and software, utilized within our organization, including servers, workstations, mobile devices, and networking equipment.
1. Definition and Documentation:
-
A documented annual baseline configuration is maintained. This baseline provides a standardized set of security configuration settings for all IT products.
-
Whenever significant changes to the system are made, this documentation will be updated to reflect the new baseline configuration.
-
Any departures from the baseline must be documented with a rationale and approved by the IT Security Manager.
2. Configuration Implementation and Enforcement:
-
Group Policy: All group policies are set as per the annual baseline configuration. Ability exists to link, unlink, enforce, and not enforce these policies as required.
-
Firewall: Firewall configurations are standardized to block all unauthorized inbound and outbound traffic and only allow necessary ports, services, and applications to function.
-
VPN: A VPN solution is in place to ensure encrypted and secure remote access to the organization’s network resources.
-
Endpoint Management Solution: Devices are managed to ensure they adhere to the required security configurations.
-
Security Information and Event Management (SIEM): SIEM solutions are in place to monitor and alert on any deviations from the baseline configuration in real-time.
3. Conditional Access and Device Configurations with InTune:
-
All devices, whether mobile or desktop/laptops, have InTune configurations implemented.
-
InTune conditional access policies serve as the baseline security configuration for all user devices.
-
Regular checks are done to ensure all devices remain compliant with these configurations.
4. Review and Update:
-
Periodic reviews of the security configuration settings will be conducted to ensure they remain effective and relevant.
-
Any updates or changes to the baseline configuration will be communicated to all relevant stakeholders.
5. Responsibilities:
-
IT Security Manager: Overall responsibility for the establishment and maintenance of the security configuration settings and the annual baseline configuration documentation.
-
System Administrators: Ensure that all systems are configured according to the established settings. Responsible for implementing, managing, and monitoring group policies, firewall configurations, VPN settings, and endpoint management solutions.
-
Device Managers: Ensure that all devices are compliant with the InTune conditional access policies and device configurations.
6. Training & Awareness:
-
All staff members will be made aware of the importance of adhering to the security configuration settings.
-
Periodic training sessions will be conducted to keep staff informed about any changes to the baseline configuration and how to maintain compliance.
7. Reporting & Auditing:
-
Regular audits will be conducted to ensure compliance with the established security configuration settings.
-
Any deviations or violations will be reported, and corrective actions will be taken.
-
Example of Plan of Action and Milestones ( POA & M):
Plan of Action & Milestones (POA&M)
Control ID: 3.4.2 – Security Configuration Settings
1. Definition and Documentation:
-
Milestone 1.1: Finalize and approve the annual baseline configuration by [Date].
- Status: In Progress
- Responsible Party: IT Security Manager
- Completion Date: [Date]
- Resources Needed: Access to current configuration settings, security tools, and relevant documentation.
-
Milestone 1.2: Develop a process to capture and document significant changes to systems.
- Status: Not Started
- Responsible Party: System Administrators
- Completion Date: [Date]
- Resources Needed: Change management tools, system logs.
2. Configuration Implementation and Enforcement:
-
Milestone 2.1: Implement and document the group policy configurations per the baseline.
- Status: In Progress
- Responsible Party: System Administrators
- Completion Date: [Date]
- Resources Needed: Group policy management tools, IT product listings.
-
Milestone 2.2: Configure firewall settings to block unauthorized traffic.
- Status: In Progress
- Responsible Party: System Administrators
- Completion Date: [Date]
- Resources Needed: Firewall management console, updated list of required ports/services.
-
Milestone 2.3: Deploy and test the VPN solution for secure remote access.
- Status: Not Started
- Responsible Party: Network Administrators
- Completion Date: [Date]
- Resources Needed: VPN licenses, remote access test scenarios.
3. Conditional Access and Device Configurations with InTune:
-
Milestone 3.1: Roll out InTune configurations to all devices.
- Status: In Progress
- Responsible Party: Device Managers
- Completion Date: [Date]
- Resources Needed: InTune licenses, device list, user list.
-
Milestone 3.2: Conduct a compliance check for InTune conditional access policies on devices.
