Back

Establish, implement, and maintain a system hardening standard.


CONTROL ID
00876
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain configuration standards for all systems based upon industry best practices., CC ID: 11953


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A relevant entity must ensure that there is a written set of security standards for every system. (IV. 4.3(a), MAS-201908-Notice 655 Cyber Hygiene)
  • ACSC and vendor hardening guidance for ICT equipment is implemented. (Control: ISM-1858; Revision: 0, Australian Government Information Security Manual, June 2023)
  • ACSC and vendor hardening guidance for operating systems is implemented. (Control: ISM-1409; Revision: 2, Australian Government Information Security Manual, June 2023)
  • ACSC or vendor hardening guidance for web browsers is implemented. (Control: ISM-1412; Revision: 4, Australian Government Information Security Manual, June 2023)
  • ACSC or vendor hardening guidance for office productivity suites is implemented. (Control: ISM-1859; Revision: 0, Australian Government Information Security Manual, June 2023)
  • ACSC or vendor hardening guidance for PDF software is implemented. (Control: ISM-1860; Revision: 0, Australian Government Information Security Manual, June 2023)
  • ACSC and vendor hardening guidance for server applications is implemented. (Control: ISM-1246; Revision: 4, Australian Government Information Security Manual, June 2023)
  • The database servers must use a hardened Standard Operating Environment. (Control: 1259, Australian Government Information Security Manual: Controls)
  • The organization must ensure gateways are configured to apply the controls from the data transfers and content filtering chapter of this manual. (Control: 0631 Bullet 4, Australian Government Information Security Manual: Controls)
  • Are system configuration standards applied when new systems are configured? (2.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Devotes the most attention to the hardening of systems, although it does not make a distinction between acquired systems and newly developed systems. (Further Issues 9 § 3.2, ISF Security Audit of Networks)
  • Important internal Certification Authorities (and related sub-certification authorities) should be protected by 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, and changing vendor supplied default parameters, such as… (CF.08.06.03b, The Standard of Good Practice for Information Security, 2013)
  • The responsible entity shall establish and document a process of Change Control and Configuration Management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and implement supporting configuration management activities to identify, control and document all ent… (§ R6, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
  • Host servers and computers where Sensa services are installed (e.g., Sensa Management server, Sensa Mail server, Exchange e-mail server, and Lightweight Directory Access Protocol [LDAP] server) must be hardened in accordance with the appropriate operating system (OS) STIG. (§ 2.2 (WIR1160), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The organization must use a Department of Defense reference document, such as a security recommendation guide or a Security Technical Implementation Guide, as the primary source for Implementation Guidance or security configuration for newly acquired Information Technology products. If a reference d… (DCCS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must use a Department of Defense reference document, such as a security recommendation guide or a Security Technical Implementation Guide, as the primary source for Implementation Guidance or security configuration for newly acquired Information Technology products. If a reference d… (DCCS-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Have the servers been hardened? (IT - Servers Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enf… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)