adammontville / cis-controls-71-measures


Subcontrol 4.5 #67

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Use multi-factor authentication and encrypted channels for all administrative account access.

Measures

M1 = total accounts with multi-factor authentication
M2 = total accounts

Metrics

Coverage (Quality Measure) [0-1] = M1 / M2

apiperCIS commented 5 years ago

UNCC proposed identifying multifactor through incoming and outgoing traffic (ex: the one-time code to the phone must be sent, the user must then provide that code, and then the code must be verified). We suggested that non-mobile-phone multifactor (like a SecurID token) might not fit their proposed model.

apiperCIS commented 5 years ago

For Controls Team: Does encrypted channels equal VPN here?

apiperCIS commented 5 years ago

Inputs

1) List of Administrative accounts in the organization along with corresponding authentication system for each
2) Approved Multi-Factor Authentication Configuration(s) - there may be multiple configurations based on the types of accounts and authentication systems involved
3) Approved Encrypted Channel Configuration(s) - there may be multiple configurations based on the types of accounts and authentication systems involved

Operations

1) For each account in Input 1, check its configuration against the appropriate Multi-Factor Authentication configuration in Input 2. Create a list of compliant accounts (M1) and non-compliant accounts (M2)
2) For each account in Input 1, check its configuration against the appropriate Encrypted Channel configuration in Input 3. Create a list of compliant accounts (M3) and non-compliant accounts (M4)

Measures

M1: List of Administrative Accounts that are configured properly for Multi-Factor Authentication (Multi-Factor compliant list)
M2: List of Administrative Accounts that are not configured properly for Multi-Factor Authentication (Multi-Factor non-compliant list)
M3: List of Administrative Accounts that are configured properly to be accessed through encrypted channels (Encrypted Channel compliant list)
M4: List of Administrative Accounts that are not configured properly to be accessed through encrypted channels (Encrypted Channel non-compliant list)
M5: Count of Multi-Factor compliant Administrative Accounts (count of M1)
M6: Count of Encrypted Channel compliant Administrative Accounts (count of M3)
M7: Total count of Administrative Accounts (count of Input 1)

Metrics

Multi-Factor compliance ratio: M5 / M7
Encrypted Channel compliance ratio: M6 / M7

wmunyan commented 5 years ago

Could add 1 - the metrics above to get violation ratios
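The following is an added worked example, not code from the issue or from the cis-controls-71-measures project. It implements the Inputs/Operations/Measures/Metrics procedure from apiperCIS's comment and the complementary violation ratios from wmunyan's comment. The account names, authentication system names, approved configurations and observed settings are all constructed sample data; how an organisation actually collects Input 1 (an admin-account inventory with the MFA method and access channel each account uses) is outside what the issue specifies. Two edge cases the comments leave open are handled explicitly: an account whose authentication system has no approved configuration is counted as non-compliant, and an empty inventory (M7 = 0) yields undefined ratios rather than a division error.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AdminAccount:
    """One row of Input 1: an administrative account with the authentication
    system it belongs to and the MFA method / access channel observed for it."""
    name: str
    auth_system: str      # hypothetical system identifiers, e.g. "ad", "linux-pam"
    mfa_method: str       # MFA method the account is actually configured with
    access_channel: str   # protocol administrative sessions actually arrive over


# Input 2 (constructed): approved MFA configurations, keyed by authentication system.
APPROVED_MFA: Dict[str, Set[str]] = {
    "ad": {"smartcard", "hardware-token"},
    "linux-pam": {"hardware-token", "totp"},
    "cloud-iam": {"fido2", "totp"},
}

# Input 3 (constructed): approved encrypted channel configurations, keyed the same way.
APPROVED_CHANNELS: Dict[str, Set[str]] = {
    "ad": {"rdp-tls", "winrm-https"},
    "linux-pam": {"ssh"},
    "cloud-iam": {"https"},
}

# Input 1 (constructed): the administrative account inventory.
INVENTORY: List[AdminAccount] = [
    AdminAccount("da-alice", "ad", "smartcard", "rdp-tls"),
    AdminAccount("da-bob", "ad", "password-only", "rdp-tls"),
    AdminAccount("root-web01", "linux-pam", "totp", "ssh"),
    AdminAccount("root-db01", "linux-pam", "hardware-token", "telnet"),
    AdminAccount("iam-carol", "cloud-iam", "sms", "https"),
]


def split_by_config(inventory: List[AdminAccount],
                    approved: Dict[str, Set[str]],
                    attr: str) -> Tuple[List[str], List[str]]:
    """Operations 1 and 2: compare the account's setting named by `attr` with the
    approved set for its authentication system. Returns (compliant, non-compliant)
    name lists. Assumption: an auth system with no approved configuration on file
    makes every account on it non-compliant, so a gap in Input 2/3 cannot inflate
    the compliance ratio."""
    compliant: List[str] = []
    noncompliant: List[str] = []
    for acct in inventory:
        allowed = approved.get(acct.auth_system, set())
        target = compliant if getattr(acct, attr) in allowed else noncompliant
        target.append(acct.name)
    return compliant, noncompliant


def measures(inventory: List[AdminAccount],
             approved_mfa: Dict[str, Set[str]] = APPROVED_MFA,
             approved_channels: Dict[str, Set[str]] = APPROVED_CHANNELS) -> dict:
    """Produce M1..M7 exactly as defined in the comment."""
    m1, m2 = split_by_config(inventory, approved_mfa, "mfa_method")
    m3, m4 = split_by_config(inventory, approved_channels, "access_channel")
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4,
            "M5": len(m1), "M6": len(m3), "M7": len(inventory)}


def metrics(m: dict) -> Dict[str, Optional[float]]:
    """Compliance ratios M5/M7 and M6/M7, plus the 1 - ratio violation ratios.
    With no administrative accounts (M7 == 0) the ratios are undefined, so they
    are reported as None instead of raising ZeroDivisionError."""
    total = m["M7"]
    if total == 0:
        return {"mfa_compliance": None, "channel_compliance": None,
                "mfa_violation": None, "channel_violation": None}
    mfa = m["M5"] / total
    chan = m["M6"] / total
    return {"mfa_compliance": mfa, "channel_compliance": chan,
            "mfa_violation": 1 - mfa, "channel_violation": 1 - chan}


if __name__ == "__main__":
    m = measures(INVENTORY)
    for key in ("M1", "M2", "M3", "M4"):
        print(f"{key}: {m[key]}")
    print(f"M5={m['M5']} M6={m['M6']} M7={m['M7']}")
    for name, value in metrics(m).items():
        print(f"{name}: {value:.2f}")
```

On the sample inventory the MFA non-compliant list (M2) contains the password-only and SMS accounts, and the channel non-compliant list (M4) contains the telnet-accessed root account, giving a Multi-Factor compliance ratio of 0.6 and an Encrypted Channel compliance ratio of 0.8 (violation ratios 0.4 and 0.2). Keeping M2 and M4 as name lists rather than only counts is what makes the metric actionable: the lists are the remediation queue.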