SANS 20 Critical Security Controls


Choose appropriate security controls from the SANS 20 Critical Security Controls, and choose the remainder of the controls needed to secure this system from the list of controls provided from NIST SP 800-53 Rev. 4 (see webliography). You will select a total of 10 security controls. List each control by type, mapping it as best you can to the NIST control families (e.g. PE-3), and provide a one-sentence description of the function of the control. NOTE: You will address each control in the 20 Critical Security Controls document and determine whether or not the control is appropriate for securing the system in the scenario, providing a sentence or two on why or why not it should be selected. All 20 critical security controls must be addressed for the scenario, but they need not all be selected. The rest of the 10 controls you select can be chosen from the NIST SP 800-53 Rev. 4 Access Control family (a list is provided below; however, you will review each of the controls in the document provided in Course Content). For example, if you choose two of the twenty SANS controls, you will select eight of the Access Controls for a total of ten controls.

Scenario:
The following illustration shows an example of a public, unsecured Windows Communication Foundation (WCF) client and server.

The system is not secure. This is a small business. It is a client/server system. The system is located in an unlocked room within the main building of the business. The business only has two buildings. One building houses all the computer equipment plus the data about their customers. How would you secure this system?
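As an added illustration (not part of the assignment text or of the missing diagram): in WCF terms, a "public, unsecured" client/server pair usually means an endpoint whose binding has security mode None, so calls carry no caller identity and travel in clear text, and whose metadata is published to anyone who asks. The app.config fragment below shows such a binding next to one that requires TLS transport security with Windows credentials and turns off public metadata. The service name, contract name and hostname are assumptions for the example. Note that this addresses only the application-layer part of the scenario (SANS controls 6 and 17, NIST AC-3/AC-17); the unlocked room is a physical-access problem (PE-3) that no configuration setting fixes.

```xml
<!-- Added example: app.config for the scenario's WCF service.
     Example.CustomerService, Example.ICustomerService and
     server.example.internal are assumed names, not from the assignment. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- The weak setting: no transport or message security at all.
             Anyone on the network can call the service and read the traffic. -->
        <binding name="insecure">
          <security mode="None" />
        </binding>

        <!-- The corrected setting: HTTPS on the wire, and the caller must
             present Windows credentials before any operation runs. -->
        <binding name="secured">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <service name="Example.CustomerService"
               behaviorConfiguration="lockedDown">
        <!-- Bind the endpoint to the secured binding; the address must be
             https:// to match mode="Transport". -->
        <endpoint address="https://server.example.internal/CustomerService"
                  binding="basicHttpBinding"
                  bindingConfiguration="secured"
                  contract="Example.ICustomerService" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="lockedDown">
          <!-- Do not publish WSDL over plain HTTP GET to the public. -->
          <serviceMetadata httpGetEnabled="false" />
          <!-- Keep stack traces and internal details out of SOAP faults. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

When reviewing a real WCF deployment against the control list, the two settings to check first are the `<security mode="...">` on each binding (None is the unsecured case) and whether `httpGetEnabled` metadata is exposed on a public address.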
Here are the NIST Access Controls – remember first to use the SANS Top 20 Critical Controls listed below.
http://www.sans.org/critical-security-controls/controls

The link above cannot be opened in a frame; the best way to open it is to copy the link and enter it into your browser separately. The 20 security controls are:

Version 5
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
The NIST Access Controls are provided below:

TABLE D-2: SECURITY CONTROL BASELINES

| No. | Control Name | Priority | Initial Control Baseline: Low | Initial Control Baseline: Mod | Initial Control Baseline: High |
|---|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | P1 | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (12) (13) |
| AC-3 | Access Enforcement | P1 | AC-3 | AC-3 | AC-3 |
| AC-4 | Information Flow Enforcement | P1 | Not Selected | AC-4 | AC-4 |
| AC-5 | Separation of Duties | P1 | Not Selected | AC-5 | AC-5 |
| AC-6 | Least Privilege | P1 | Not Selected | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | P2 | AC-7 | AC-7 | AC-7 |
| AC-8 | System Use Notification | P1 | AC-8 | AC-8 | AC-8 |
| AC-9 | Previous Logon (Access) Notification | P0 | Not Selected | Not Selected | Not Selected |
| AC-10 | Concurrent Session Control | P2 | Not Selected | Not Selected | AC-10 |
| AC-11 | Session Lock | P3 | Not Selected | AC-11 (1) | AC-11 (1) |
| AC-12 | Session Termination | P2 | Not Selected | AC-12 | AC-12 |
| AC-14 | Permitted Actions without Identification or Authentication | P1 | AC-14 | AC-14 | AC-14 |
| AC-16 | Security Attributes | P0 | Not Selected | Not Selected | Not Selected |
| AC-17 | Remote Access | P1 | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | P1 | AC-18 | AC-18 (1) | AC-18 (1) (4) (5) |
| AC-19 | Access Control for Mobile Devices | P1 | AC-19 | AC-19 (5) | AC-19 (5) |
| AC-20 | Use of External Information Systems | P1 | AC-20 | AC-20 (1) (2) | AC-20 (1) (2) |
| AC-21 | Information Sharing | P2 | Not Selected | AC-21 | AC-21 |
| AC-22 | Publicly Accessible Content | P2 | AC-22 | AC-22 | AC-22 |
| AC-23 | Data Mining Protection | P0 | Not Selected | Not Selected | Not Selected |
| AC-24 | Access Control Decisions | P0 | Not Selected | Not Selected | Not Selected |
| AC-25 | Reference Monitor | P0 | Not Selected | Not Selected | Not Selected |
Use the matrix provided to prepare your assessment for the scenario.

Assessment Matrix

Name:
Date:

| SANS Critical Controls | Explain selection rationale | Enter Y for selected and N for not selected |
|---|---|---|
| Inventory of Authorized and Unauthorized Devices | | |
| Inventory of Authorized and Unauthorized Software | | |
