3.7.4 has a weight of -3 points

(Maintenance Family) 4/6

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

Example of Sysytem Security Plan (SSP):

    Policy Statement:

    1. Our organization is dedicated to ensuring the security of our organizational systems by conducting media inspection for diagnostic and test programs to detect and mitigate the presence of malicious code before their use.
    2. Scope of Media Inspection:
    3. This policy applies to all media containing maintenance diagnostic and test programs used within our organizational systems.
    4. Media encompasses physical storage devices such as USB drives, CDs, DVDs, or network shares containing these programs.
    5. Security Check Process:
    6. Prior to using any media containing diagnostic and test programs, our organization performs a comprehensive security check to identify and address any potential presence of malicious code.
    7. This process may involve the use of up-to-date antivirus or malware detection software.
    8. Incident Handling for Malicious Code Detection:
    9. Should the media inspection reveal the presence of malicious code, our organization follows the incident handling policies and procedures in place.
    10. Appropriate actions are taken to contain and mitigate the impact of the incident.
    11. Authorized Use Only:
    12. Media containing diagnostic and test programs are strictly utilized by authorized personnel who have received proper training regarding their appropriate use and security implications.
    13. Media Source Verification:
    14. To ensure the integrity and authenticity of the media, our organization verifies its source before incorporating it into our organizational systems.
    15. We prefer using media obtained from trusted and reputable sources.
    16. Secure Storage:
    17. When not in use, media containing diagnostic and test programs are securely stored to prevent unauthorized access and potential tampering.
    18. Incident Reporting and Response:
    19. In the event of any incidents related to the detection of malicious code on media, prompt reporting and response are essential, following our organization’s incident response policies and procedures.
    20. Regular Updates:
    21. Our organization diligently updates the antivirus or malware detection software used for media inspection to effectively detect emerging threats and maintain robust security measures.
    22. User Awareness:
    23. We prioritize educating and making our users aware of the significance of media inspection before using diagnostic and test programs to mitigate potential security risks.
    24. Continuous Improvement:
    25. Our organization consistently reviews and enhances its media inspection procedures to adapt to evolving threats and strengthen our security measures. 

    Example of Plan of Action and Milestones ( POA & M):

    Milestone 1: Scope Definition and Security Check Process Establishment

    • Define the scope of media inspection for diagnostic and test programs used within organizational systems. [Target Date]

    • Establish a comprehensive security check process to detect and address the presence of malicious code in media before use. [Target Date]

    Milestone 2: Incident Handling and Authorized Use

    • Develop incident handling policies and procedures for cases where malicious code is detected during media inspection. [Target Date]

    • Ensure that media containing diagnostic and test programs are strictly used only by authorized personnel with proper training. [Target Date]

    Milestone 3: Media Source Verification

    • Implement a verification process to ensure the integrity and authenticity of media before incorporating it into organizational systems. [Target Date]

    • Prioritize the use of media obtained from trusted and reputable sources. [Target Date]

    Milestone 4: Secure Storage and Incident Reporting

    • Establish secure storage procedures for media containing diagnostic and test programs to prevent unauthorized access and tampering. [Target Date]

    • Develop incident reporting and response procedures for prompt action in case of malicious code detection. [Target Date]

    Milestone 5: Regular Updates and User Awareness

    • Regularly update antivirus or malware detection software for effective detection of emerging threats. [Target Date]

    • Conduct user awareness training to educate personnel on the importance of media inspection and its role in mitigating security risks. [Target Date]

    Milestone 6: Continuous Improvement Evaluation

    • Regularly review and enhance media inspection procedures to adapt to evolving threats. [Target Date]

    • Identify areas for improvement and take corrective actions to strengthen security measures. [Target Date]

    Milestone 7: Compliance Review

    • Conduct a compliance review to ensure that media inspection aligns with established policies and guidelines. [Target Date]

    • Address any identified gaps or non-compliance issues to enhance the overall security posture. [Target Date]

     

    RELEVANT INFORMATION:

    If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.




    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.