Subcontrol 13.4

[adammontville]

Only allow access to authorized cloud storage or email providers.

Measures

None provided

Metrics

None provided

[wmunyan]

Inputs:

• The list of endpoints
• The list of authorized cloud storage providers
• The list of authorized email providers
• The organization's configuration policy, including access to authorized cloud storage/email providers

Operations:

• For each endpoint, compare the endpoint's policy for access to cloud storage providers with the organization's configuration policy
• For each endpoint, compare the endpoint's policy for access to email providers with the organization's configuration policy

Measures:

• M1 = The number of endpoints
• M2 = The number of authorized cloud storage providers
• M3 = The number of authorized email providers
• M4 = (For each endpoint) 1 if the endpoint's configuration matches the policy for access to authorized cloud storage providers; 0 otherwise
• M5 = (For each endpoint) 1 if the endpoint's configuration matches the policy for access to authorized email providers; 0 otherwise

Metrics:

• Authorized Cloud Storage Provider Conformance = (SUM from 1..M1 (M4)) / M1
• Authorized Email Provider Conformance = (SUM from 1..M1 (M5)) / M1

[wmunyan]

Add manual review of overall security policy to include access to cloud storage/email providers Modify endpoint config metrics to be for UNauthorized.

[wmunyan]

UPDATED:

Inputs:

• The list of endpoints
• The list of authorized cloud storage providers
• The list of authorized email providers
• The organization's security policy, including details on access to authorized cloud storage/email providers
• The organization's configuration policy, including access to authorized cloud storage/email providers

Operations:

• For each endpoint, compare the endpoint's policy for access to cloud storage providers with the organization's configuration policy
• For each endpoint, compare the endpoint's policy for access to email providers with the organization's configuration policy
• Perform a manual review of the organization's security policy to ensure details regarding access to authorized cloud storage/email providers is included

Measures:

• M1 = The number of endpoints
• M2 = The number of authorized cloud storage providers
• M3 = The number of authorized email providers
• M4 = (For each endpoint) 1 if the endpoint's configuration matches the policy for access to authorized cloud storage providers; 0 otherwise
• M5 = (For each endpoint) 1 if the endpoint's configuration matches the policy for access to authorized email providers; 0 otherwise
• M6 = 1 if the manual review of the organizations security policy (Operation 3) has been performed; 0 otherwise

Metrics:

• Unauthorized Cloud Storage Provider Configuration = 1 - ((SUM from 1..M1 (M4)) / M1)
• Unauthorized Email Provider Configuration = 1 - ((SUM from 1..M1 (M5)) / M1)
• Security Policy Review = M6 == 1

[wmunyan]

Inputs:

• List of cloud storage providers
• List of cloud email providers
• Organizational policy detailing the list of unauthorized cloud storage providers
• Organizational policy detailing the list of unauthorized email providers

Operations:

• A manual review of the organizational polices provided by Inputs 3 and 4

Measures:

• M1 = Count of unauthorized cloud storage
• M2 = (For each endpoint) 1 if endpoint successfully blocks access to unauthorized cloud storage providers; 0 otherwise
• M3 = Count of unauthorized email providers
• M4 = (For each endpoint) 1 if endpoint successfully blocks access to unauthorized email providers; 0 otherwise
• M5 = Count of endpoints
• M6 = 1 if the manual policy review (Operation 1) has been completed

Metrics:

• Cloud Storage Provider Access Coverage = (SUM from 1..M5 (M2)) / M5
• Email Provider Access Coverage = (SUM from 1..M5 (M4)) / M5
• Policy Review = M6 == 1

[apiperCIS]

Inputs 1) List of endpoints. For each, include the configuration locations that restrict which cloud providers the endpoint can access (this could be a firewall, etc.) 2) List of cloud storage providers (this list should be as complete as possible and should indicate whether each provider is allowed or prohibited) 3) List of cloud email providers (this list should be as complete as possible and should indicate whether each provider is allowed or prohibited) 4) Organization's security policy regarding access to cloud storage and cloud email providers, including a list of which ones are allowed

Operations 1) For each of the endpoint configuration locations identified in Input 1, identify which of the cloud storage providers from Input 2 are reachable based on the configuration at that location, creating a list of reachable cloud storage providers by configuration location (M1). Mark each of the configuration locations in the list as either compliant (if it does not allow access to prohibited cloud storage providers), or non-compliant (if it allows access to at least one of the prohibited cloud storage providers). 2) For each of the endpoint configuration locations identified in Input 1, identify which of the cloud email providers from Input 3 are reachable based on the configuration at that location, creating a list of reachable cloud email providers by configuration location (M2). Mark each of the configuration locations in the list as either compliant (if it does not allow access to prohibited cloud storage providers), or non-compliant (if it allows access to at least one of the prohibited cloud storage providers). 3) For each endpoint in Input 1, check the status of each of that endpoint's configuration locations in M1 and M2, and create a count of the endpoints that have configuration locations that are all compliant (M3). 4) Manually review the organization's security policy provided in Input 4 to ensure that it properly outlines the organization's rules for accessing cloud storage and cloud email providers, including identifying which providers are allowed and which are prohibited. Score this review as M5 (could be a binary 1 for adequate, 0 for inadequate; or a more nuanced score could be generated).

Measures M1: List of reachable cloud storage providers by configuration location M2: List of reachable cloud email providers by configuration location M3: Count of endpoints for which all their configuration locations are compliant M4: Total count of endpoints (count of Input 1) M5: Score resulting from the manual review of the cloud provider access policy

Metrics Ratio of endpoints with cloud provider access properly limited: M3 / M4 Manual policy review score: M5

Note: Manual policy review included for this Sub-Control because it is not feasible to identify (and therefore check for) all cloud storage and email providers.