adammontville / cis-controls-71-measures


Subcontrol 8.4 #13

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Measures

None provided. (Implied by metrics/KEI?)

Metrics/KEI

Use active testing or WMI service to know the configuration

We don't need to know which settings at the CAS level. We need to define measures and then later deal with how for specific software.

adammontville commented 5 years ago

Rough proposal

Input 1) Endpoint inventory

Test 1) Refine endpoint inventory to the set of endpoints supporting anti-malware (M1)
Test 2) Determine set of endpoints actually having anti-malware (M2)
Test 3) Endpoints supporting anti-malware (M1) configured to automatically scan removable media (M3)

M1: Number of endpoints supporting anti-malware
M2: Number of endpoints without anti-malware that should have anti-malware
M3: Number of appropriately configured endpoints
M4: Total number of anti-malware eligible endpoints (M1+M2)

Metric: Coverage: (M4 - M3) / M4

Question: Some endpoints not supporting anti-malware software may support removable devices (i.e. network devices) - do we include these or simply mention the fact that not all removable media is addressable in this sub-control?

apiperCIS commented 5 years ago

1) We should probably include a description to clarify terms like "supporting anti-malware" vs. "having anti-malware"
2) Should proper configuration of the anti-malware to scan removable media be listed as an input?

wmunyan commented 5 years ago

Inputs:

Metric becomes # of endpoints implementing desired configuration

apiperCIS commented 5 years ago

Inputs
1) Endpoint inventory (with entry for each endpoint indicating whether that endpoint can support anti-malware software or not)
2) Desired anti-malware configuration (to automatically scan removable media when inserted/connected)

Assumption: Some endpoints, such as network devices, may not support anti-malware software. Whether an endpoint supports anti-malware software is provided as part of Input 1. Devices that cannot support anti-malware software are removed from the list of endpoints to be checked during Operation 1, and these devices are not counted in the metric below.

Operations
1) Refine the endpoint inventory (Input 1) to only contain endpoints that can support anti-malware software - this reduced list of endpoints becomes M1
2) Of the set of endpoints that can support anti-malware software (M1), generate a list of those endpoints that actually have anti-malware software installed, enabled, and adhering to the configuration specified in Input 2 (M2), and a list of the endpoints that do not adhere to the specified configuration (M3).

Note: Endpoints in M1 that do not have anti-malware installed and enabled are considered non-compliant and added to M3.

Measures
M1: List of endpoints capable of supporting anti-malware software
M2: List of endpoints with anti-malware software installed, enabled, and properly configured to scan removable media (compliant list)
M3: List of endpoints not adhering to the specified configuration (non-compliant list)
M4: Number of endpoints in M1 (number of endpoints capable of supporting anti-malware software)
M5: Number of endpoints in M2 (number of compliant endpoints)

Metric: Coverage: M5 / M4

Question: If M4 is 0 (there are no endpoints capable of supporting anti-malware software), assume improper inputs and the metric results in a 0? Or, should this default to a 1 score if there are no endpoints capable of supporting anti-malware software?
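The following is an added worked example of the refined proposal above (Inputs 1 and 2, Operations 1 and 2, Measures M1 through M5, and Coverage = M5 / M4). It is illustration code written for this thread, not code from the cis-controls-71-measures project. The inventory records are constructed sample data, and the field names (`supports_antimalware`, `am_installed`, `am_enabled`, `config`) and the desired-configuration key are assumptions about how the inputs might be represented. The M4 == 0 case, which the last comment leaves open, is returned as `None` rather than 0 or 1, so the caller can apply whichever rule the group settles on.

```python
"""Worked example of the Subcontrol 8.4 measurement proposed in the thread.

Added as an illustration; not code from the cis-controls-71-measures project.
The inventory records below are constructed sample data, and the field names
(supports_antimalware, am_installed, am_enabled, config) are assumptions about
how Input 1 might be represented.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    """One row of the endpoint inventory (Input 1)."""
    name: str
    supports_antimalware: bool          # can this device run anti-malware at all?
    am_installed: bool = False
    am_enabled: bool = False
    # Observed anti-malware settings, e.g. gathered by active testing or a WMI query.
    config: dict = field(default_factory=dict)


# Input 2: the desired anti-malware configuration. The key name is an assumption.
DESIRED_CONFIG = {"scan_removable_media_on_insert": True}


def is_compliant(ep: Endpoint, desired: dict) -> bool:
    """Operation 2 check: installed, enabled, and every desired setting matches."""
    if not (ep.am_installed and ep.am_enabled):
        return False
    return all(ep.config.get(key) == value for key, value in desired.items())


def measure(inventory: list[Endpoint], desired: dict) -> dict:
    """Run Operations 1 and 2 and return measures M1..M5 plus the coverage metric."""
    # Operation 1: drop endpoints that cannot support anti-malware (e.g. network gear).
    m1 = [ep for ep in inventory if ep.supports_antimalware]
    # Operation 2: split M1 into the compliant (M2) and non-compliant (M3) lists.
    m2 = [ep for ep in m1 if is_compliant(ep, desired)]
    m3 = [ep for ep in m1 if not is_compliant(ep, desired)]
    m4 = len(m1)
    m5 = len(m2)
    # Metric: Coverage = M5 / M4. The thread leaves the M4 == 0 case open;
    # this example returns None rather than choosing 0 or 1 for it (assumption).
    coverage: Optional[float] = m5 / m4 if m4 else None
    return {
        "M1": [ep.name for ep in m1],
        "M2": [ep.name for ep in m2],
        "M3": [ep.name for ep in m3],
        "M4": m4,
        "M5": m5,
        "coverage": coverage,
    }


# Constructed sample inventory (Input 1); names and values are made up.
SAMPLE_INVENTORY = [
    Endpoint("ws-01", True, True, True, {"scan_removable_media_on_insert": True}),
    Endpoint("ws-02", True, True, True, {"scan_removable_media_on_insert": False}),
    Endpoint("ws-03", True, True, False, {"scan_removable_media_on_insert": True}),
    Endpoint("ws-04", True, False, False),      # no anti-malware installed
    Endpoint("core-switch-01", False),          # cannot run anti-malware at all
]


if __name__ == "__main__":
    result = measure(SAMPLE_INVENTORY, DESIRED_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample inventory, `core-switch-01` is dropped in Operation 1, `ws-02` fails on the removable-media setting, `ws-03` has anti-malware disabled, and `ws-04` has none installed, so M4 is 4, M5 is 1 and coverage is 0.25. Because a disabled or missing product is folded into M3 exactly as the note in the proposal says, the only way to raise the score is to have the product installed, enabled and configured as Input 2 requires.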