Commercially Reasonable Cyber Security in 169 Questions - By Tom Brennan
Mature organizations want to manage to "best practice" so that they can be proactive about the technical risks they face. Below are 169 questions to start that discussion; just like eating an elephant, you have to take it one bite at a time.
Do you remove sensitive data or systems not regularly accessed by your organization from the network?
Are these systems only used as stand-alone systems (disconnected from the network) by the business unit for occasional use?
Can these systems be completely virtualized and powered off until needed?
Do you utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices?
Do you establish and maintain an overall data classification scheme for the enterprise?
Do you document data flows? Does your data flow documentation include service provider data flows, and is it based on your data management process?
Do you use enterprise software that can configure systems to allow the use of specific devices if USB storage devices are required? Do you maintain an inventory of such devices?
Do you encrypt all sensitive information in transit?
Do you encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into your operating system, in order to access the information?
Do you segment the network based on the label or classification level of the information stored on the servers and locate all sensitive information on separated Virtual Local Area Networks (VLANs)?
Do you use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system?
Do you enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring)?
Do you maintain documented, standard security configuration standards for all authorized operating systems and software?
Do you maintain a standard, documented security configuration standard for all authorized network devices?
Do you automatically lock workstation sessions after a standard period of inactivity?
Do you ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system?
Do you apply host-based firewalls or port filtering tools on end systems with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed?
Do you securely manage enterprise assets and software?
Do you change all default passwords, before deploying any new asset, to values consistent with administrative-level accounts?
Do you uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function?
Do you configure trusted DNS servers on enterprise assets?
Do you enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices? For laptops, do you allow no more than 20 failed authentication attempts? For tablets and smartphones, do you allow no more than ten failed authentication attempts?
Do you remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate?
Do you ensure separate enterprise workspaces are used on mobile end-user devices, where supported?
Do you maintain an inventory of all accounts organized by the authentication system?
Do you use passwords that are unique to each system for accounts where multi-factor authentication is not supported (such as local administrator, root, or service accounts)?
Do you automatically disable dormant accounts after a set period of inactivity?
Do you ensure that all users with administrative account access use a dedicated or secondary account for elevated activities?
Do you only use this account for administrative operations and not internet browsing, email, or similar events?
Do you establish and maintain an inventory of service accounts? Does your inventory, at a minimum, contain the department owner, review date, and purpose? Do you perform service account reviews to validate all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently?
Do you configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems?
Do you establish and follow a process for granting access to enterprise assets upon new hire, rights grant, or user role change?
Do you establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor?
Do you disable these accounts instead of deleting them, in order to preserve audit trails?
Do you require all externally-exposed enterprise or third-party applications to enforce MFA, where supported?
Do you require all remote login access to your organization's network to encrypt data in transit and use multi-factor authentication?
Do you use multi-factor authentication and encrypted channels for all administrative account access?
Do you maintain an inventory of each of your organization's authentication systems, including those located onsite or at a remote service provider?
Do you centralize access control for all enterprise assets through a directory service or SSO provider?
Do you define and maintain role-based access control by determining and documenting the access rights necessary for each role within the enterprise to carry out its assigned duties successfully?
Do you establish and maintain a documented vulnerability management process for enterprise assets?
Do you utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities?
Do you deploy automated software update tools to ensure that the operating systems are running the most recent security updates provided by the software vendor?
Do you deploy automated software update tools to ensure that third-party software on all systems are running the most recent security updates provided by the software vendor?
Do you perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested?
Do you utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on your network on a weekly or more frequent basis to identify all potential vulnerabilities on your organization's systems?
Based on your remediation process, do you remediate any detected vulnerabilities in software through processes and tooling on a monthly or more frequent basis?
Do you establish and maintain an audit log management process that defines the enterprise's logging requirements? At a minimum, do you address the collection, review, and retention of audit logs for enterprise assets?
Do you ensure that local logging has been enabled on all systems and networking devices?
Do you ensure that all systems that store logs have adequate storage space for the logs generated?
Do you use at least three synchronized time sources from which all servers and network devices retrieve time information regularly so that timestamps in logs are consistent?
Do you enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements?
Do you enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains?
Do you log all URL requests from each of your organization's systems, whether onsite or on a mobile device, to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems?
Do you enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash?
Do you ensure that appropriate logs are being aggregated to a central log management system for analysis and review?
Do you retain audit logs across enterprise assets for a minimum of 90 days?
Do you review the logs to identify anomalies or abnormal events on a regular basis?
Do you collect service provider logs where supported?
Do you ensure that only fully supported web browsers and email clients are allowed to execute in your organization, ideally only using the latest version of the browsers and email clients provided by the vendor?
Do you use DNS filtering services to help block access to known malicious domains?
Do you have enforced network-based URL filters that limit a system's ability to connect to websites not approved by the organization?
Do you have enforced filtering for each of the organization's systems, whether they are physically at an organization's facilities or not?
Do you uninstall or disable any unauthorized browser or email client plugins or add-on applications?
Do you implement a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy and verification to lower the chance of spoofed or modified emails from valid domains?
Do you start by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards?
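As an added example (not part of the original checklist), the script below parses SPF and DMARC TXT records and flags the weak settings the two questions above are about: a "+all" or "~all" SPF terminator, a DMARC policy of "p=none", and missing aggregate reporting. The domain names and records are constructed samples; in practice you would feed it the TXT records fetched for the domain and for _dmarc.<domain>.

```python
"""Assess SPF and DMARC TXT records for weak email-authentication settings.

Added example, not from the original checklist. The records below are
constructed samples for hypothetical domains, not live DNS data.
"""
import re

# Constructed sample records (hypothetical domains under .test).
SAMPLE_RECORDS = {
    "example-strong.test": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; adkim=s; aspf=s",
    },
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mail.test ~all",
        "dmarc": "v=DMARC1; p=none; pct=100",
    },
    "example-missing.test": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value, or None if absent."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier ('+', '-', '~', '?') on the SPF 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-+~?]?)all(?:\s|$)", record.lower())
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' means '+all' (pass) per RFC 7208


def assess_domain(spf, dmarc):
    """Return a list of findings describing weak email-authentication settings."""
    findings = []
    qual = spf_all_qualifier(spf)
    if qual is None:
        findings.append("SPF: no record or no 'all' mechanism")
    elif qual == "+":
        findings.append("SPF: '+all' authorizes every sender")
    elif qual in ("~", "?"):
        findings.append(f"SPF: soft '{qual}all' does not cause rejection")
    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("DMARC: no record published")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, never blocks")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognized policy '{policy}'")
        if "rua" not in tags:
            findings.append("DMARC: no aggregate reporting (rua) address")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: policy applies to only {tags['pct']}% of mail")
    return findings


def assess_all(records):
    """Assess every domain in the mapping; returns {domain: findings}."""
    return {d: assess_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["OK"])
```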
Do you block all e-mail attachments entering your organization's e-mail gateway if the file types are unnecessary for your business?
Do you deploy and maintain email server anti-malware protections, such as attachment scanning or sandboxing?
Do you deploy and maintain anti-malware software on all enterprise assets?
Do you ensure that your organization's anti-malware software updates its scanning engine and signature database on a regular basis?
Do you configure devices to not auto-run content from removable media?
Do you configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected?
Do you enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or do you deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables?
Do you utilize centrally managed anti-malware software to continuously monitor and defend each of your organization's workstations and servers?
Do you use behavior-based anti-malware software?
Do you establish and maintain a data recovery process? Do you address the scope of data recovery activities, recovery prioritization, and the security of backup data?
Do you ensure that all system data is automatically backed up on a regular basis?
Do you ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network?
Does this include remote backups and cloud services?
Do you ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls?
Do you test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working?
Do you install the latest stable version of any security-related updates on all network devices?
Do you maintain an inventory of authorized wireless access points connected to the wired network?
Do you manage all network devices using multi-factor authentication and encrypted sessions?
Do you maintain an up-to-date inventory of all your organization's network boundaries?
Do you centralize network AAA?
Do you ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication?
Do you require users to authenticate to enterprise-managed VPN and authentication services before accessing enterprise resources on end-user devices?
Do your administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access?
Do you segment this device from your primary network, deny it Internet access, and refrain from using it for reading e-mail, composing documents, or browsing the Internet?
Do you deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation and analysis?
Do you deploy a host-based intrusion detection solution on enterprise assets, where appropriate and supported?
Do you deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of your organization's network boundaries?
Do you enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities?
Do you scan all enterprise devices remotely logging into your organization's network prior to accessing the network to ensure that each of your organization's security policies has been enforced in the same manner as local network devices?
Do you enable the collection of NetFlow and logging data on all network boundary devices?
Do you deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and supported?
Do you deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of your organization's network boundaries?
Do you utilize the port level access control, following 802.1x standards, to control which devices can authenticate to your network?
Do you tie the authentication system into the hardware asset inventory data to ensure only authorized devices can connect to your network?
Do you ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections?
Do you tune your SIEM system to better identify actionable events and decrease event noise on a regular basis?
Do you create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of your organization?
Is your organization's security awareness program communicated in a continuous and engaging manner?
Do you train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls?
Do you train workforce members on the importance of enabling and utilizing secure authentication?
Do you train workforce on how to identify and properly store, transfer, archive, and destroy information?
Do you train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email?
Do you train employees to be able to identify the most common indicators of an incident and be able to report such an incident?
Do you train the workforce to verify and report out-of-date software patches or any failures in automated processes and tools? Does the training include notifying IT personnel of any failures in automated processes and tools?
Do you train workforce members on the dangers of connecting to and transmitting data over insecure networks for enterprise activities? Does the training include guidance for remote workers to ensure that they securely configure their home network infrastructure?
Do you deliver training to address any identified skills gap, so as to positively impact workforce members' security behavior?
Do you establish and maintain an inventory of service providers? Does the inventory list all known service providers, include classification(s), and designate an enterprise contact for each service provider?
Do you establish and maintain a service provider management policy? Do you ensure the policy addresses service providers' classification, inventory, assessment, monitoring, and decommissioning?
Do you classify service providers?
Do you ensure service provider contracts include security requirements consistent with your service provider management policy?
Do you assess service providers consistent with the enterprise's service provider management policy?
Do you monitor service providers consistent with the enterprise's service provider management policy?
Do you securely decommission service providers?
Do you establish secure coding practices appropriate to the programming language and development environment being used?
Do you establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group?
Do you perform root cause analysis on security vulnerabilities?
Do you verify that the version of all software acquired from outside your organization is supported by the developer or appropriately hardened based on developer security recommendations?
Do you only use up-to-date and trusted third-party components for the software developed by your organization?
Do you establish and maintain a severity rating system and process for application vulnerabilities that facilitates the prioritization order for fixing discovered vulnerabilities? Do you set a minimum level of security acceptability for releasing code or applications?
Do you use standard hardening configuration templates for applications that rely on a database? Do you test all systems that are part of critical business processes?
Do you maintain separate environments for production and nonproduction systems? Do you ensure developers do not have unmonitored access to production environments?
Do you ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities?
Do you ensure that explicit error checking for in-house developed software is performed and documented for all input, including for size, data type, and acceptable ranges or formats?
Do you only use standardized and extensively reviewed encryption algorithms?
Do you apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software?
Do you conduct application penetration testing?
Do you conduct threat modeling?
Do you designate management personnel, as well as backups, who support the incident handling process by acting in key decision-making roles?
Do you assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners?
Do you devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and do you include this kind of information in the incident notification?
Do you ensure that there are written incident response plans that define the roles of personnel as well as phases of incident handling/management?
Do you assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident and to resolution?
Do you determine which primary and secondary mechanisms will be used to communicate and report during a security incident?
Do you plan and conduct routine incident response exercises and scenarios for the workforce involved in incident response, to maintain awareness and comfort in responding to real-world threats?
Do you test the exercises' communication channels, decision making, and incident responders' technical capabilities using the tools and data available to them?
Do you conduct post-incident reviews?
Do you create incident scoring and prioritization schema based on the known or potential impact on your organization?
Do you utilize incident scoring to define the frequency of status updates and escalation procedures?
Do you establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks?
Do you perform periodic external penetration tests based on program requirements, no less than annually?
Do you remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization?
Do you validate security measures after each penetration test? If deemed necessary, do you modify rulesets and capabilities to detect the techniques used during testing?
Do you perform periodic internal penetration tests based on program requirements, no less than annually?
Do you maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information?
Do you ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to your network?
Do you ensure that unauthorized assets are either removed from your network or quarantined, or the inventory is updated in a timely manner?
Do you utilize an active discovery tool to identify devices connected to your organization's network and update the hardware asset inventory?
Do you use the Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update your organization's hardware asset inventory?
Do you utilize a passive discovery tool to identify devices connected to your organization's network and automatically update the organization's hardware asset inventory?
Do you maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system?
Do you ensure that only software applications or operating systems currently supported by the software's vendor are added to your organization's authorized software inventory?
Do you ensure that unauthorized software is either removed, or the inventory is updated in a timely manner?
Do you utilize software inventory tools throughout your organization to automate the documentation of all software on business systems?
Do you utilize application whitelisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets?
Do you ensure that your organization's application whitelisting software allows only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) to load into a system process?
Do you ensure that your organization's application whitelisting software allows only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) to run on a system?
Do you establish and maintain a data management process? In the process, do you address data sensitivity, data owner, data handling, data retention limits, and disposal requirements based on sensitivity and retention standards for the enterprise?
Do you maintain an inventory of all sensitive information stored, processed, or transmitted by your organization's technology systems, including those located onsite or at a remote service provider?
Do you protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists?
Do these control lists enforce the principle that only authorized individuals should have access to the information based on their need to access the data as a part of their responsibilities?
Do you retain data according to the enterprise's data management process? Does your data retention include both minimum and maximum timelines?
These are just some of the things that need to be considered for your business to demonstrate commercially reasonable security controls. Second, we have to look at the maturity of those controls, ultimately arriving at a score. For more information, talk to a member of our team. Call 973-298-1160 today and become proactive about the risks you face.