search

adammontville / cis-controls-71-measures

0 stars 0 forks source link

Subcontrol 11.6 #107

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

Measures

None provided

Metrics

None provided
wmunyan commented 5 years ago

Inputs:

Operations:

Measures:

Metrics:

apiperCIS commented 5 years ago

A few comments: 1) Consider making a slight update to the language to make it clear that this is specifically for network administrative tasks 2) Does this proposal adequately cover the "segmented from the organization's primary network and not be allowed Internet access" piece? 3) We should coordinate this one with 4.6 (which is an IG3) as they are very similar.

ealshaer commented 5 years ago

Inputs:

- The set of devices used for administrative purposes
- The access control configuration
- The set of devices configured/managed by the admin machine

Operations: *

Measures:

M1 = (For each machine) 1 if an administrative device has internet access; 0 otherwise.
M2 = (For each machine) 1 if administrative device can run any application that is not administrative; 0 otherwise.
M3 = (For each machine) 1 if any machine can reach the administrative device but this machine is NOT in INPUT#3; 0 otherwise.
M4 = The number of administrative devices.

Metrics:

Administrative Device Configuration = 1-(SUM from i=1..M4 (M1_i AND M2_i AND M3_i)) / M4

Meaning: The ratio of admin devices that are in complaint with this subcontrol (have no internet access, fully segmented or can not run non-admin apps)