Feb 06, 2018


State of California - Independent Security Assessment (ISA) Version 2.1

Authorization Code IA17-18-ISA-

Assessment Dates: - Delivered by: California Military Department | Cyber Network Defense Team

Entity: () Phase: 2

Access Control (AC)

2.08.1 Logical Verification - Least Privilege of Key Hosts AC-6(5)

The Principle of Least Privilege requires that provisioned user-level and privileged-level access rights be separated between two or more distinct accounts (as applicable). The assessment selects a random subset of hosts performing the functions listed below within the entity enterprise and checks the privileged roles / rights provisioned on each target host for user-level accounts:

% Random Hosts / Role:
- 10% / Domain Member Servers
- 10% / System or Network Administrator workstations
- 30% / Standard Workstations
- 20% / Executive Laptops
- 30% / Standard Notebook / Laptops

I – No assessed host has a user-level account provisioned within a privileged role / right

P – Between 1 and 3 assessed hosts contain 1 or more user-level accounts provisioned within privileged roles / rights. Note: If task 2.09.1 is scored "N", the highest score possible on this task is "P", as the intent of the check (privileged accounts distinguishable from user-level accounts) is not met.

N – 4 or more assessed hosts contain one or more user-level accounts provisioned within privileged roles / rights.

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Comp Ent Access Mgt / Prov Strategy | CISO Rpt Level: Identity and Access Mgt

Distribution Restrictions: This document contains sensitive controlled information related to government information technology. Distribution is restricted to Official Government Use Only. Content holders will ensure this content is restricted to only Government Employees and Contractors with a validated Need to Know. This report is confidential and exempt from Freedom of Information Act distribution and protected from disclosure by Public Records Act Requests pursuant to Government Code Section 6254.19 Page 1 of 29


2.08.2 Logical Verification - Least Privilege of Key Roles AC-6(1)

The Principle of Least Privilege requires that provisioned user-level and privileged-level access rights be separated between two or more distinct accounts (as applicable). The task reviews a selected subset of privileged roles within the entity's enterprise to determine whether standard user-level accounts are present in them:

- Enterprise Administrators
- Domain Administrators
- DNS Administrators
- Group Policy Creators
- Account Operators
- Backup Operators
- Root (2 random applicable hosts)
- Sudoers (2 random applicable hosts)

I – None of the assessed privileged roles contains a user-level account

P – N/A. This is a Compliant / Non-Compliant measured standard

N – 1 or more of the assessed privileged roles contains user-level accounts

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Comp Ent Access Mgt / Prov Strategy | CISO Rpt Level: Identity and Access Mgt


2.09.1 Access Control - User Account Privileged Role Separation Validation AC-6(2)

The entity demonstrates separate account provisioning for privileged roles as part of its Principle of Least Privilege management. This task specifically checks for a process or indicator that allows privileged-role accounts to be uniquely identified when viewing user-level accounts. This is validated by a distinct, standardized naming convention for privileged accounts that differs from the one used for user accounts.

I – Entity demonstrates a process that uniquely distinguishes privileged accounts from user-level accounts

P – N/A. This is a Compliant / Non-Compliant measured standard

N – Entity privileged account names are not standardized
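As an added example (not part of the ISA or its assessment team's tooling), the following Python script performs the checks behind tasks 2.08.1, 2.08.2 and 2.09.1 on constructed artifacts: it expands nested Active Directory group membership for the listed privileged roles, resolves the principals granted sudo in a Linux sudoers file (including %group entries, through /etc/group), and flags every member that does not follow the privileged-account naming convention. The naming convention (an adm- or svc- prefix), the group export, and the sudoers and group file contents are all assumptions standing in for the entity's own; in practice the membership export would come from the directory and the files from the sampled hosts. Who holds the root credential itself (the Root role) is not visible in these artifacts and must be checked separately.

```python
"""Audit privileged roles for user-level accounts (ISA tasks 2.08.1, 2.08.2, 2.09.1).
Added example with constructed data; the naming convention is an assumption."""
import re

# Assumed convention (task 2.09.1): privileged / service accounts carry an
# 'adm-' or 'svc-' prefix. Replace with the entity's own convention.
PRIVILEGED_NAME = re.compile(r"^(adm|svc)-[a-z0-9.]+$", re.IGNORECASE)
BUILTIN_PRIVILEGED = {"root", "Administrator"}   # built-ins, not user-level

# Constructed AD-style group export (group -> direct members). A member that
# is itself a key of this dict is a nested group.
AD_GROUPS = {
    "Enterprise Admins": ["adm-rlee"],
    "Domain Admins": ["adm-jsmith", "Tier0-Ops", "jdoe"],
    "Tier0-Ops": ["adm-rlee", "Helpdesk", "Domain Admins"],  # nested, with a cycle
    "Helpdesk": ["mchan"],
    "DnsAdmins": ["svc-dns"],
    "Group Policy Creator Owners": [],
    "Account Operators": ["adm-jsmith"],
    "Backup Operators": ["svc-backup"],
}
ROLES_2_08_2 = ["Enterprise Admins", "Domain Admins", "DnsAdmins",
                "Group Policy Creator Owners", "Account Operators", "Backup Operators"]

# Constructed Linux artifacts for the Sudoers role of one sampled host.
SUDOERS = """\
# /etc/sudoers (constructed)
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
jdoe        ALL=(ALL) NOPASSWD: ALL
adm-rlee    ALL=(ALL) ALL
"""
ETC_GROUP = """\
root:x:0:
wheel:x:10:adm-rlee,mchan
users:x:100:jdoe
"""

def expand_members(group, groups, seen=None):
    """Leaf accounts of an AD group, following nested groups and tolerating
    membership cycles (which do occur in real directories)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    leaves = set()
    for member in groups.get(group, []):
        if member in groups:
            leaves |= expand_members(member, groups, seen)
        else:
            leaves.add(member)
    return leaves

def sudo_principals(sudoers_text, etc_group_text):
    """Accounts granted sudo: explicit user specs plus members of %group specs,
    resolved through /etc/group. Defaults and alias definitions are skipped."""
    group_members = {}
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            group_members[fields[0]] = [m for m in fields[3].split(",") if m]
    accounts = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        principal = line.split()[0]
        if principal.startswith("%"):
            accounts.update(group_members.get(principal[1:], []))
        else:
            accounts.add(principal)
    return accounts

def user_level_accounts(accounts, pattern=PRIVILEGED_NAME):
    """Role members that do not follow the privileged naming convention,
    i.e. user-level accounts that should not hold the role."""
    return sorted(a for a in accounts
                  if a not in BUILTIN_PRIVILEGED and not pattern.match(a))

def audit_roles(groups=AD_GROUPS, roles=ROLES_2_08_2,
                sudoers=SUDOERS, etc_group=ETC_GROUP):
    """Map each assessed privileged role to the user-level accounts found in it."""
    findings = {}
    for role in roles:
        bad = user_level_accounts(expand_members(role, groups))
        if bad:
            findings[role] = bad
    bad = user_level_accounts(sudo_principals(sudoers, etc_group))
    if bad:
        findings["Sudoers"] = bad
    return findings

def score_2_08_2(findings):
    """Task 2.08.2 is compliant / non-compliant: any finding scores N."""
    return "N" if findings else "I"
```

On the constructed data, Domain Admins picks up jdoe directly and mchan through two levels of nesting, and the sudoers file grants jdoe and (via %wheel) mchan full sudo, so 2.08.2 scores N. The nested-group expansion is the part assessors most often skip: a directory whose privileged roles look clean at the first level can still contain user-level accounts several groups deep. Because the whole method relies on the naming convention from 2.09.1, an entity without one cannot be audited this way, which is why 2.08.1 caps at P when 2.09.1 scores N.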

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Comp Ent Access Mgt / Prov Strategy | CISO Rpt Level: Endpoint Security


2.11.1 FIPS Validation of VPN Encryption Implementation AC-17(2), SC-7(4), SAM 5360.1

Entities with Virtual Private Networking (VPN) connections are required to demonstrate that their configuration and implementation meet the requirements of FIPS 140-2 if the VPN is:

- Used in a point-to-point solution for the protection of communications between two separate networks
- Used for remote access to internal, non-public resources
- Leveraging a 3rd party remote access solution (e.g. Citrix Receiver, VMware Horizon, or other similar solutions)

Note: If the entity does not use VPN within the enterprise, as validated by firewall / router configuration analysis, this task is scored "I".

I – All entity VPN / 3rd party remote access connections are configured to approved FIPS 140-2 standards

P – All entity VPN / 3rd party remote access connections are configured to use encryption, but do not meet the approved FIPS 140-2 standard

N – One or more interconnections, remote access solutions, or 3rd party remote access implementation are not encrypted; or fail multiple requirements of FIPS 140-2
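As an added example (not the ISA's own tooling), the following Python code screens VPN proposals against an allow-list of FIPS-approved algorithms. The input is a constructed inventory of connections written in a compact enc-integ-dh proposal notation (the form strongSwan uses, e.g. aes256-sha256-modp2048); the connection names, the proposals and the allow-list itself are assumptions and should be replaced with the algorithms listed as approved on the CMVP certificate of the entity's actual VPN product. One caveat the task wording implies but does not spell out: approved algorithms are necessary but not sufficient for FIPS 140-2, which additionally requires a CMVP-validated cryptographic module operating in its FIPS mode. A connection is rated by its weakest offered proposal, because a peer can negotiate down to it.

```python
"""Screen VPN proposals against FIPS-approved algorithms (ISA task 2.11.1).
Added example with constructed data; proposals are enc-integ-dh strings and the
allow-lists are assumptions to be replaced by the product's CMVP-approved modes."""

# Assumed FIPS 140-2 Annex A / SP 800-131A approved algorithms (2018 view).
APPROVED = {
    "enc": {"aes128", "aes192", "aes256"},
    "integ": {"sha1", "sha256", "sha384", "sha512"},  # HMAC-SHA-1 remains approved
    "dh": {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521"},
}
DEPRECATED_ENC = {"3des"}   # still allowed in 2018 but deprecated: remark, not fail
NULL_ENC = {"null"}         # ESP with no confidentiality at all

# Constructed connection inventory: name -> proposals the gateway will accept.
CONNECTIONS = {
    "site-to-site-hq": ["aes256-sha256-modp2048", "aes256-sha384-ecp384"],
    "remote-access-staff": ["aes128-sha1-modp2048", "3des-sha1-modp1024"],
    "legacy-partner": ["null-md5-modp1024"],
}

RANK = {"approved": 0, "deprecated": 1, "non-approved": 2, "unencrypted": 3}


def classify_proposal(proposal):
    """Return (status, reasons) for one proposal; status is a key of RANK."""
    parts = proposal.lower().split("-")
    if len(parts) != 3:
        return "non-approved", [f"unparseable proposal '{proposal}'"]
    enc, integ, dh = parts
    if enc in NULL_ENC:
        return "unencrypted", ["null encryption"]
    reasons = []
    if enc not in (APPROVED["enc"] | DEPRECATED_ENC):
        reasons.append(f"encryption {enc} not approved")
    if integ not in APPROVED["integ"]:
        reasons.append(f"integrity {integ} not approved")
    if dh not in APPROVED["dh"]:
        reasons.append(f"DH group {dh} not approved")
    if reasons:
        return "non-approved", reasons
    if enc in DEPRECATED_ENC:
        return "deprecated", [f"encryption {enc} is deprecated"]
    return "approved", []


def weakest(proposals):
    """A connection is only as strong as the weakest proposal it accepts,
    because the peer (or an attacker forcing a downgrade) can select it."""
    return max((classify_proposal(p) for p in proposals), key=lambda r: RANK[r[0]])


def score_2_11_1(connections):
    """I: all approved; P: all encrypted but some non-approved; N: any unencrypted.
    Returns (score, {connection: status})."""
    statuses = {name: weakest(props)[0] for name, props in connections.items()}
    if "unencrypted" in statuses.values():
        return "N", statuses
    if "non-approved" in statuses.values():
        return "P", statuses
    return "I", statuses


if __name__ == "__main__":
    score, statuses = score_2_11_1(CONNECTIONS)
    for name, status in statuses.items():
        reasons = weakest(CONNECTIONS[name])[1]
        print(f"{name}: {status} ({'; '.join(reasons) or 'ok'})")
    print("2.11.1 score:", score)
```

On the constructed inventory the staff remote-access profile is dragged down to non-approved by its fallback 3des-sha1-modp1024 proposal (1024-bit DH is below the 112-bit security floor), and the legacy partner tunnel offering null encryption makes the whole task N; removing that one connection yields P.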

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Network Admission Control | CISO Rpt Level: Network Security


Audit and Accountability (AU)

2.05.1 Entity Log Generation and Retention AU-12, SAM 5335.2

Entity generates and retains the following minimum key audit logs for a period of 6 months or longer (combined logs are acceptable):

- DNS Ingress / Egress
- File Server Object Access
- Web Usage (proxy)
- Domain Controller Events
- Firewall Events
- IDS / IPS Events (must be logged, but exempt from the minimum retention period due to size, per CISO)

I – Entity retains log entries for all 5 of the required log types (IDS / IPS events are exempt from the retention minimum) for a minimum of 6 months

P – Entity retains between 3 and 4 of the required log types for a period of 6 months, OR all 5 log types are retained for a period between 3 and 5 months

N – Either fewer than 3 of the required log types are retained, OR the retention period is less than 3 months for one or more of the log types

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Exposure & Intrusion Detect / Prevent Capabilities | CISO Rpt Level: Security Analytics & Cont. Mon


Awareness and Training (AT)

2.04.2 React to Active Phishing Campaign - Practice Exercise AT-2(1), CA-8(2)

Entity provides a minimum of 100 user accounts (including 3 executive and 3 privileged users) scheduled to be on site during the assessment period to participate in an unannounced simulated phishing exercise:

- Entity provides the content required for the external phishing assessment, as specified by the assessment team
- Entity coordinates with its email administrator / provider to whitelist the test domain (as required)
- Entity maintains the confidentiality of the phishing exercise, including refraining from the following actions:
  - Alerting selected users to the exercise
  - Sending alerts related to the event to users during the exercise
  - Opening a Cal-CSIRS event (unless designed as an ISA exercise; no action required)

Minimum Artifact Requirement: Report of the users phished, by-user results, and date of attempt. If passwords are acquired, they are redacted from the report for security purposes.

I – Fewer than 10% of phishing participants clicked the link and/or provided credentials

P – Between 10.01% and 15% of phishing participants clicked the link and/or provided credentials

N – More than 15% of phishing participants clicked the link and/or provided credentials

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Awareness Tng | CISO Rpt Level: Security Governance


2.04.3 Penetration Test - Phishing Attack (Malicious Link/Payload Simulation) AT-2(1)

Entity reacts to a targeted phishing attack: it detects and takes action to prevent any unauthorized external foothold or unauthorized remote access to network resources. Permitted actions for this task exclude removal of the email and notification of employees; other logical protections, such as net-blocks, binary removal from individual hosts, and local malware analysis as applicable under the entity's incident response plan, are allowed.

I – The event does not achieve the following: a user clicks or takes other action that directly results in an unauthorized external foothold or remote access to network resources

P – Remote access or an unauthorized foothold is achieved, detected, reported to the ISA Team leader, and terminated by the entity within 60 minutes of establishment by the threat actor

N – Remote access or an unauthorized foothold is achieved but is not reported to the ISA Team leader within 60 minutes of launch, or is not terminated by the entity within the 60-minute period

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Awareness Tng | CISO Rpt Level: Security Governance


Configuration Management (CM)

2.08.3 Baseline Image Security Configuration and Analysis CM-2

Measures the application of system hardening controls / settings. This standard is assessed as the percentage of compliance against the USGCB standard for the following randomly selected representative subset of hosts under entity control:

# hosts / Role:
- 1 / Domain Controller
- 3 / Application Servers
- 3 / Workstations
- 3 / Laptops

In cases where the USGCB does not have a configuration file for a particular operating system, the DISA STIG template is used.

Minimum Artifact Requirement: Detailed report of findings for each of the hosts assessed.

I – The average of the combined assessed host scores meets or exceeds 75% compliance

P – The average of the combined assessed host scores is above 50% and below 75% compliance

N – The average of the combined assessed host scores is 50% or below

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Platform-Spec Hardening Stds | CISO Rpt Level: Endpoint Security


2.09.2 Least Functionality Configuration – Excessive Port and Protocol Identification CM-7

A scan of all accessible hosts within the entity environment is conducted, recording the status of common ports on all endpoints. This task determines whether systems, based on role, are configured to allow excessive port listeners (e.g. Web / FTP servers on desktop hosts) or insecure protocol listeners (FTP, Telnet, TFTP, SNMP v1 / v2).

I – No excessive or insecure ports detected within the random subset of hosts

P – Between 1 to 3 hosts have excessive or insecure ports detected within the random subset of hosts

N – 4 or more hosts have excessive or insecure ports detected within the random subset of hosts
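As an added example (not the ISA's scanner output or tooling), the following Python script applies the task's role-based test to a constructed nmap grepable (-oG) result: each open listener on a host is compared against an assumed per-role baseline of permitted ports, and FTP, Telnet, TFTP and SNMP listeners are flagged as insecure (SNMP only when the version banner does not show v3, since a port scan alone cannot tell v1/v2c from v3). The IP addresses, roles, baseline and scan lines are all constructed; the baseline in particular should be derived from the entity's build standards.

```python
"""Role-based excessive / insecure listener check (ISA task 2.09.2).
Added example: parses a constructed nmap grepable (-oG) result and compares each
host's open listeners with an assumed per-role baseline."""
import re
from collections import defaultdict

# Listeners the task treats as insecure. SNMP is insecure for v1/v2c; a scan
# alone cannot distinguish versions, so only a banner showing v3 clears it.
INSECURE_SERVICES = {"ftp", "telnet", "tftp", "snmp"}

# Assumed per-role baseline of permitted listeners (proto, port). Derive the
# real one from the entity's build standards.
ALLOWED_PORTS = {
    "workstation": {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389)},
    "member-server": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 135),
                      ("tcp", 139), ("tcp", 445), ("tcp", 3389), ("tcp", 5985),
                      ("udp", 161)},
}
# Constructed asset inventory: ip -> role.
INVENTORY = {
    "10.0.1.5": "workstation", "10.0.1.6": "workstation",
    "10.0.2.10": "member-server", "10.0.2.11": "member-server",
    "10.0.2.12": "member-server",
}
# Constructed nmap -oG output (tabs separate the fields on a Host line).
NMAP_GREPABLE = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.1.6 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///
Host: 10.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///, 161/open/udp//snmp//SNMPv1 server/
Host: 10.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/filtered/tcp//https///
Host: 10.0.2.12 ()\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp//SNMPv3 server/
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)")
# Each -oG port entry is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/[^/,]*/([^/,]*)/[^/,]*/([^/]*)/")


def parse_grepable(text):
    """{ip: [(proto, port, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        for port, state, proto, service, version in PORT_RE.findall(ports):
            if state == "open":
                hosts[ip].append((proto, int(port), service, version))
    return dict(hosts)


def evaluate_host(listeners, role):
    """Findings for one host: insecure protocol listeners, then listeners
    outside the role's baseline (excessive). Unknown roles have no baseline."""
    allowed = ALLOWED_PORTS.get(role, set())
    findings = []
    for proto, port, service, version in listeners:
        if service in INSECURE_SERVICES and not (service == "snmp" and "v3" in version.lower()):
            findings.append(f"insecure {service} {proto}/{port}")
        elif (proto, port) not in allowed:
            findings.append(f"excessive {service or proto}/{port} on {role}")
    return findings


def assess(text=NMAP_GREPABLE, inventory=INVENTORY):
    """{ip: findings} for hosts with at least one finding."""
    results = {}
    for ip, listeners in parse_grepable(text).items():
        findings = evaluate_host(listeners, inventory.get(ip, "unknown"))
        if findings:
            results[ip] = findings
    return results


def score_2_09_2(results):
    """I: no hosts with findings; P: 1 to 3 hosts; N: 4 or more."""
    hosts = len(results)
    return "I" if hosts == 0 else "P" if hosts <= 3 else "N"


if __name__ == "__main__":
    found = assess()
    for ip, findings in found.items():
        print(f"{ip} ({INVENTORY.get(ip, 'unknown')}): {'; '.join(findings)}")
    print("2.09.2 score:", score_2_09_2(found))
```

On the constructed scan, the second workstation is flagged for both an excessive web listener and an insecure FTP listener, one server for SNMPv1 and another for Telnet, while the server with an SNMPv3 banner and the clean workstation produce nothing: three hosts with findings, so the task scores P. Hosts missing from the inventory get an empty baseline, so every listener on an unlisted host is reported as excessive, which is the behaviour you want for a host nobody owns.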

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Platform-Spec Hardening Stds | CISO Rpt Level: Endpoint Security


2.13.1 Boundary Protection – Prohibit Use of Insecure Management Protocols / Access CM-7, SC-7(15)

The entity perimeter firewall (entity or parent-activity managed, as applicable) must restrict insecure protocol usage on the management interface to prevent unauthorized access and information leakage. Insecure protocols for the purposes of this task include:

- HTTP
- Telnet
- SNMP v1 / v2

Minimum Artifact Requirement: Include a formal report of the device management configuration; highlight any insecure protocol usage to the entity in a formal report.

I – The management port is configured to prohibit the use of the insecure protocols

P – Management port is configured to prohibit listed insecure protocols from external networks, but allows one of the listed protocols from a protected internal subnet

N – Management port allows either two or more insecure protocols from an internal subnet or any of the insecure protocols from the external network

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Platform-spec Build Stds | CISO Rpt Level: Endpoint Security


Identification and Authentication (IA)

2.10.1 Access Control - Account Testing IA-5(1)

This task assesses the configuration enforced at the directory / authenticator level for all account types within the enterprise. All accounts must meet the following minimum authenticator requirements:

- Minimum length: 8
- Entropy: requires 3 of 4 complexity types (upper, lower, numeric, and special characters)
- Maximum lifetime: 6 months
- Reuse restriction: 10 prior passwords
- Lockout: account locks on the 5th failed attempt

I – Entity implementation meets or exceeds all task standards

P – Entity implementation meets the length, entropy, and lockout requirements but fails one or more of the remaining requirements

N – Entity implementation fails to meet one or more of the length, entropy, or lockout requirements, and 1 or more other requirements

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Comp Ent Access Mgt / Prov Strategy | CISO Rpt Level: Identity and Access Mgt


Risk Assessment (RA)

2.12.1 Host Classification Documentation (FIPS 199) RA-2, SAM 5305.5

All hosts within the entity's control have been assessed for data classification requirements based on role and data processed, using the criteria of FIPS 199, with written documentation of:

- A minimum classification level of Moderate
- Fully documented justification for all assets rated Low
- A listing of each host in the environment by host name and classification level
- Reassessment of classification upon change of environment or every 3 years, whichever occurs first

I – Entity documentation meets all requirements identified in the task

P – Entity documentation meets at least 2 of the 4 requirements, including the by-host listing and classification

N – Entity documentation is missing 3 or more requirements

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Data Classification | CISO Rpt Level: Change Configuration Mgt


2.12.2 Host High Classification Documentation (FIPS 199) RA-3

All hosts within the entity's control have been assessed for data classification requirements to determine whether any assets meet the FIPS 199 criteria for protection at the High level:

- A review of the existing complete FIPS 199 documentation meets the standards of Task 2.12.1 and is absent of High assets
- Classification is reassessed upon change of environment or every 3 years, whichever occurs first

Minimum Artifact Requirement: A copy of the documentation for FIPS 199 assets classified at the High level must be included in the artifact submission.

I – Entity identifies High classification assets by host name; or Task 2.12.1 is scored "I" and no hosts are listed as High

P – Task 2.12.1 is scored "P" and High classification hosts are listed

N – No evidence of entity classification of High risk assets is present; or Task 2.12.1 is scored "N"

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Data Classification | CISO Rpt Level: Change Configuration Mgt


2.15.1 Continuous Monitoring (Vulnerability Scans) of Assets RA-5

Entity validates the performance of recurring authenticated vulnerability scans of all systems under its control. This task validates the presence of scans of all assets:

- At least monthly
- Vulnerability scanner signatures no more than 15 days old as of the date of assessment
- Results distributed to system owners / administrators for remediation
- AISO / ISO tracks the status of remediation efforts
- Evidence of the scan distribution requirement

Minimum Artifact Requirement: The assessment will include a best-effort vulnerability scan of all systems under the entity's control; End-of-Life operating systems will be identified to the entity; detection of security patches missing for more than 90 days will, at a minimum, be provided to the entity for review.

I – Entity provides the two consecutive prior monthly authenticated vulnerability scans of all systems; scans include detected vulnerabilities and impact ratings; signatures on the vulnerability scanner are no more than 15 days old as of the date of assessment; the assessment scan documents evidence of active remediation of security patches

P – Entity's prior authenticated vulnerability scans occur less often than monthly within the prior year; entity documents an active project to implement monthly scanning / remediation efforts; the assessment scan documents the absence of legacy security patch requirements (greater than 6 months from date of issue)

N – Entity does not have an authenticated vulnerability scanner or an in-progress project; or the assessment scan indicates that 10+ unique legacy security patches (greater than 6 months from date of issue) are required

NIST Ctrl: | Condition: | Measures: | Remarks: | Objective: | Task Score:

Comp Platform-Specific Vuln Patch Process | CISO Rpt Level: Vulnerability Mgt


Security Assessment and Authorization (CA)

2.20.1 Penetration Test - Open Source Information Acquisition through Passive

Reconnaissance (External)

CA-8(2)

Use passive reconnaissance techniques to acquire relevant and actionable information for in-scope entity assets including but not limited to:

- Network Scopes- Published Services and Resources- Utilized Technologies- Meta-Data Information Leakage- Other relevant information useful in entity targeting

I – Analysis fails to collect any of the following:
a- Meta-Data leakage of an artifact author's user name, email address, or user account in publicly posted content (e.g. doc, xls, pdf, etc.)
b- Contracting or vacancy advertisements detailing the use of specific security tools / applications / technologies
c- Individual entity user email addresses published on public or non-entity sites

P – One occurrence of any above detected condition

N - Any occurrence of two or more of the above detected conditions

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Data Privacy & Prg Enforcement
CISO Rpt Level: Data Security


2.20.2 Penetration Test - Active Entity Host / Network Reconnaissance (External) CA-8(2)

Perform active scans, service probes, and other methods of host enumeration of in-scope / unlisted external hosts for footprinting entity resources and potential weaknesses.

Minimum Required Artifact: Report detailing the findings of the IP address space; scan settings used; and results for all externally discovered hosts. Report fields must minimally include: IP, Open Ports, Suspected Operating Systems; and Logon pages for any remotely accessible peripherals detected

I – Analysis fails to collect any of the following:
a- Hosts not specifically identified (by IP and Host Name) within the Public in or out-of-scope list
b- Absence of insecure protocol listeners
c- Absence of externally exposed remote access protocols for hosts / devices
d- Absence of externally exposed peripherals, HVAC, or other devices not intended for public access / exposure

P - One occurrence of any above detected conditions

N - Any occurrence of two or more of the above detected conditions

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Exposure & Intrusion Detect / Prevent Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


2.20.3 Penetration Test - Active Entity Host / Network Reconnaissance (Internal) CA-8(2)

Perform active internal scans and direct host service interactions to footprint entity resources and potential weaknesses.

Minimum Required Artifact: Report detailing the findings of the IP address space; scan settings used; and results for all internally discovered hosts. Report fields must minimally include: IP, Open Ports, Suspected Operating System; Suspected Operating System Version; Screen captures of discovered Remote Management Screens

I – Scan results are absent of:
a- Detected insecure protocol listeners
b- Insecure remote access services to internally accessible devices
c- Acceptance of default credentials or common SNMP strings on any discovered device
d- Ability to enumerate via SMB null sessions

P - Scan results contain one of the following:
a- Absence of acceptance of default credentials in read-only mode
b- Use of common SNMP strings in read only mode
c- Ability to enumerate via SMB null sessions

N - Scan results indicate the following occurrences:
a- Presence of insecure remote access services
b- Presence of default credentials for privileged access
c- Privileged access via common SNMP strings

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Exposure & Intrusion Detect / Prevent Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


2.21.1 Penetration Test - Obtain External Foothold / Backdoor / or Unauthorized Access using Red Team Threat Actors Tactics, Techniques, and Procedures (External) CA-8(2)

Application of Red Team tactics, techniques, and procedures to achieve external penetration attempts. Methods include, but are not limited to: Remote Code Execution (RCE) of exploits; abuse of exposed services; deployment of simulated backdoors / malware; remote credential capture; or attempted privilege escalation attempts.

Minimum Required Artifact: The complete Penetration Test report to include all associated artifacts related to findings. Report must provide documentation of all partial and fully successful unauthorized access attempts; credentials (partial redaction allowed); and any non-public data acquired

I - Attempts failed to achieve any of the following conditions:
a- Successful external deployment of any non-phishing related process, code, backdoor, or modified configuration that allows unauthorized access to entity resources
b- Successful password guessing or brute-forcing resulting in remote access to entity resources
c- Successful or partially successful remote code execution on an entity resource or service that allows for partial or full unauthorized access to information or resources
d- Capture of credentials via successful external traffic capture

P - One occurrence of any of the above conditions was achieved

N - Two or more occurrences of the above conditions were achieved

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Ent Event Correlation & Eval Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


2.21.2 Penetration Test - Website / Web Application Attack Surface Exploitation (External) SA-11(3)

Red-Team identifies and probes selected in-scope website(s), web application(s) to determine potential attack opportunities. Perform research and apply analysis to craft exploits to gain unauthorized access, data exposure, or remote access to hosts.

I – Analysis of external web sites is absent of all the following:
a- Sensitive data, user credentials, or exploitable database connection information
b- Insecure configurations that result in unauthorized access
c- Changes to configuration, content, or data exfiltration

P - One occurrence of any of the above conditions

N - Two or more occurrences of the above conditions

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Secure Code Practices
CISO Rpt Level: Application Security


2.21.3 Penetration Test - Simulated Threat Actor Foothold / Insider Threat using Red-Team Tactics (Internal) CA-8(2)

Application of internal reconnaissance for targeting entity assets from an internal user network segment. Includes simulation of current Red Team tactics, techniques, and procedures including but not limited to: Remote Code Execution (RCE) of exploits; abuse of exposed services; deployment of redirectors; credential capture; unauthorized sensitive resource acquisition; and attempted privilege escalation.

Minimum Required Artifact: The complete Penetration Test report to include all associated artifacts related to findings. Report must overview the methods and techniques that were employed to simulate Red Team tactics.

I - Attempts fail to achieve any of the following conditions:

a- Successful code execution on a resource that results in partial or full privilege escalation or unauthorized access to services, storage, or data
b- Results in capture of plain-text or hashed credentials
c- Successful password guessing or access achieved through default password access

P - One occurrence of any of the above conditions

N - Two or more occurrences of any of the above conditions

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Scty Mgt Plan
CISO Rpt Level: Security Governance


2.21.5 Penetration Test - Website / Web Application Attack Surface Enumeration and Exploitation (Internal) SA-11(3)

Red-Team identifies and probes selected in-scope website(s), web application(s) to determine potential attack opportunities. Perform research and apply analysis to craft exploits to gain unauthorized access, data exposure, or remote access to hosts.

I - Analysis of internal web sites is absent of:
a- Sensitive data, user credentials, or exploitable database connection information
b- Insecure configurations that result in unauthorized access
c- Changes to configuration, content, or data exfiltration

P - One occurrence of any of the above conditions

N - Two occurrences of any of the above conditions

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Secure Code Practices
CISO Rpt Level: Application Security


System and Communications Protection (SC)

2.13.2 Boundary Protection – Validate Ingress / Egress Monitoring SC-7

Map the entity network architecture at Layer 3 to determine points of ingress / egress. Assess the mappings against the entity provided documentation to determine:

- All points of ingress / egress are documented
- All ingress / egress points traverse a firewall or IPS device
- CDT provisioned Firewalls and IPSs are excluded from this requirement; entity to provide statement of boundary protection from CDT in lieu of device assessment due to security concerns on shared enterprise devices

Minimum Artifact Requirement: Include an analysis at time of assessment of all entity Layer 3 architecture and neighboring devices via initiated discovery to validate ingress / egress points. Generate formal reporting (map or written report) as an artifact of the assessment

I – The entity provided map documents all discovered ingress/egress points; All ingress/egress points are monitored by a firewall or IPS

P – Entity documentation incomplete, but the assessment scan documents all ingress/egress points are monitored by a firewall or IPS

N – Entity documentation is incomplete or inaccurate and one or more ingress/egress points are unmonitored by a firewall or IPS. This is a Critical Finding

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Scty Mgt Plan
CISO Rpt Level: Security Governance


2.13.3 Boundary Protection – Validate rules for Deny All, Permit by Exception (DAPE) configuration SC-7(5)

Perform an analysis of the primary Boundary Protection Firewall rules sets to determine:

- Rules are implemented using a Deny All, Permit by Exception (DAPE) configuration
- Exceptions are specific to the minimum IP(s) and port(s) / protocol(s) required by role / host function
- The absence of “any” or overly porous rules between External or DMZ networks
- The overall firewall security rating score is inclusive of At-Risk Rules, Excessive Ports/Protocols, and Best Practices; security rating results are scaled from 1 - 100%

Minimum Artifact Requirement: Include a formal report analyzing all rules configured on the device; the report will document specific rules determined to include excessive ports, protocols, or hosts; ensure risky rules are specifically identified in the report

I – Entity's assessed perimeter firewall Security Rating score is 75% or greater

P – Entity's assessed perimeter firewall Security Rating score is between 50% to 75%

N – Entity's assessed perimeter firewall Security Rating score is 50% or less
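The rule review above, as an added example that is not part of the ISA or of any vendor's firewall analyzer: it walks a constructed perimeter rule set, flags “any” hosts and porous port ranges on rules touching External or DMZ zones, checks for a terminal deny-all, and maps an assumed 1-100% rating onto the task's I/P/N bands. The rule layout, the finding weights and the rating arithmetic are assumptions of this example; only the 75% / 50% thresholds come from the task.

```python
"""Deny All, Permit by Exception (DAPE) review of a perimeter firewall rule set.

Added illustration for task 2.13.3; not part of the ISA or of any vendor
firewall analyzer. The rule layout, the finding weights and the rating
arithmetic are assumptions of this example. Only the I/P/N thresholds
(75% / 50%) come from the task criteria.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"
PERIMETER_ZONES = {"external", "dmz"}
EXCESSIVE_PORT_SPAN = 100                                        # assumed: wider than this is "excessive"
WEIGHTS = {"at_risk": 15, "excessive": 8, "best_practice": 5}   # assumed penalties per finding


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str        # CIDR, host address, or "any"
    dst: str
    proto: str      # tcp / udp / icmp / any
    ports: str      # "443", "1024-65535", or "any"
    action: str     # permit / deny


@dataclass(frozen=True)
class Finding:
    rule: str
    category: str   # at_risk | excessive | best_practice
    detail: str


def port_span(ports: str) -> int:
    """Number of destination ports a rule opens."""
    if ports == ANY:
        return 65536
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
        return hi - lo + 1
    return 1


def audit_rule(rule: Rule) -> List[Finding]:
    """Flag 'any' hosts and porous port ranges on permit rules touching External or DMZ."""
    findings: List[Finding] = []
    if rule.action != "permit":
        return findings
    touches_perimeter = rule.src_zone in PERIMETER_ZONES or rule.dst_zone in PERIMETER_ZONES
    # A public web listener legitimately accepts 'any' source; an 'any' destination
    # on a perimeter rule exposes every host behind it, so only that case is at risk.
    if touches_perimeter and rule.dst == ANY:
        findings.append(Finding(rule.name, "at_risk", "'any' destination on an External/DMZ rule"))
    if rule.ports == ANY or rule.proto == ANY:
        findings.append(Finding(rule.name, "at_risk", "'any' port or protocol permitted"))
    elif port_span(rule.ports) > EXCESSIVE_PORT_SPAN:
        findings.append(Finding(rule.name, "excessive", f"{port_span(rule.ports)} ports permitted"))
    return findings


def has_terminal_deny_all(rules: List[Rule]) -> bool:
    """DAPE requires the policy to end in an explicit deny of everything not excepted."""
    last = rules[-1]
    return last.action == "deny" and last.src == ANY and last.dst == ANY and last.ports == ANY


def security_rating(rules: List[Rule]) -> Tuple[int, List[Finding]]:
    """Start at 100% and subtract the assumed weight of every finding (floor of 1%)."""
    findings = [f for rule in rules for f in audit_rule(rule)]
    if not has_terminal_deny_all(rules):
        findings.append(Finding("<policy>", "best_practice", "no terminal deny-all rule; not DAPE"))
    rating = max(1, 100 - sum(WEIGHTS[f.category] for f in findings))
    return rating, findings


def task_score(rating: int) -> str:
    """Map the rating to the task's I/P/N bands (75% is read as I, 50% as N)."""
    if rating >= 75:
        return "I"
    if rating > 50:
        return "P"
    return "N"


# Constructed sample policy; addresses are documentation ranges, not a real entity's.
SAMPLE_RULES = [
    Rule("web-inbound", "external", "dmz", ANY, "203.0.113.10", "tcp", "443", "permit"),
    Rule("dmz-to-db", "dmz", "internal", "203.0.113.10", "10.0.5.20", "tcp", "1433", "permit"),
    Rule("vendor-mgmt", "external", "internal", ANY, ANY, ANY, ANY, "permit"),
    Rule("partner-range", "external", "dmz", "198.51.100.0/24", "203.0.113.20", "tcp", "1024-65535", "permit"),
    Rule("default-deny", ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    rating, findings = security_rating(SAMPLE_RULES)
    for f in findings:
        print(f"[{f.category}] {f.rule}: {f.detail}")
    print(f"Security rating {rating}% -> task score {task_score(rating)}")
```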

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Exposure & Intrusion Detect / Prevent Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


System and Information Integrity (SI)

2.04.1 Detection and Mitigation of Network Rogue Devices SI-4

Entity deploys controls and monitors for signs of Rogue Network Devices; reacts to detected potentially unauthorized devices on the network:

- Entity deploys controls for the detection and alerting of unauthorized / rogue devices upon connection
- Network security team receives rogue device alerts and opens an event for remediation
- Network team reports incident to ISO / Security team
- Required Logical test: Assessment team connects a rogue device to a random port not provided for the assessment; waits 60 minutes to determine if the connection is detected / investigated

I – Entity detects, alerts, reports security incident, and locates potentially unauthorized device within 60 minutes of connection

P – Entity detects, alerts, but does not report occurrence or locate device within 60 minutes of connection

N – Entity does not detect, alert or fails to identify location of suspect device

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Network Admission Control
CISO Rpt Level: Network Security


2.13.4 Review IDS/IPS Event Monitoring and Escalation Process SI-4

Entity demonstrates a practice regarding IDS/IPS events that includes:

a - Routine review (daily during normally staffed hours)
b - Events rated as Moderate or higher are reviewed in accordance with entity Incident Response (IR) guidelines
c - Events are cleared or escalated for further analysis
d - Escalated events are reported in Cal-CSIRS

Minimum Artifact: Network capture of the network's primary ingress / egress to the internet; the capture should be compared to known indicators of compromise to validate event review and escalation of known malicious events. Results should be documented; delivery of the raw capture artifact is not required unless illegal / commodityware activity is detected.

I - Entity deploys an IDS/IPS at Ingress/Egress point; Events are reviewed and cleared daily during normal business hours; Escalated events are reported in Cal-CSIRS

P - Entity has deployed IDS/IPS at Ingress/Egress point, however assessed logs do not support 1 of the following actions occurring:

a - Events are reviewed and cleared daily during normal business hours
b - Escalated events are reported in Cal-CSIRS

N - Entity does not have an IDS/IPS deployed at Ingress/Egress point, or both of the following actions are not occurring based on assessed logs:

a - Events are reviewed and cleared daily during normal business hours
b - Escalated events are reported in Cal-CSIRS
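The log-based scoring described for this task, as an added example that is not part of the ISA or of any IDS product: it takes a constructed week of IDS/IPS events, checks that every Moderate-or-higher event was cleared or escalated in time and that every escalated event carries a Cal-CSIRS reference, then applies the I/P/N logic above. The event record layout, the sample events, the placeholder Cal-CSIRS references and the reading of “daily during normally staffed hours” as “by the next business day” are assumptions of this example.

```python
"""Check IDS/IPS event handling against task 2.13.4's review and escalation criteria.

Added illustration; not part of the ISA or of any IDS product. The event layout,
the sample events and the 'reviewed by the next business day' reading of
'daily during normally staffed hours' are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
REVIEW_REQUIRED_AT = SEVERITY_RANK["moderate"]     # Moderate or higher must be reviewed
VALID_DISPOSITIONS = {"cleared", "escalated"}


@dataclass(frozen=True)
class IdsEvent:
    event_id: str
    ts: datetime
    severity: str
    disposition: Optional[str]      # "cleared", "escalated", or None when untouched
    reviewed_on: Optional[date]
    csirs_ref: Optional[str]        # Cal-CSIRS report reference, expected when escalated


def next_business_day(d: date) -> date:
    """Assumed review deadline: the first weekday after the event date."""
    d += timedelta(days=1)
    while d.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def reviewed_in_time(ev: IdsEvent) -> bool:
    """An event counts as reviewed only if it was dispositioned by the deadline."""
    if ev.disposition not in VALID_DISPOSITIONS or ev.reviewed_on is None:
        return False
    return ev.reviewed_on <= next_business_day(ev.ts.date())


def unreviewed_or_late(events: List[IdsEvent]) -> List[str]:
    """Criterion a: Moderate+ events not cleared/escalated by the deadline."""
    return [ev.event_id for ev in events
            if SEVERITY_RANK[ev.severity] >= REVIEW_REQUIRED_AT and not reviewed_in_time(ev)]


def escalated_without_csirs(events: List[IdsEvent]) -> List[str]:
    """Criterion b: escalated events that never reached Cal-CSIRS."""
    return [ev.event_id for ev in events if ev.disposition == "escalated" and not ev.csirs_ref]


def evaluate(events: List[IdsEvent], ids_deployed: bool = True) -> Dict[str, object]:
    """Task logic: no IDS/IPS or both criteria failing is N, one failing is P, none is I."""
    late = unreviewed_or_late(events)
    missing = escalated_without_csirs(events)
    if not ids_deployed:
        score = "N"
    else:
        failures = int(bool(late)) + int(bool(missing))
        score = {0: "I", 1: "P", 2: "N"}[failures]
    return {"score": score, "unreviewed_or_late": late, "escalated_without_csirs": missing}


# Constructed sample log for one assessed week (5 Mar 2018 is a Monday).
# The Cal-CSIRS references are placeholders, not real report numbers.
SAMPLE_EVENTS = [
    IdsEvent("E1", datetime(2018, 3, 5, 9, 10), "high", "escalated", date(2018, 3, 5), "CSIRS-PLACEHOLDER-1"),
    IdsEvent("E2", datetime(2018, 3, 5, 11, 0), "low", None, None, None),             # below review threshold
    IdsEvent("E3", datetime(2018, 3, 6, 14, 0), "moderate", "cleared", date(2018, 3, 6), None),
    IdsEvent("E4", datetime(2018, 3, 7, 23, 30), "moderate", "cleared", date(2018, 3, 8), None),
    IdsEvent("E5", datetime(2018, 3, 9, 17, 0), "high", "escalated", date(2018, 3, 12), "CSIRS-PLACEHOLDER-2"),
    IdsEvent("E6", datetime(2018, 3, 6, 9, 0), "critical", "cleared", date(2018, 3, 12), None),  # six days late
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    print(f"Task score: {result['score']}")
    print("Not reviewed by deadline:", result["unreviewed_or_late"])
    print("Escalated without Cal-CSIRS report:", result["escalated_without_csirs"])
```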

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Ent Event Correlation & Eval Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


2.13.5 Review IDS/IPS Maintenance (Signature & Firmware) SI-4

Entity ensures the protection of hosts via IDS / IPS:

a - Entity deploys an IDS/IPS at Ingress/Egress point
b - Signatures within 5 days from date of assessment
c - Deployed firmware / software version is the latest stable / production maintenance release version for the device; if the release date is less than 30 days, then this portion of the check will default to the prior version to accommodate the maintenance window

I - IDS/IPS deployed at all Ingress / Egress points; Device signatures are within 5 days from date of assessment; Firmware is the most current production version

P - IDS/IPS deployed at all Ingress / Egress points; Device signatures are within 5 days from date of assessment; Firmware is not the currently issued production version and the production version release date is > 30 days from today

N - Device is not deployed or both conditions below are true:

a - Signatures are within 5 days from date of assessment
b - Firmware is not currently issued production version (version release date is > 30 days from today)

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Exposure & Intrusion Detect / Prevent Capabilities
CISO Rpt Level: Security Analytics & Cont. Mon


2.14.1 Distribution of Cybersecurity Alerts, Messages, and Warnings SI-5

Entity documents subscription to CDT (e.g. Cal-CSIRS notifications), Cal-CSIC (Intelligence Bulletins), Government notification list servers, and industry cybersecurity notifications to stay updated on current threat tactics; Provides timely distribution of relevant received alerts / notifications to appropriate (cleared) internal Communities of Interest; ensures distribution of content does not violate handling caveats (e.g. TLP Red).

I – Entity documents access to Cal-CSIRS notifications; receipt of Cal-CSIC distributed Bulletins; Government / Industry relevant cybersecurity notifications; Documents redistribution of relevant notifications to internal Communities of Interest

P – Entity documents access to Cal-CSIRS; receipt of limited government / industry notification; no documented distribution of relevant notifications to internal Communities of Interest

N – Entity is unable to document access to Cal-CSIRS, or is unable to document redistribution of relevant notifications to internal Communities of Interest

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Scty Mgt Plan
CISO Rpt Level: Security Governance


2.16.1 Malicious Code Protection – Central Client Management SI-3(1)

Entity manages the status, update and reporting for all anti-virus clients under an integrated Enterprise Management Console. Clients in scope for this task are defined as all hosts in enterprise Directory / Asset inventory. This assessment will discount stale clients via AD Check-in greater than 30 Days. Non-Directory managed clients (e.g. Macintosh / Nix devices) will be manually identified. Enterprise AV endpoints meet the following minimum standard:

- Requires all entity controlled hosts to check-in to enterprise console within every 15 Days
- Console configured to deploy and track AV signature files / Application updates
- All clients running current AV client version within 30 days of release

I – Greater than 95% of expected clients under enterprise management meet all conditions within this task

P – Between 75% to 95% of expected clients under enterprise management meet all conditions within this task

N – Less than 75% of expected clients under enterprise management meet all conditions within this task
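The client-compliance calculation this task scores, as an added example that is not the ISA's own scoring tool nor any AV console's API: it discounts directory clients stale for more than 30 days, keeps manually identified non-directory hosts in scope, tests the 15-day console check-in and the 30-day version grace period, and maps the resulting percentage onto the I/P/N bands above. The host records, the vendor release calendar and the assessment date are constructed for the example.

```python
"""Compute enterprise AV client compliance for task 2.16.1.

Added illustration; not the ISA's own scoring tool nor any AV console's API. The
host records, release calendar and assessment date are constructed for the example;
the 30-day stale-client discount, the 15-day console check-in window, the 30-day
version grace period and the 95% / 75% bands come from the task text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

STALE_AD_DAYS = 30           # directory clients idle longer than this are discounted
CONSOLE_CHECKIN_DAYS = 15    # every managed host must report to the console within this
VERSION_GRACE_DAYS = 30      # a new client release is only required after this long

# Constructed vendor release calendar: client version -> release date.
RELEASES: Dict[str, date] = {
    "12.1": date(2017, 9, 1),
    "12.2": date(2018, 1, 10),
    "12.3": date(2018, 2, 25),
}


@dataclass(frozen=True)
class Host:
    name: str
    ad_last_checkin: Optional[date]       # None for non-directory (Macintosh / *nix) hosts
    console_last_checkin: Optional[date]  # None when the host never reported to the console
    client_version: str


def in_scope(host: Host, today: date) -> bool:
    """Manually identified non-directory hosts always count; stale AD clients are discounted."""
    if host.ad_last_checkin is None:
        return True
    return (today - host.ad_last_checkin).days <= STALE_AD_DAYS


def required_version(today: date) -> str:
    """Newest release that has been available for at least the grace period."""
    mature = [v for v, released in RELEASES.items() if (today - released).days >= VERSION_GRACE_DAYS]
    return max(mature, key=lambda v: RELEASES[v])


def meets_all_conditions(host: Host, today: date) -> bool:
    """Console check-in within 15 days and a client at least as new as the required release."""
    if host.console_last_checkin is None:
        return False
    if (today - host.console_last_checkin).days > CONSOLE_CHECKIN_DAYS:
        return False
    released = RELEASES.get(host.client_version)
    # Unknown versions fail; otherwise compare release dates rather than version strings.
    return released is not None and released >= RELEASES[required_version(today)]


def compliance(hosts: List[Host], today: date) -> Tuple[float, int, int]:
    """Percentage of in-scope clients meeting every condition, plus the raw counts."""
    scoped = [h for h in hosts if in_scope(h, today)]
    met = sum(meets_all_conditions(h, today) for h in scoped)
    return round(100 * met / len(scoped), 1), met, len(scoped)


def task_score(percent: float) -> str:
    """I above 95%, P from 75% through 95%, N below 75%."""
    if percent > 95:
        return "I"
    if percent >= 75:
        return "P"
    return "N"


ASSESSMENT_DATE = date(2018, 3, 1)  # constructed

SAMPLE_HOSTS = [
    Host("WS-001", date(2018, 2, 28), date(2018, 2, 27), "12.2"),
    Host("WS-002", date(2018, 2, 28), date(2018, 2, 1), "12.2"),    # console check-in 28 days old
    Host("WS-003", date(2017, 12, 1), date(2017, 12, 1), "12.1"),   # stale in AD: discounted
    Host("SRV-001", date(2018, 3, 1), date(2018, 3, 1), "12.1"),    # client behind the required release
    Host("MAC-001", None, date(2018, 2, 20), "12.3"),               # non-directory, manually listed
    Host("LT-001", date(2018, 2, 20), date(2018, 2, 26), "12.2"),
    Host("LT-002", date(2018, 2, 25), date(2018, 2, 26), "12.2"),
    Host("WS-004", date(2018, 2, 27), date(2018, 2, 28), "12.2"),
    Host("WS-005", date(2018, 2, 27), date(2018, 2, 28), "12.3"),
    Host("SRV-002", date(2018, 3, 1), date(2018, 3, 1), "12.2"),
    Host("SRV-003", date(2018, 3, 1), date(2018, 2, 18), "12.2"),
]

if __name__ == "__main__":
    pct, met, total = compliance(SAMPLE_HOSTS, ASSESSMENT_DATE)
    print(f"Required client version: {required_version(ASSESSMENT_DATE)}")
    print(f"{met}/{total} in-scope clients compliant ({pct}%) -> task score {task_score(pct)}")
```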

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Comp Platform-Specific Anti-Malware
CISO Rpt Level: Vulnerability Mgt


2.17.1 Primary External Website Assessment - Exploitable Configurations / Input Validation SI-10

Entity assesses their primary public external web site no less than every two years (or at time of major update/upgrade). Assessment detects at-risk configuration; end-of-life applications; information leaks; and other security risks related to the provisioning of the content and data rendered. Review entity assessment to determine if:

- Externally enumerable configuration information that exposes insecure settings was detected and remediated
- Presence of Cross-site Scripting (XSS) misconfiguration was detected and remediated
- Presence of Structured Query Language Injection (SQLi) misconfigurations was detected and remediated
- Compare the current website state against the assessment scan of the site to identify un-remediated issues

Minimum Artifact Requirement: Scan site and deliver a detailed report of all detected at-risk configurations / vulnerabilities related to host web service rendering

I – Entity documents external web apps/site XSS and SQLi testing at least every 2 years; Assessment scan results had no detected issues above the Moderate level

P – Entity documents external web apps/site XSS and SQLi testing at least every 2 years; Assessment scan results detected issues at the High level

N – No evidence of external web apps/site XSS and SQLi testing at least every 2 years; or Assessment scan results detect 1 or more Critical findings

NIST Ctrl:

Condition:

Measures

Remarks:

Objective:

Task Score:

Secure Code Practices
CISO Rpt Level: Application Security
