Configure the system security parameters to prevent misuse of the system.

UCF ID: 00881
Control Type: Configuration
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.8, ¶ .20 § 3.11, ¶ .24 § 3.12, ¶ .29 § 3.11; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 2.2.3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 8 Control 13; Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006, § 2.1, § 5.6, § 5.6.4; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 3.2; ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 15.10, § J.10; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 2.2.3; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.2 (WIR3250), § 3.15.2, App B.2 Row “Site Access/URL Substitutions”; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-18(4); ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.6

Payment Card Guidance

The organization must ensure all system security parameters are configured to prevent misuse.
Examine the configuration files and standards to verify the the security parameters are included in the system configuration standards.
Interview System Administrators and/or security managers to ensure they know the common security settings for the operating systems, servers, and other components of the network. [§ 2.2.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must ensure all system security parameters are configured to prevent misuse. [§ 2.2.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Internal Revenue Guidance

The system boot settings or initialization files must be password-protected. [Exhibit 8 Control 13, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization should ensure only authorized personnel are allowed to configure wireless networking capabilities. [App F § AC-18(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

System Configuration Guidance

The Information Assurance Officer should regularly scan the security posture of the system to identify potential security weaknesses. Waiting for security violations to occur and reacting to them is not adequate. ACLs can be used to grant or deny access to objects based on security groups (users, user groups, or program groups). The Security Officer or the Site Management Complex (SIMAN) Administrator should be the only users allowed to grant or deny access permissions to objects. [§ 2.1, § 5.6, § 5.6.4, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006]

Other Configuration Guidance

The System Administrator must ensure security measures have been implemented to prevent security incidents from occurring. [§ 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

§ 2.2 (WIR3250) Configure a filter on the GMI server to block the download of prohibited file types. Ensure that all required wireless email servers and device configuration settings are implemented.
§ 3.15.2 Prohibited file types must be blocked from being downloaded on to the smartphone, including .cab, .exe, and .zip.
App B.2 Row “Site Access/URL Substitutions” under Site Access Tab, click ‘Yes’ and change from ‘local host’ to ‘www.google.com’. Localhost is blocked so that users cannot access data on the GMI host server. [§ 2.2 (WIR3250), § 3.15.2, App B.2 Row “Site Access/URL Substitutions”, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]

ISO Guidance

The system should ensure that security policy enforcement functions succeed before functions are allowed to proceed. [§ 15.10, § J.10, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security safeguards (e.g. capture and disclosure of passwords), unintended disclosure of information, unintended changes to information, destruction of information, and/or unauthorized use of system resources.
Some forms of malicious code can be detected and removed by special scanning software. Scanners are available for firewalls, file servers, mail servers, and workstations for some types of malicious code. Further, to enable detection of new malicious code it is very important to ensure that the scanning software is always kept up to date, through at least weekly updates. However, users and administrators should be made aware that scanners cannot be relied upon to detect all malicious code (or even all malicious code of a particular type) because new forms of malicious code are continually arising. Typically, other forms of safeguard are required to augment the protection provided by scanners (where they exist).
Users and administrators of systems with network connections should be made aware that there are greater than normal risks associated with malicious software when dealing with external parties over external links. Guidelines for users and administrators should be developed outlining procedures and practices to minimize the possibility for introducing malicious code.
Users and administrators should take special care to configure systems and applications associated with network connections to disable functions that are not necessary in the circumstances. (For example, PC applications could be configured so that macros are disabled by default, or require user confirmation before execution of macros.) [¶ 13.6, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]

General Guidance

The system security parameters should be configured in accordance with the organization's security policy to ensure only authorized users can gain access to the system. [¶ .17 § 3.8, ¶ .20 § 3.11, ¶ .24 § 3.12, ¶ .29 § 3.11, AICPA Suitable Trust Services Principles and Criteria]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
    Report on the percentage of systems with configurations that do not deviate from approved standards. [UCF Control ID 02098]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.