adammontville / cis-controls-71-measures


Subcontrol 4.6 #68

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

Measures

M1 = # of administrative accounts in total
M2 = # of administrative accounts logged in on a machine reachable from outside (not in the organization's private network)

Metrics

Enforcement Quality = (M1 - M2) / M1
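
Worked example of computing the two measures and the Enforcement Quality metric from login records. This is an added illustration, not code from this repository or from CIS; it assumes a constructed set of administrative accounts and login events, treats the RFC 1918 ranges as the organization's private network, and reads M2 as the number of distinct administrative accounts seen logging in from outside that network (so the ratio stays between 0 and 1, consistent with M1 being a count of accounts). Replace the account set, the login source and the private prefixes with your own.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the organization's private network is the RFC 1918 space.
# Substitute the real internal prefixes when applying the measure.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed administrative account inventory (hypothetical names).
ADMIN_ACCOUNTS = {"admin-alice", "admin-bob", "admin-carol", "admin-dave"}


@dataclass(frozen=True)
class LoginEvent:
    account: str
    source_ip: str


# Constructed sample login events, not real log data.
SAMPLE_LOGINS = [
    LoginEvent("admin-alice", "10.20.30.40"),
    LoginEvent("admin-alice", "10.20.30.41"),
    LoginEvent("admin-bob", "203.0.113.7"),    # public source: outside the private network
    LoginEvent("admin-carol", "192.168.1.5"),
    LoginEvent("jdoe", "198.51.100.2"),        # not an administrative account; ignored
    LoginEvent("admin-dave", "172.16.5.9"),
]


def is_private(ip: str) -> bool:
    """True when the source address falls inside one of the private prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def m1(admin_accounts) -> int:
    """M1: total number of administrative accounts."""
    return len(admin_accounts)


def m2(logins, admin_accounts) -> int:
    """M2: distinct administrative accounts that logged in from outside the private network."""
    exposed = {
        e.account
        for e in logins
        if e.account in admin_accounts and not is_private(e.source_ip)
    }
    return len(exposed)


def enforcement_quality(logins, admin_accounts) -> float:
    """Enforcement Quality = (M1 - M2) / M1; undefined when there are no admin accounts."""
    total = m1(admin_accounts)
    if total == 0:
        raise ValueError("no administrative accounts: metric is undefined")
    return (total - m2(logins, admin_accounts)) / total


if __name__ == "__main__":
    print("M1 =", m1(ADMIN_ACCOUNTS))
    print("M2 =", m2(SAMPLE_LOGINS, ADMIN_ACCOUNTS))
    print("Enforcement Quality =", enforcement_quality(SAMPLE_LOGINS, ADMIN_ACCOUNTS))
```

With the constructed data only admin-bob logs in from a public address, so M1 = 4, M2 = 1 and Enforcement Quality = 0.75. Counting distinct accounts rather than individual logins keeps M2 no larger than M1; if a login-count reading of M2 is wanted instead, the metric needs a different denominator.
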
apiperCIS commented 5 years ago

For Controls team:

  1. If the machine is segmented from the organization's primary network, how can that machine be used to administer the machines on that network?

  2. UNCC objected to the "composing documents" part. We pointed out the possibility of malicious documents from removable media.

apiperCIS commented 5 years ago

UNCC is proposing testing the level of isolation of the dedicated admin machine using a tool such as ConfigChecker.

apiperCIS commented 4 years ago

Coordinate this with 11.6 (IG2) which is very similar

adammontville commented 4 years ago

Inputs:

Operations:

Measures:

Metrics: