Controls in logical order

Configuration Management:

    3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
    3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
    3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
    3.4.4 Analyze the security impact of changes prior to implementation.
    3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
    3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
    3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
    3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
    3.4.9 Control and monitor user-installed software.

    RELEVANT INFORMATION:

    These controls cover the management and securing of organizational systems across their life cycles: establishing baseline configurations and inventories (3.4.1), enforcing security configuration settings (3.4.2), tracking, reviewing, approving and logging changes (3.4.3), analyzing the security impact of a change before it is implemented (3.4.4), and restricting who may physically or logically make changes (3.4.5). The principle of least functionality (3.4.6, 3.4.7) means configuring systems to provide only the capabilities they need and restricting or disabling nonessential programs, functions, ports, protocols, and services. Software execution is controlled either by deny-by-exception (blocklisting known-bad software) or by deny-all, permit-by-exception (allowlisting approved software), of which allowlisting is the stronger policy because it also stops software that is unknown rather than known-bad (3.4.8); user-installed software is controlled and monitored so that it does not escape the same policy (3.4.9).
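    The following Python script is an added example (not from this page or from NIST SP 800-171) showing how a documented baseline for 3.4.1/3.4.2/3.4.7 can be checked against a snapshot of a live host, and how the two 3.4.8 policies behave differently on the same snapshot. The baseline layout, the use of SHA-256 hashes to identify software, and every binary, port, service and setting shown are constructed assumptions for illustration, not real system data.

```python
"""Baseline drift check against a host snapshot (added example, constructed data).

Maps each deviation to the NIST SP 800-171 control it violates:
  3.4.1 baseline component missing, 3.4.2 setting drift,
  3.4.7 nonessential port/service, 3.4.8 unauthorized software.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-171 control the deviation maps to
    detail: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample data (assumptions, not taken from the page) ----------

# Contents of the executables approved for this host role. In practice the
# baseline stores only the hashes, taken from a known-good build.
APPROVED_BINARIES = {
    "/usr/sbin/sshd": b"sshd-9.6-known-good-build",
    "/usr/sbin/nginx": b"nginx-1.24-known-good-build",
}

BASELINE = {
    "role": "web-server",
    # 3.4.8 deny-all, permit-by-exception: software allowed to execute
    "allowed_hashes": {sha256(b) for b in APPROVED_BINARIES.values()},
    # 3.4.8 deny-by-exception alternative: software known to be banned
    "denied_hashes": {sha256(b"xmrig-known-bad-build")},
    # 3.4.7 only essential ports and services
    "allowed_listening_ports": {22, 443},
    "required_services": {"sshd", "nginx"},
    # 3.4.2 security configuration settings that must hold
    "required_settings": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
}

# Snapshot from the live host (constructed): nginx has been replaced with an
# unknown build, a known miner appeared in /tmp, telnetd listens on 8080, and
# the sshd setting drifted.
SNAPSHOT = {
    "executables": {
        "/usr/sbin/sshd": b"sshd-9.6-known-good-build",
        "/usr/sbin/nginx": b"nginx-1.24-unknown-rebuild",
        "/tmp/.x/miner": b"xmrig-known-bad-build",
    },
    "listening_ports": {22, 443, 8080},
    "running_services": {"sshd", "nginx", "telnetd"},
    "settings": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
}


def check_software(baseline, snapshot, mode="allowlist"):
    """3.4.8: 'allowlist' = deny-all, permit-by-exception;
    'denylist' = deny-by-exception. Same snapshot, different coverage."""
    findings = []
    for path, content in sorted(snapshot["executables"].items()):
        digest = sha256(content)
        if mode == "allowlist" and digest not in baseline["allowed_hashes"]:
            findings.append(Finding("3.4.8", f"executable not in allowlist: {path}"))
        elif mode == "denylist" and digest in baseline["denied_hashes"]:
            findings.append(Finding("3.4.8", f"banned executable present: {path}"))
    return findings


def check_services_and_ports(baseline, snapshot):
    findings = []
    for port in sorted(snapshot["listening_ports"] - baseline["allowed_listening_ports"]):
        findings.append(Finding("3.4.7", f"nonessential listening port: {port}"))
    for svc in sorted(snapshot["running_services"] - baseline["required_services"]):
        findings.append(Finding("3.4.7", f"nonessential service running: {svc}"))
    for svc in sorted(baseline["required_services"] - snapshot["running_services"]):
        findings.append(Finding("3.4.1", f"baseline service not running: {svc}"))
    return findings


def check_settings(baseline, snapshot):
    findings = []
    for key, want in sorted(baseline["required_settings"].items()):
        got = snapshot["settings"].get(key)
        if got != want:
            findings.append(Finding("3.4.2", f"{key}={got!r}, baseline requires {want!r}"))
    return findings


def check_drift(baseline, snapshot, mode="allowlist"):
    """Full comparison; returns findings in control order for reporting."""
    return (check_software(baseline, snapshot, mode)
            + check_services_and_ports(baseline, snapshot)
            + check_settings(baseline, snapshot))


if __name__ == "__main__":
    for mode in ("allowlist", "denylist"):
        print(f"--- software policy: {mode} ---")
        for f in check_drift(BASELINE, SNAPSHOT, mode):
            print(f"[{f.control}] {f.detail}")
```

    Run against the constructed snapshot, the allowlist policy reports both the rebuilt nginx and the miner, while the denylist policy reports only the miner, because the rebuilt nginx matches nothing on the banned list. That difference is the practical reason the summary above calls permit-by-exception the stronger 3.4.8 policy.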


    Resources to consider:

    3.1.1

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization's password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security. Note that NIST SP 800-63B advises against forcing periodic password changes unless there is evidence of compromise, so if the policy keeps an expiration interval, document the justification for it.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.