
Establish, implement, and maintain system hardening procedures.


CONTROL ID
12001
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

This Control has the following implementation support Control(s):
  • Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards., CC ID: 04831
  • Configure session timeout and reauthentication settings according to organizational standards., CC ID: 12460
  • Configure "Docker" to organizational standards., CC ID: 14457
  • Configure "etcd" to organizational standards., CC ID: 14535
  • Configure "Kubernetes" to organizational standards., CC ID: 14528
  • Configure the Remote Deposit Capture system to organizational standards., CC ID: 13569
  • Block and/or remove unused software and unauthorized software., CC ID: 00865
  • Assign system hardening to qualified personnel., CC ID: 06813
  • Use the latest version of all software., CC ID: 00897
  • Change default configurations, as necessary., CC ID: 00877
  • Establish, implement, and maintain procedures to standardize operating system software installation., CC ID: 00869
  • Configure Least Functionality and Least Privilege settings to organizational standards., CC ID: 07599
  • Establish, implement, and maintain idle session termination and logout capabilities., CC ID: 01418
  • Install custom applications, only if they are trusted., CC ID: 04822
  • Configure virtual networks in accordance with the information security policy., CC ID: 13165
  • Configure Simple Network Management Protocol (SNMP) to organizational standards., CC ID: 12423
  • Configure the system's storage media., CC ID: 10618
  • Configure Internet Browser security options according to organizational standards., CC ID: 02166
  • Implement only one application or primary function per network component or server., CC ID: 00879
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880
  • Disable all unnecessary applications unless otherwise noted in a policy exception., CC ID: 04827
  • Remove all unnecessary functionality., CC ID: 00882
  • Establish, implement, and maintain the interactive logon settings., CC ID: 01739
  • Configure the settings of the system registry and the systems objects (for Windows OS only)., CC ID: 01781
  • Apply the appropriate warning message to systems., CC ID: 01596
  • Enable logon authentication management techniques., CC ID: 00553
  • Establish, implement, and maintain authenticators., CC ID: 15305
  • Configure each system's security alerts to organizational standards., CC ID: 12113
  • Configure the system security parameters to prevent system misuse or information misappropriation., CC ID: 00881
  • Configure knowledge-based authentication tools in accordance with organizational standards., CC ID: 13740
  • Disable or configure the e-mail server, as necessary., CC ID: 06563
  • Configure the system account settings and the permission settings in accordance with the organizational standards., CC ID: 01538
  • Establish and maintain specific directory installation rules and domain controller installation rules., CC ID: 01734
  • Establish, implement, and maintain appropriate shutdown procedures., CC ID: 01778
  • Configure Multi-Function Devices to clear their hard drives in between jobs., CC ID: 04816
  • Configure shared volumes to use the appropriate file system for the network protocols being operated (NT File System in Windows OS or Netware SS), and configure the security parameters., CC ID: 01927
  • Configure utility and device driver software in accordance with organizational standards., CC ID: 12340
  • Configure appropriate Partitioning schemes., CC ID: 02162
  • Configure attached printers and shared printers., CC ID: 04499
  • Establish, implement, and maintain network parameter modification procedures., CC ID: 01517
  • Configure Automated Teller Machines in accordance with organizational standards., CC ID: 12542
  • Enable or disable remote print browsing, as appropriate., CC ID: 05718
  • Configure the time server in accordance with organizational standards., CC ID: 06426
  • Verify the organization has Emergency Power Supplies available for the systems., CC ID: 01912
  • Configure Private Branch Exchanges in accordance with organizational standards., CC ID: 02219
  • Configure Wireless Access Points in accordance with organizational standards., CC ID: 12477
  • Configure mobile device settings in accordance with organizational standards., CC ID: 04600
  • Configure Cisco-specific applications and service in accordance with organizational standards., CC ID: 06557
  • Configure custom Oracle-specific applications and services in accordance with organizational standards., CC ID: 06565
  • Configure the Global Positioning System settings as appropriate., CC ID: 06888
  • Configure endpoint security tools in accordance with organizational standards., CC ID: 07049
  • Configure e-mail security settings in accordance with organizational standards., CC ID: 07055
  • Configure web server security settings in accordance with organizational standards., CC ID: 07059
  • Certify and accredit the system before releasing it into a production environment., CC ID: 06419
  • Establish, implement, and maintain virtualization configuration settings., CC ID: 07110
  • Configure Microsoft Office to Organizational Standards., CC ID: 07147
  • Configure Services settings to organizational standards., CC ID: 07434
  • Configure network protection settings to organizational standards., CC ID: 07601
  • Configure Account settings in accordance with organizational standards., CC ID: 07603
  • Configure system integrity settings to organizational standards., CC ID: 07605
  • Configure Protocol Configuration settings to organizational standards., CC ID: 07607
  • Configure Logging settings in accordance with organizational standards., CC ID: 07611
  • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621
  • Configure Encryption settings in accordance with organizational standards., CC ID: 07625
  • Configure File Retention, Impact Level, and Classification Settings settings in accordance with organizational standards., CC ID: 07715
  • Configure System settings in accordance with organizational standards., CC ID: 07806
  • Configure Virus and Malware Protection settings in accordance with organizational standards., CC ID: 07906
  • Configure User Notification settings in accordance with organizational standards., CC ID: 08201
  • Configure Windows Components settings in accordance with organizational standards., CC ID: 08263
  • Configure File System settings in accordance with organizational standards., CC ID: 08294
  • Configure Control Panel settings in accordance with organizational standards., CC ID: 08311
  • Configure Capacity and Performance Management settings in accordance with organizational standards., CC ID: 08353
  • Configure Personal Information Handling settings in accordance with organizational standards., CC ID: 08396
  • Configure Data Backup and Recovery settings in accordance with organizational standards., CC ID: 08406
  • Configure Nonrepudiation Configuration settings in accordance with organizational standards., CC ID: 08432
  • Configure Device Installation settings in accordance with organizational standards., CC ID: 08438
  • Configure Security settings in accordance with organizational standards., CC ID: 08469
  • Configure Power Management settings in accordance with organizational standards., CC ID: 08515
  • Configure Patch Management settings in accordance with organizational standards., CC ID: 08519
  • Configure Start Menu and Task Bar settings in accordance with organizational standards., CC ID: 08615
  • Configure the proxy server to organizational standards., CC ID: 12115
  • Configure Red Hat Enterprise Linux to Organizational Standards., CC ID: 08713
  • Configure Polycom HDX to Organizational Standards., CC ID: 08986
  • Configure Apache and Tomcat to Organizational Standards., CC ID: 08987
  • Configure IIS to Organizational Standards., CC ID: 08988
  • Configure Microsoft SQL Server to Organizational Standards., CC ID: 08989
  • Configure Oracle WebLogic Server to Organizational Standards., CC ID: 08990
  • Configure security and protection software according to Organizational Standards., CC ID: 11917
  • Configure dedicated systems used for system management according to organizational standards., CC ID: 12132
  • Configure Application Programming Interfaces in accordance with organizational standards., CC ID: 12170
  • Configure the Domain Name System in accordance with organizational standards., CC ID: 12202
  • Configure payment systems in accordance with organizational standards., CC ID: 12217
  • Configure File Integrity Monitoring Software to Organizational Standards., CC ID: 11923
  • Configure Bluetooth settings according to organizational standards., CC ID: 12422
  • Remove backup files after initializing and hardening is complete., CC ID: 01602
  • Perform vulnerability testing before final installation., CC ID: 00884
  • Reboot the system after initial systems hardening is complete and before certification., CC ID: 01603
  • Configure systems to protect against unauthorized data mining., CC ID: 10095
  • Implement safeguards to protect memory from unauthorized code execution., CC ID: 10686
  • Configure network switches to organizational standards., CC ID: 12120


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The hardware and software systems and procedures for an Authentication Service provider shall be reasonably secure from intrusion and misuse. (§ 30(3)(a), The Electronic Communications and Transactions Act, 2002)
  • A purchaser may supply installation parameters necessary for the program to function properly and may customize the software by choosing options. (§ 90(3), The Electronic Communications and Transactions Act, 2002)
  • Check that the database is hardened and not placed in a vulnerable spot within the network. (Annex A1: Database Security 51, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. (Security Control: 1494; Revision: 0, Australian Government Information Security Manual)
  • When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system running on the server is hardened. (Security Control: 1605; Revision: 0, Australian Government Information Security Manual)
  • An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used. (Security Control: 0303; Revision: 6, Australian Government Information Security Manual)
  • The procedures for applying the appropriate hardening techniques in order to manage the security and functionality of System Software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "System maintenance", Australian Government Information Security Manual: Controls)
  • The organization should install, configure, operate, and administer the evaluated products in accordance with the evaluation documentation. (Control: 0289, Australian Government Information Security Manual: Controls)
  • The organization must ensure High Grade Cryptographic Equipment and high assurance products are installed, configured, operated, and administered in accordance with the specific guidance from Defence Signals Directorate. (Control: 0290, Australian Government Information Security Manual: Controls)
  • High Grade Cryptographic Equipment and high assurance products must not be used in an unevaluated configuration. (Control: 0292, Australian Government Information Security Manual: Controls)
  • The organization must ensure security patches, driver updates, firmware updates, and application installations are conducted in a way that verifies the authenticity and integrity of the process. (Control: 0303, Australian Government Information Security Manual: Controls)
  • The organization must configure, harden, and secure web servers. (Control: 1242, Australian Government Information Security Manual: Controls)
  • The organization should securely configure the Database Management System software in accordance with the vendor's guidance. (Control: 1246, Australian Government Information Security Manual: Controls)
  • Network security devices that are connected to dual-stack networks or Internet Protocol version 6 networks must be Internet Protocol version 6 capable. (Control: 1186, Australian Government Information Security Manual: Controls)
  • The organization should maintain an initial hardening of the system to prevent or reduce potential vulnerabilities to the system. Organizations should develop installation procedures for the hardening of workstations and servers. (§ 3.5.8, § 3.5.10, § 3.5.12, Australian Government ICT Security Manual (ACSI 33))
  • The organization should harden the workstation application security configurations (e.g., disabling unnecessary features in Microsoft Office applications, pdf viewers, and web browsers). (Mitigation Strategy Effectiveness Ranking 26, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should harden the server application security configuration (e.g., web applications, databases, data storage systems, and Customer Relationship Management). (Mitigation Strategy Effectiveness Ranking 28, Strategies to Mitigate Targeted Cyber Intrusions)
  • System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented as well as the implementation status. (Section 5.6 RB-22 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Configuration verification and audit comprises a series of reviews and audits that verify the physical existence of CIs and check that the CIs are correctly recorded in the CMDB and controlled libraries. It includes the verification of Release and configuration documentation before changing the live… (§ 7.3.5, OGC ITIL: Service Support)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • Is the system configured to filter JavaScript? (Table Row VI.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is the system configured to filter the Java Virtual Machine vulnerability? (Table Row VI.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The partition that Mac OS X will be installed on should be securely erased prior to installation. By erasing the partition, potential vulnerabilities caused by previous settings will be eliminated. (Pg 22, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Ensure the container host has been Hardened Description: A container host is able to run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration. Rationale: You should follow infrastructure security best practices and harden your host OS. Keep… (1.1.1, The Center for Internet Security Docker Level 1 Linux Host OS Benchmark, v 1.2.0)
  • Ensure the container host has been Hardened Description: A container host is able to run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration. Rationale: You should follow infrastructure security best practices and harden your host OS. Keep… (1.1.1, The Center for Internet Security Docker Level 2 Linux Host OS Benchmark, v 1.2.0)
  • Peer-to-peer WLANs should have mutual authentication enabled. (§ 2.3.2 (2.3.2.060), The Center for Internet Security Wireless Networking Benchmark, 1)
  • (Principle 7.24, ISACA Cross-Border Privacy Impact Assessment)
  • Use configuration hardening by disabling all unnecessary services in the router configuration. Harden Web servers to tighten the security and remove exploitable tools. Harden an application server after installation. Rename built-in accounts, and change the password. Harden DNS servers. Harden mail … (§ 3-3, § 3-10, § 3-13, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Verify the system configuration standards are consistent with industry-accepted hardening standards. (§ 2.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the system configuration standards and verify they are consistent with industry-accepted system hardening standards. (Testing Procedures § 2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine policies to verify the system configuration standards are applied to new systems when they are initially configured. (Testing Procedures § 2.2.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the documented policies and procedures to verify they include processes that the protocols in use only support secure versions and configurations. (Testing Procedures § 4.1.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Develop configuration standards for all system components. (§ 2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the system configuration standards are consistent with industry-accepted hardening standards. (§ 2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Servers should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, enterprise management tools, and back-up software). (CF.07.02.06d, The Standard of Good Practice for Information Security)
  • Business applications should be protected against unauthorized access to information by hardening the Operating System (e.g., ensuring that all unnecessary software, network services, and applications have been disabled / removed). (CF.04.01.02a, The Standard of Good Practice for Information Security)
  • Network devices should be subject to standard security management practices, which includes 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, removing unnecessary scripts, drivers, features and sub-systems, and changin… (CF.09.01.03b, The Standard of Good Practice for Information Security)
  • The Digital Rights Management server should be subject to standard security management practices (eg restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them and performing regular reviews). (CF.08.08.06, The Standard of Good Practice for Information Security)
  • Office equipment shall be deployed according to a standard, technical configurations (e.g., disabling unnecessary services, such as web, mail, and File Transfer Protocol, and changing default administration passwords). (CF.12.03.02b, The Standard of Good Practice for Information Security)
  • Important internal Certification Authorities (and related sub-certification authorities) should be protected by 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, and changing vendor supplied default parameters, such as… (CF.08.06.03b, The Standard of Good Practice for Information Security)
  • Mobile devices should be provided with standard technical build configurations that include running a standard Operating System, trusted applications, and reliable communications software. (CF.14.02.04a, The Standard of Good Practice for Information Security)
  • Protection of the instant messaging infrastructure should be improved by 'hardening' instant messaging servers (e.g., by locking down the Operating System and application). (CF.15.02.04b, The Standard of Good Practice for Information Security)
  • Business applications should be protected against unauthorized access to information by hardening the Operating System (e.g., ensuring that all unnecessary software, network services, and applications have been disabled / removed). (CF.04.01.02a, The Standard of Good Practice for Information Security, 2013)
  • Network devices should be subject to standard security management practices, which includes 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, removing unnecessary scripts, drivers, features and sub-systems, and changin… (CF.09.01.03b, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management server should be subject to standard security management practices (eg restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them and performing regular reviews). (CF.08.08.06, The Standard of Good Practice for Information Security, 2013)
  • Office equipment shall be deployed according to a standard, technical configurations (e.g., disabling unnecessary services, such as web, mail, and File Transfer Protocol, and changing default administration passwords). (CF.12.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Protection of the instant messaging infrastructure should be improved by 'hardening' instant messaging servers (e.g., by locking down the Operating System and application). (CF.15.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, enterprise management tools, and back-up software). (CF.07.02.09d, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard technical build configurations that include running a standard Operating System, trusted applications, and reliable communications software. (CF.14.02.04, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to protect memory against misuse by malicious or compromised applications (e.g., by enabling Data Execution Prevention and using Address Space Layout Randomization to prevent buffer overflow attacks). (CF.07.02.06, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured in accordance with documented standards / procedures, which cover using standardized, predetermined server images to build / configure servers. (CF.07.02.01b, The Standard of Good Practice for Information Security, 2013)
  • Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to u… (Control 3.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should implement secure configurations for hardware and software on laptops, workstations, mobile devices, and servers. (Critical Control 3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use hardened versions of the Operating System and applications to make the standardized images. (Critical Control 3.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should conduct a configuration review of the database software and the Operating System where it resides, for each application that relies on a database, to verify the database settings have been hardened in accordance with the standard hardening templates. (Critical Control 6.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications. (IS-30, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications. (2.10A Control Objective, SWIFT Customer Security Controls Framework, Customer Security Programme, v2019)
  • Reduce the cyber attack surface of SWIFT-related components by performing system hardening. (2.3 Control Objective, SWIFT Customer Security Controls Framework, Customer Security Programme, v2019)
  • Maintain documented, standard security configuration standards for all authorized operating systems and software. (CIS Control 5: Sub-Control 5.1 Establish Secure Configurations, CIS Controls, V7)
  • Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for… (PR.AC-4.3, CRI Profile, v1.2)
  • The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for… (PR.AC-4.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability): - Review of antivirus update level; - Review of antivirus update process used by the party; - Review of applicati… (Section 2. 2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): - Security patching, including manual or managed up… (Section 1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • System hardening; or (Attachment 1 Section 1. 1.3. Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review of system hardening used by the party; or (Attachment 1 Section 2. 2.2 Bullet 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review of system hardening used by the party; or (Attachment 1 Section 5. 5.2 5.2.1 Bullet 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Do UNIX computers or Linux computers that transmit scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do UNIX computers or Linux computers that process scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do UNIX computers or Linux computers that store scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do Windows systems that transmit scoped data conform to the Windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do Windows systems that process scoped data conform to the Windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do Windows systems that store scoped data conform to the Windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services, are the component and system configuration standards available during a client audit? (§ V.1.20.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does security hardening involve the cloud computing providers providing default hardened images? (§ V.1.49.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does system hardening involve client supplied default hardened images? (§ V.1.49.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are The Center for Internet Security hardening standards applied? (§ V.1.49.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are the National Institute of Standards and Technology hardening standards applied? (§ V.1.49.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are the System Administration, Networking, and Security Institute hardening standards applied? (§ V.1.49.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are the vendor hardening standards applied? (§ V.1.49.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are other hardening standards applied? (§ V.1.49.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are hypervisor hardening standards applied? (§ V.1.72.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 3.10.1 ¶ 1: As part of the configuration management program, CMS business partners are highly encouraged to use the documents listed in Appendix C to develop configuration standards, templates, and processes to securely configure Medicare systems. § 3.10.1 ¶ 3: The CMS hierarchy for implementi… (§ 3.10.1 ¶ 1, § 3.10.1 ¶ 3, § 3.10.2 ¶ 2, § 3.10.3, § 3.10.4 ¶ 2, § 3.10.4 ¶ 4, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.2: The organization must ensure all security features are available and activated. CSR 3.6.5: The organization must configure the operating system so the security software and application controls cannot be circumvented. CSR 10.7.9: The organization must configure the security settings to th… (CSR 2.1.2, CSR 3.6.5, CSR 10.7.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must adhere to all security requirements listed in the applicable Operating System STIG(s) and the applicable Desktop Application STIG(s) when using devices that access a DoD network remotely. (§ 3, § 5.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 2.2 (WIR3160) Host servers and computers that have Good Mobile Messaging (GMM) services installed on them should be hardened in accordance with the applicable operating system STIG (Security Technical Implementation Guide). § 2.2 (WIR3250) Ensure that all required wireless e-mail servers and dev… (§ 2.2 (WIR3160), § 2.2 (WIR3250), App B.1 Row "Enable Access to Good Contacts", App B.1 Row "Enable beaming contacts", § 3.3.1, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • Host servers and computers that have Windows Mobile Messaging services installed on them should be hardened in accordance with the applicable operating system STIG (Security Technical Implementation Guide). § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be imple… (§ 2.2 (WIR2160), § 2.2 (WIR2250), § 3.4.1, § 3.4.2, App B.1 Row "SSL connection to ISA server", App B.2 Row "SSL connection to Exchange", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Hardening / patching / maintenance of OSs and applications IAW industry standards. DoD SRGs and STIGs or DoD-accepted equivalents must be used if the service is private or community cloud used by DoD. For Information Assurance (IA) Vulnerability Management (IAVM) message compliance, the CSP will be … (Section 5.10.3.1 ¶ 2 Bullet 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The organization must verify that all Department of Defense configuration guides or implementation guides have been implemented for enclaves and Automated Information System applications. (ECSC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Determine whether management has processes to harden applications and systems (e.g., installing minimum services, installing necessary patches, configuring appropriate security settings, enforcing principle of least privilege, changing default passwords, and enabling logging). (App A Objective 6.13, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following: - Configuration management of IT systems and applications. - Hardening of systems and applications. - Use of standard builds. - Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Before a system is put into the production environment, it should be hardened by removing or disabling any unnecessary or insecure files and services. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Whether network servers are satisfactorily hardened against the risk of internal or external hacking. (App A Tier 2 Objectives and Procedures C.2 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider shall use the Level 1 guidelines from the Center for Internet Security to develop a list of prohibited or restricted functions, protocols, ports, and/or services or establish its own list, if the United States Government Configuration Baseline is not available. (Column F: CM-7, FedRAMP Baseline Security Controls)
  • Implements the configuration settings; (CM-6b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements the configuration settings; (CM-6b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements the configuration settings; (CM-6b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The system must be configured to provide only essential capabilities. (§ 5.6.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are all Operating Systems appropriately configured to protect critical data and sensitive data, e.g., disabling unnecessary services and accounts? (IT - Security Program Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • All hosts should be appropriately hardened. They should be configured to provide the minimum amount of services to users and hosts, have defaults changed, display warning banners, have auditing enabled, and log security events. (§ 3.1.2 ¶ 3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Implement the configuration settings; (CM-6b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure mandatory configuration settings are used throughout the system; configuration settings are documented; automated mechanisms are used to manage, apply, and verify configuration settings; the security settings are configured to the mos… (CM-6, CM-6(1), CM-6.8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Implements the configuration settings; (CM-6b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements the configuration settings; (CM-6b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements the configuration settings; (CM-6b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should establish the configuration settings for each system component. (SG.CM-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must fail to a known state for defined failures. (SG.SC-22 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should store the system state information when it is in failure. (SG.SC-22 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to centrally manage, apply, and verify configuration settings. (App F § CM-6(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and document mandatory configuration settings that configure the security settings of Information Technology products to the most restrictive mode consistent with Information System Operational Requirements. (App F § CM-6.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must implement the configuration settings. (App F § CM-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use standard configurations for systems, system components, and Information Technology products. (App F § SA-12(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should load and execute the operating environment from hardware-enforced, read-only media. (App F § SC-34.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must load and execute defined applications from hardware-enforced, read-only media. (App F § SC-34.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support automated mechanisms for centrally managing, applying, and verifying configuration settings. (App I § CM-6 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Establish continuous monitoring configuration settings issues and coordination sub-group. (T1000, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish a process to provide technical help to continuous monitoring mitigators. (T0995, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement the configuration settings; (CM-6b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Selection (one or more): design modification, augmentation, reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components. (SA-23 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implements the configuration settings; (CM-6b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Wherever feasible, use data encryption, in combination with host protection and access control, to protect higher-risk personal information. (Part I ¶ 10, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • Implements the configuration settings; (CM-6b., TX-RAMP Security Controls Baseline Level 1)
  • Implements the configuration settings; (CM-6b., TX-RAMP Security Controls Baseline Level 2)
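Several of the citations above describe the same cycle: establish and document mandatory configuration settings (CM-6a), implement them (CM-6b), and verify them, by automated means where possible (CM-6(1), NIST SP 800-53A). The FFIEC and NIST SP 800-61 entries spell out what a host baseline typically covers: minimum services, changed defaults, a warning banner, auditing enabled, and least privilege. The following Python script is an added example, not part of any cited standard or of this control's text, that shows the verify step as code: a documented baseline is compared against an observed host state and every deviation is reported as a finding. The baseline values, service names, account names and the sshd_config and passwd excerpts are all constructed for illustration; the sshd keywords are real OpenSSH options, but nothing here is read from a live host.

```python
"""Verify a host against a documented hardening baseline (added example).

Constructed data throughout: BASELINE, SSHD_CONFIG, RUNNING_SERVICES and
PASSWD are illustrative, not collected from a real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    control: str   # baseline item identifier (constructed scheme)
    detail: str


# The "establish and document" half of CM-6: the most restrictive settings
# consistent with the host's job, written down so they can be checked.
BASELINE = {
    "allowed_services": {"sshd", "chronyd", "rsyslog", "auditd"},   # minimum services
    "required_services": {"auditd", "rsyslog"},                     # auditing and logging on
    "sshd": {                                                       # changed defaults + banner
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "Banner": "/etc/issue.net",
        "X11Forwarding": "no",
    },
    "forbidden_accounts": {"guest"},                                # default accounts removed
    "max_uid0_accounts": 1,                                         # least privilege
}

# Constructed sshd_config excerpt. Note the duplicate PasswordAuthentication
# line and the Match block: both are traps for naive checkers.
SSHD_CONFIG = """\
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
#Banner /etc/issue.net
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""

RUNNING_SERVICES: Set[str] = {"sshd", "chronyd", "rsyslog", "telnet", "cups"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
svc_app:x:1002:1002::/srv/app:/usr/sbin/nologin
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global sshd options, keywords lower-cased.

    Mirrors sshd's own rules: full-line comments are skipped, the FIRST
    occurrence of a keyword wins, and everything from the first Match block
    onward is conditional, so it is not part of the global state.
    """
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, val)
    return opts


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uid, shell) for each well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            entries.append((parts[0], int(parts[2]), parts[6]))
    return entries


def verify(baseline: dict, sshd: Dict[str, str], running: Set[str],
           accounts: List[Tuple[str, int, str]]) -> List[Finding]:
    """The 'verify' half of CM-6: every deviation from the baseline is a finding."""
    findings: List[Finding] = []
    for svc in sorted(running - baseline["allowed_services"]):
        findings.append(Finding("SVC-01", f"unauthorized service running: {svc}"))
    for svc in sorted(baseline["required_services"] - running):
        findings.append(Finding("SVC-02", f"required service not running: {svc}"))
    for key, want in baseline["sshd"].items():
        got = sshd.get(key.lower())
        if got is None:
            # Unset means the compiled-in default applies, which the baseline
            # does not accept; "Banner" defaults to none, for example.
            findings.append(Finding("SSH-01", f"{key} not set; baseline requires {want!r}"))
        elif got.lower() != want.lower():
            findings.append(Finding("SSH-01", f"{key} is {got!r}; baseline requires {want!r}"))
    names = {name for name, _, _ in accounts}
    for acct in sorted(baseline["forbidden_accounts"] & names):
        findings.append(Finding("ACCT-01", f"forbidden account present: {acct}"))
    uid0 = sorted(name for name, uid, _ in accounts if uid == 0)
    if len(uid0) > baseline["max_uid0_accounts"]:
        findings.append(Finding("ACCT-02", f"{len(uid0)} UID 0 accounts ({', '.join(uid0)}); "
                                           f"baseline allows {baseline['max_uid0_accounts']}"))
    return findings


def audit_sample_host() -> List[Finding]:
    """Run the verifier over the constructed sample host."""
    return verify(BASELINE, parse_sshd_config(SSHD_CONFIG), RUNNING_SERVICES, parse_passwd(PASSWD))


if __name__ == "__main__":
    for f in audit_sample_host():
        print(f"[{f.control}] {f.detail}")
```

Two details matter when turning a documented baseline into a check. First, the verifier compares observed state against the documented value rather than against a hard-coded "good" value, so the baseline document and the check cannot drift apart. Second, the sshd parser follows the daemon's actual precedence rules (first occurrence wins, Match blocks are conditional); a checker that takes the last occurrence would pass the sample host on PasswordAuthentication even though the effective setting is still "yes". Against the sample data the script reports two unauthorized services, one missing required service, three sshd deviations, one forbidden account and one extra UID 0 account.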