NOTE: This proposal is very similar to 5.1, but applies to network devices rather than software.
Inputs:
  1. The list of authorized network devices, per Control 1.
  2. The list of enterprise security configuration standards.
Assumption:
  Documentation of secure configuration standards should include any approved deviations/exceptions from industry-standard security baselines such as CIS Benchmarks, DISA Security Technical Implementation Guides (STIGs), or the U.S. Government Configuration Baseline (USGCB).
Operations:
  1. Perform a set calculation, computing the intersection (M1) of Input 1 and Input 2: the authorized network devices that have an associated security configuration standard.
Measures:
  M1 = The intersection of Input 1 and Input 2. This measures the number of authorized network devices that have a security configuration standard.
  M2 = The "left" side of the set calculation: the number of authorized network devices without a security configuration standard.
  M3 = The "right" side of the set calculation: the number of security configuration standards not associated with any authorized network device.
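As an added worked example (not part of the original measurement specification), the set calculation above in Python. The device inventory and the standards are constructed sample data, and the rule that a standard is associated with a device when their platform fields match is an assumption made here, since the specification does not say how the association is recorded.

```python
"""Worked example of the M1/M2/M3 set calculation for network-device
configuration-standard coverage.

Added example, not from the original specification. The inventory and the
standards below are constructed sample data, and the association rule
(a standard applies to a device when their `platform` fields match) is an
assumption made here for illustration.
"""
from dataclasses import dataclass

# Baselines named in the Assumption; used to sanity-check each standard's documentation.
RECOGNIZED_BASELINES = {"CIS", "STIG", "USGCB"}


@dataclass(frozen=True)
class NetworkDevice:
    """Input 1: one entry from the authorized network device inventory (Control 1)."""
    device_id: str
    platform: str  # assumed inventory attribute, e.g. "cisco-ios", "pan-os"


@dataclass(frozen=True)
class ConfigStandard:
    """Input 2: one enterprise security configuration standard."""
    standard_id: str
    platform: str
    baseline: str                    # source baseline: "CIS", "STIG" or "USGCB"
    approved_exceptions: tuple = ()  # documented deviations from that baseline


# Constructed sample data.
DEVICES = [
    NetworkDevice("core-rtr-01", "cisco-ios"),
    NetworkDevice("core-rtr-02", "cisco-ios"),
    NetworkDevice("edge-fw-01", "pan-os"),
    NetworkDevice("lab-sw-07", "arista-eos"),  # no standard covers this platform
]
STANDARDS = [
    ConfigStandard("STD-NET-001", "cisco-ios", "CIS", ("NTP: internal servers only",)),
    ConfigStandard("STD-NET-002", "pan-os", "STIG"),
    ConfigStandard("STD-NET-003", "junos", "CIS"),  # no authorized device runs Junos
]


def compute_measures(devices, standards):
    """Return (M1, M2, M3) as sets of identifiers.

    M1: authorized devices that have an associated standard (the intersection).
    M2: authorized devices with no standard (the "left" side).
    M3: standards associated with no authorized device (the "right" side).
    """
    covered_platforms = {s.platform for s in standards}
    device_platforms = {d.platform for d in devices}
    m1 = {d.device_id for d in devices if d.platform in covered_platforms}
    m2 = {d.device_id for d in devices if d.platform not in covered_platforms}
    m3 = {s.standard_id for s in standards if s.platform not in device_platforms}
    return m1, m2, m3


def undocumented_baselines(standards):
    """Standards whose documentation does not name a recognized baseline
    (flags standards that do not satisfy the Assumption)."""
    return {s.standard_id for s in standards if s.baseline not in RECOGNIZED_BASELINES}


if __name__ == "__main__":
    m1, m2, m3 = compute_measures(DEVICES, STANDARDS)
    print("M1 (devices with a standard):   ", sorted(m1))
    print("M2 (devices without a standard):", sorted(m2))
    print("M3 (standards with no devices): ", sorted(m3))
    print("standards lacking a recognized baseline:",
          sorted(undocumented_baselines(STANDARDS)))
```

M2 is the finding list for this safeguard (devices to bring under a documented standard); M3 is worth reviewing separately, since a standard with no associated device either is stale and can be retired or points at a gap in the Control 1 inventory.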
Maintain standard, documented security configuration standards for all authorized network devices.