- Status: Scheduled
- Responsible Party: Device Managers
- Completion Date: [Date]
- Resources Needed: InTune management console, compliance check tools.
4. Review and Update:
-
Milestone 4.1: Schedule the first periodic review of security configuration settings.
- Status: Not Started
- Responsible Party: IT Security Manager
- Completion Date: [Date]
- Resources Needed: Configuration documentation, change logs.
5. Training & Awareness:
-
Milestone 5.1: Develop a training module on security configuration adherence.
- Status: In Progress
- Responsible Party: HR & IT Security Manager
- Completion Date: [Date]
- Resources Needed: Training materials, online training platform.
6. Reporting & Auditing:
-
Milestone 6.1: Schedule the first internal audit to validate configuration compliance.
- Status: Not Started
- Responsible Party: Audit Team
- Completion Date: [Date]
- Resources Needed: Audit tools, configuration documentation, access to systems.
This POA&M will be reviewed on a quarterly basis to track progress and ensure milestones are met. Adjustments will be made as needed based on emerging threats, changes in organizational needs, or technology updates.
Example of Annual Baseline Configuration Document:
Annual Baseline Configuration Document
Company Name: [Your Company Name]
Date: [Current Date]
Version: 1.1
Introduction: This Annual Baseline Configuration Document embodies our steadfast commitment to upholding the highest level of security, particularly concerning Controlled Unclassified Information (CUI). Detailed herein are standardized security settings across all our IT solutions.
1. Microsoft GCC (Government Community Cloud):
-
Data Loss Prevention (DLP): Policies implemented to prevent unauthorized data sharing or transmission.
-
Shared Access Signatures (SAS): Time-limited tokens provided for accessing resources to minimize risk.
-
Secure Score: Regularly monitoring and improving upon our Microsoft Secure Score to gauge our security posture.
2. Azure:
-
Virtual Network (VNet): Isolated virtual networks established to segregate resources.
-
Azure Key Vault: Centralized management of secrets, tokens, and encryption keys.
-
Azure Policy: Policies enforced to maintain compliance with internal and external regulations.
-
Azure Blueprints: Templates used to ensure standardized, repeatable deployments.
3. InTune:
-
Endpoint Detection and Response (EDR): Advanced threat protection capabilities to identify, evaluate, and take action against threats on endpoints.
-
Mobile Threat Defense: Integration with third-party solutions for robust protection against mobile threats.
4. VPN (Virtual Private Network):
-
VPN Protocol: Usage of OpenVPN for a secure and reliable connection.
-
Traffic Segmentation: Implementation of VLANs to segment VPN traffic, ensuring sensitive data is segregated.
5. General Security Practices:
-
Zero Trust Model: Implementing a Zero Trust approach, ensuring no one has access until they’ve proven their identity and need.
-
Regular Audits: Quarterly security audits and vulnerability assessments.
-
Security Training: Monthly security awareness training for all employees.
-
Intrusion Detection System (IDS): Monitors network traffic for suspicious activities.
-
Intrusion Prevention System (IPS): Proactively blocks potential security threats.
-
End-to-End Encryption: Ensuring data is encrypted both in transit and at rest.
-
Multi-Cloud Strategy: Distributing resources across multiple cloud providers to mitigate risks.
-
Secure Code Practices: Regular code reviews and application security testing before deployment.
-
Phishing Simulation: Regular simulated phishing attacks to test and train employee resilience against such threats.
-
Physical Security: Biometric access controls, 24/7 CCTV monitoring, and on-site security personnel at data centers and offices.
-
Secure Data Disposal: Implementing policies for secure disposal of electronic devices and paper documents.
6. Compliance & Regulations:
-
Continuous Monitoring: Real-time monitoring to ensure compliance with relevant regulations, such as GDPR, CCPA, or HIPAA.
-
Regulatory Audits: Annually partnering with third-party auditors to validate our compliance status.
Review & Updates:
This document is subject to an annual review, with interim reviews as necessary to adapt to the fast-evolving cybersecurity landscape.
Approval:
Document Approved By:
[IT Security Manager Name] – [Date]
[Company Executive Name] – [Date]
RELEVANT INFORMATION:
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.