Open adammontville opened 5 years ago
Internal Question: We may also want to discuss this with the Controls team. Is each individual workstation considered an authentication system for the purposes of any local accounts it houses? If not, this could impact the proposals for other related Sub-Controls like 16.12.
Sub-Control Dependencies
1) 16.1 Inventory of Authentication Systems

Inputs
1) Inventory of Authentication Systems. For each, include any related components used for credential storage for that authentication system, such as any databases that require configuration independent of the authentication system.
2) Approved configuration(s) to ensure that all credentials are encrypted and/or hashed with a salt when stored. There may be multiple configurations to handle the different types of authentication systems used in the organization, and configurations may also be required for related components involved in storing this data (e.g. database configurations).

Operations
1) For each authentication system provided in Input 1 (along with any listed related components), check whether it is configured according to the appropriate configuration(s) provided in Input 2. Using this information, create a list of the authentication systems that are properly configured (M1) and a list of the authentication systems that are not properly configured (M2), including the deviations from proper configuration. If any related component identified in Input 1 is not configured according to the appropriate configuration, then its associated authentication system should be considered improperly configured, and the specific component should be noted as part of the deviation from proper configuration.

Measures
M1: List of properly configured authentication systems (compliant list)
M2: List of improperly configured authentication systems (non-compliant list)
M3: Count of properly configured authentication systems (count of M1)
M4: Total count of authentication systems (count of Input 1)

Metrics
Ratio of properly configured authentication systems: M3 / M4
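The Operations step above, worked through in Python as an added example; this is not code from the issue or from the CIS Controls material. The inventory (Input 1), the component kinds and the approved settings (Input 2) are constructed sample data, and the setting names are illustrative placeholders rather than a specific product's configuration keys. A system whose kind has no approved configuration is reported as non-compliant with that reason, so a gap in Input 2 cannot silently inflate the ratio.

```python
"""Measurement of the sub-control's Operations, Measures and Metrics.

Added example with constructed data; not part of the original issue.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    """A related component used for credential storage (e.g. a database)."""
    name: str
    kind: str        # key into APPROVED_CONFIGS
    config: dict     # observed settings on the component


@dataclass
class AuthSystem:
    """One entry of Input 1: an authentication system plus its related components."""
    name: str
    kind: str
    config: dict
    related: list = field(default_factory=list)


# Input 2: approved settings per kind of system/component.
# Constructed for the example; the key names are illustrative placeholders.
APPROVED_CONFIGS = {
    "ldap": {"password_hash_scheme": "SSHA512", "plaintext_passwords": False},
    "web_app": {"password_hash": "argon2id", "per_user_salt": True},
    "postgres": {"password_encryption": "scram-sha-256", "ssl": True},
}


def deviations(kind, config):
    """Return 'key: expected X, found Y' strings for one system or component.

    A kind with no approved configuration yields one deviation, so it can never
    be counted as compliant by accident.
    """
    approved = APPROVED_CONFIGS.get(kind)
    if approved is None:
        return [f"no approved configuration defined for kind '{kind}'"]
    found_problems = []
    for key, expected in approved.items():
        found = config.get(key)
        if found != expected:
            found_problems.append(f"{key}: expected {expected!r}, found {found!r}")
    return found_problems


def measure(inventory):
    """Operations step 1: produce M1..M4 and the M3 / M4 ratio."""
    m1, m2 = [], {}
    for system in inventory:
        devs = [f"{system.name}: {d}" for d in deviations(system.kind, system.config)]
        # A non-compliant related component makes the whole system non-compliant,
        # and the component is named in the recorded deviation.
        for comp in system.related:
            devs += [f"component {comp.name}: {d}"
                     for d in deviations(comp.kind, comp.config)]
        if devs:
            m2[system.name] = devs
        else:
            m1.append(system.name)
    m3, m4 = len(m1), len(inventory)
    ratio = m3 / m4 if m4 else 0.0   # empty inventory: nothing measured
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "ratio": ratio}


# Input 1: constructed inventory. "portal" itself is configured correctly, but
# its credential database is not, so it must land in M2.
INVENTORY = [
    AuthSystem("corp-ldap", "ldap",
               {"password_hash_scheme": "SSHA512", "plaintext_passwords": False}),
    AuthSystem("portal", "web_app",
               {"password_hash": "argon2id", "per_user_salt": True},
               related=[Component("portal-db", "postgres",
                                  {"password_encryption": "md5", "ssl": True})]),
    AuthSystem("legacy-app", "web_app",
               {"password_hash": "sha1", "per_user_salt": False}),
]

if __name__ == "__main__":
    result = measure(INVENTORY)
    print(f"Ratio of properly configured authentication systems: "
          f"{result['M3']}/{result['M4']} = {result['ratio']:.2f}")
    for name, devs in result["M2"].items():
        print(f"{name}: " + "; ".join(devs))
```

Whether workstations holding local accounts belong in Input 1 is the open question raised at the top of the issue; the measurement simply evaluates whatever the inventory contains, so that decision directly changes M4 and therefore the ratio.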
Encrypt or hash with a salt all authentication credentials when stored.