adammontville / cis-controls-71-measures


Subcontrol 16.5 #146

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

Measures

None provided

Metrics

None provided

apiperCIS commented 5 years ago

This seems like it may be a subset of 14.4. We should be sure to coordinate our measurement proposals for these two sub-controls. Though, I ended up structuring the proposal below a lot like 16.4

apiperCIS commented 5 years ago

Sub-Control Dependencies
16.1 Inventory of Authentication Systems

Inputs
1) Inventory of Authentication Systems (for each, include any related components used by that authentication system to transmit credential information over the network)
2) Approved configuration(s) to ensure that all credentials are transmitted over encrypted channels. There may be multiple configurations to handle the different types of authentication systems used in the organization, and configurations may also be required for related components involved in transmitting this data (i.e. VPNs).

Operations
1) For each authentication system provided in Input 1 (along with any listed related components), check to see if it is configured properly according to the appropriate configuration(s) provided in Input 2. Using this information, create a list of the authentication systems that are properly configured (M1) and a list of the authentication systems that are not properly configured (M2) including the deviations from proper configuration (if any related component identified in Input 1 is not configured according to the appropriate configuration, then its associated authentication system should be considered improperly configured, and the specific component should be noted as part of the deviation from proper configuration).

Measures
M1: List of properly configured authentication systems (compliant list)
M2: List of improperly configured authentication systems (non-compliant list)
M3: Count of properly configured authentication systems (count of M1)
M4: Total count of authentication systems (count of Input 1)

Metrics
Ratio of properly configured authentication systems: M3 / M4
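The proposal above as a runnable measurement, added here as an example and not code from the cis-controls-71-measures repository: it takes an Input 1 inventory (authentication systems plus the related components that carry their credentials), an Input 2 table of approved encrypted-transport configurations, and produces M1 through M4 and the ratio, treating a misconfigured related component as a failure of its authentication system with the component recorded in the deviation. The inventory entries, component names and setting keys are constructed for illustration.

```python
# Added example (not from the cis-controls-71-measures repo): Operation 1 and
# Measures M1..M4 for Sub-Control 16.5. Inventory, names and keys are constructed.

# Input 1: authentication systems with the related components that carry their
# credentials over the network, and the observed transport settings of each.
INVENTORY = {
    "ldap-directory": {"self": {"transport": "ldaps", "tls_min_version": "1.2"},
                       "components": {"vpn-gateway": {"transport": "ikev2", "tls_min_version": "1.2"}}},
    "legacy-radius": {"self": {"transport": "radius-udp", "tls_min_version": None},
                      "components": {}},
    "web-sso": {"self": {"transport": "https", "tls_min_version": "1.2"},
                "components": {"reverse-proxy": {"transport": "https", "tls_min_version": "1.0"}}},
}

# Input 2: approved configuration per encrypted transport (minimum values).
# A transport absent from this table is not an approved encrypted channel.
APPROVED = {
    "ldaps": {"tls_min_version": "1.2"},
    "https": {"tls_min_version": "1.2"},
    "ikev2": {"tls_min_version": "1.2"},
}

def _ver(s):
    """Parse '1.2' into (1, 2) so minimum versions compare numerically."""
    return tuple(int(p) for p in s.split(".")) if s else (0,)

def check(settings, approved):
    """Deviations of one system or related component from Input 2."""
    transport = settings.get("transport")
    required = approved.get(transport)
    if required is None:
        return [f"transport {transport!r} is not an approved encrypted channel"]
    return [f"{k}={settings.get(k)!r} is below required {v!r}"
            for k, v in required.items() if _ver(settings.get(k)) < _ver(v)]

def measure(inventory, approved):
    """Classify each system; a misconfigured related component fails its system."""
    m1, m2 = [], {}
    for name, entry in inventory.items():
        devs = check(entry["self"], approved)
        for comp, settings in entry["components"].items():
            devs += [f"related component {comp}: {d}" for d in check(settings, approved)]
        if devs:
            m2[name] = devs          # M2: non-compliant, with recorded deviations
        else:
            m1.append(name)          # M1: compliant
    m3, m4 = len(m1), len(inventory) # M3 and M4
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "ratio": m3 / m4 if m4 else 0.0}
```

With the constructed inventory, only ldap-directory is compliant: legacy-radius fails on an unapproved transport and web-sso fails because its reverse-proxy component allows a TLS version below the approved minimum, giving a ratio of 1/3.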