Back

Secure access to each system component operating system.


CONTROL ID
00551
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Enforce privileged accounts and non-privileged accounts for system access., CC ID: 00558
  • Separate user functionality from system management functionality., CC ID: 11858
  • Segregate electronically stored information from operating system access., CC ID: 00552


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The network that hosts IoT devices should be secured. For instance, network access controls can be implemented to restrict network traffic to and from an IoT device to prevent a cyber threat actor from accessing the FI's network and launching malware or DoS attacks. To further reduce IoT risks, the … (§ 11.5.3, Technology Risk Management Guidelines, January 2021)
  • Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities. (Security Control: 1381; Revision: 2, Australian Government Information Security Manual)
  • Access to network or system information must be restricted to individuals who need to have the information because it can reveal vulnerabilities to a potential attacker. (§ 8.2.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • To ensure network security, securing network software and operating systems should be included in the data protection efforts. (§ 5.2 (Network Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • A list of all security management functions that the system can provide should be compiled. These security management functions include backup and recovery, allowing Administrators to define security-related parameters, and functions performed by operators for the continued operation of the product. (§ 13.6, § H.6, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Is the UNIX Operating System or the Linux Operating System used to transmit scoped data? (§ G.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the UNIX Operating System or the Linux Operating System used to process scoped data? (§ G.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the UNIX Operating System or the Linux Operating System used to store scoped data? (§ G.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are network virtual local area networks for host Operating System communications with guest operating systems separated? (§ V.1.72.26, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, do guest operating systems communicate on separate virtual local area network's from other guest operating systems that they do not need to communicate with? (§ V.1.72.27, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are the host operating system management interface on a separate network than those used by guest operating systems? (§ V.1.72.28, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • CSR 2.5.1: The organization must ensure the operating security features of sensitive information systems have the following minimum requirements: a security policy, assurance, accountability, and documentation. The organization must ensure all security features are available and activated. CSR 2.10.… (CSR 2.5.1, CSR 2.10.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Only authorized personnel must be able to access the software, hardware, and/or firmware that performs security or systems functions. (§ 8-613.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Implements OS controls. (App A Objective 3:7l, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Oversees and maintains the OS, including testing and installing patches when appropriate. (App A Objective 13:6a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Restricts operating system access to specific terminals in physically secure and monitored locations. (App A Objective 6.21.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Security level 1 operating system requirements are as follows: restrict the operating system to a single operator mode of operation; the cryptographic module shall prevent access to plaintext private and secret keys, critical security parameters (CSPs), and intermediate key generation values during … (§ 4.6.1, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)