Rough Assessment Guide

Certified Digital Security
Rough Level Check




     This worksheet is version 0.5 and has been released as a living document against
     Version 3 Release 1 of the Certified Digital Security Levels. See
     www.certifieddigitalsecurity.com/levels.

     The worksheet is a draft version; we are adding further functionality to enable better
     reporting of general compliance against the CDS Standard.

     We are seeking to produce an Excel workbook that highlights gaps in the
     organization's security while allowing it to gauge quickly which parts of the CDS
     Standard it already meets.

     This will allow an organization to focus on the items it is missing.

     This sheet is only a guide and does not replace a proper audit carried out in person. All headings
     are taken from version 1.2 of CDS. For details of what an item requires,
     check it against the implementation guide for the level at which it is introduced.



How to use this sheet:

1. Go to the "Assessment Sheet - start here" tab.
2. Review the organization, placing an 'X' against items that are undertaken and have been observed.
3. Review the three reports and look for levels that are complete.
4. The highest level with an 'X' in every box is the level the organization potentially meets.
5. See what further work is required to achieve the next level.
6. Review the CDS guidance documents for the target level and all lower levels, to ensure the organization
meets every requirement (this worksheet provides only a rough indication).
7. Consider having the organization audited against CDS (see www.certifieddigitalsecurity.com).
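Steps 4 and 5 above are a small calculation that the planned workbook would do automatically: find the highest level whose rows are all marked, and list what is missing for the next one. The script below is an added example, not part of the CDS worksheet or any CDS tooling. It assumes levels are cumulative (a level counts only if every lower level is also complete, as step 6 implies), and its LEVELS table is a partial reading of the report tabs: only rows whose level is unambiguous in the tables as reproduced here are included, with row names spelled as in the assessment sheet. Extend the table from the workbook before relying on the result.

```python
"""Rough CDS level calculator (added example; not part of the CDS worksheet)."""
from __future__ import annotations

from typing import Iterable

# Constructed from the report tabs: only rows whose level is unambiguous in the
# extracted tables are listed. Extend from the workbook before relying on this.
LEVELS: dict[int, tuple[str, ...]] = {
    1: ("Basic Security Policy", "Acceptable Email Usage Policy",
        "Acceptable Internet Usage Policy", "Individual User Accounts", "Anti Virus"),
    2: ("Patch Servers", "Patch Client workstations (inc laptops)", "Management of Assets",
        "Basic Logging of Server Activity", "Forensic Readiness Plan"),
    3: ("Physically Secure Servers and Data Stores", "Removal of private IT from the LAN",
        "Prevent Access to Unauthorised Email Portals", "Block Unauthorised Remote Access Software"),
    4: ("Harden Public Facing Servers", "Harden Internal Servers",
        "Implement & Enforce Configuration Control", "Operate a Risk Register"),
    5: ("ITSy Staff training & certifications are current", "Regular Review of Barriers by Audit",
        "Encryption of all Laptops"),
    6: ("ITSy Staff Attend Mandatory ITSy Training", "Regular Checks on Subcontractors",
        "VPN & Encryption on Regular Links"),
    7: ("Multiskilled ITSy Team", "Regular Review of Barriers by Pen Testing",
        "Boundary and Internal IDS / IPS", "Incident Response Team"),
    8: ("Trained Users with Approved Courses", "Code Review of Bespoke Programmes",
        "Multifactor Authentication of Administrators"),
    9: ("All Key Systems Code Reviewed", "System Config Secured Against Alteration",
        "All Staff Use Multifactor Authentication"),
}

KNOWN_ITEMS = frozenset(item for items in LEVELS.values() for item in items)


def unknown_items(observed: Iterable[str]) -> list[str]:
    """Rows marked 'X' that match no assessment row (typos, renamed rows)."""
    return sorted(set(observed) - KNOWN_ITEMS)


def level_achieved(observed: Iterable[str]) -> int:
    """Highest level whose rows, and those of every lower level, are all observed.

    Assumption: levels are cumulative. A complete level 2 with an incomplete
    level 1 still scores 0.
    """
    seen = set(observed)
    achieved = 0
    for level in sorted(LEVELS):
        if not all(item in seen for item in LEVELS[level]):
            break
        achieved = level
    return achieved


def gaps(observed: Iterable[str], target: int) -> dict[int, list[str]]:
    """Rows still missing at each level up to and including `target`."""
    seen = set(observed)
    result: dict[int, list[str]] = {}
    for level in sorted(LEVELS):
        if level > target:
            break
        missing = [item for item in LEVELS[level] if item not in seen]
        if missing:
            result[level] = missing
    return result


def next_level_gaps(observed: Iterable[str]) -> tuple[int, list[str]]:
    """The level above the one achieved, and the rows still needed for it."""
    nxt = min(level_achieved(observed) + 1, max(LEVELS))
    return nxt, gaps(observed, nxt).get(nxt, [])


if __name__ == "__main__":
    # Constructed sample assessment: levels 1 and 2 complete, level 3 partial,
    # plus one mistyped row name that would silently be ignored in a spreadsheet.
    sample = [*LEVELS[1], *LEVELS[2],
              "Physically Secure Servers and Data Stores",
              "Removal of private IT from the LAN",
              "Anti-Virus"]
    print("unknown rows:", unknown_items(sample))
    print("level achieved:", level_achieved(sample))
    print("next level gaps:", next_level_gaps(sample))
```

The unknown-row check matters in practice: a row label that has been retyped slightly differently in the workbook never matches, so the level report quietly under-reports until someone notices.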







Certified Digital Security - Rough Assessment sheet
Place an 'X' against items in the assessment column; once complete, check the tabs for each group of levels to check rough compliance.

Assessment area                                   If observed, place X        Notes
Acceptable Email Usage Policy
Acceptable Internet Usage Policy
All Key Systems Code Reviewed
All Staff Use Multifactor Authentication
Anti Virus
Asset Disposal Policy
Auditing & Logging of USB Devices
Background Check of Administrators
Basic Logging of Server Activity
Basic Security Policy
Basic User Training (30 Minutes per Year)
Block Unauthorised Remote Access Software
Boundary and Internal IDS / IPS
Business Continuity & Disaster Recovery Plan
Regular Checks on Subcontractors
Code Review of Bespoke Programmes
Conduct a Software Audit
Consideration of Air Gap for High Risk Systems
Dedicated ITSy Staff (their full time role)
Encryption of all Laptops
Encryption of Data in Transit and at Rest
Forensic Readiness Plan
Formal Administrator Training
Harden Internal Servers
Harden Public Facing Servers
Implement & Enforce Configuration Control
Incident Response Team
Increased Levels of Logging
Individual User Accounts
ITSy Staff Attend Mandatory ITSy Training
ITSy Staff training & certifications are current
Justification held for connection to Internet
Lock Down of Mobile Devices
Lockdown of USB Ports
Management of Assets
Multifactor Authentication of Administrators
Multiskilled ITSy Team
Named ITSy Staff (can be a part time role)
Nominated ITSy Staff are ITSy Trained
Operate a Risk Register
Patch Client workstations (inc laptops)
Patch Servers
Physically Secure Servers and Data Stores
Prevent Access to Unauthorised Email Portals
Prohibit Non Organizational Assets on LAN
Qualified Administrators
Regular Review of Barriers by Audit
Regular Review of Barriers by Pen Testing
Regular Reviews of Security
Regular Vulnerability Analysis
Removal of private IT from the LAN
Secure Config with no Single Points of Failure
Secure Configuration - Defence in Depth (DMZ, Proxy of Communicating Protocols etc)
Secure Disposal of Media
Stateful Firewalls to Protect Boundaries
System Config Secured Against Alteration
Trained Users with Approved Courses
Use Application Layer Firewalls
VPN & Encryption on Regular Links
Wireless Encryption (WPA/WPA2)




Report: Levels 1 to 3
                                     Basic Security Policy
                          Acceptable Email Usage Policy
Level 1                Acceptable Internet Usage Policy
                                Individual User Accounts
                                                Anti Virus
                                    Asset Disposal Policy
                   Background Check of Administrators
              Basic User Training (30 Minutes per Year)
                                            Patch Servers
                 Patch Client workstations (inc laptops)
Level 2                           Management of Assets
                         Basic Logging of Server Activity
                                 Forensic Readiness Plan
                      Wireless Encryption (WPA/WPA2)
             Prohibit Non Organizational Assets on LAN
                              Conduct a Software Audit
                          Formal Administrator Training
                Stateful Firewalls to Protect Boundaries
              Physically Secure Servers and Data Stores
Level 3             Removal of private IT from the LAN
          Prevent Access to Unauthorised Email Portals
          Block Unauthorised Remote Access Software
                               Secure Disposal of Media
          Business Continuity & Disaster Recovery Plan




Report: Levels 4 to 6
                             Harden Public Facing Servers
                                  Harden Internal Servers
Level 4     Implement & Enforce Configuration Control
                                  Operate a Risk Register
                              Increased Levels of Logging
                      Auditing & Logging of USB Devices
              Named ITSy Staff (can be a part time role)
                  Nominated ITSy Staff are ITSy Trained
          ITSy Staff training & certifications are current
Level 5              Regular Review of Barriers by Audit
                                 Encryption of all Laptops
                            Lock Down of Mobile Devices
                                  Lockdown of USB Ports
                Dedicated ITSy Staff (their full time role)
              ITSy Staff Attend Mandatory ITSy Training
Level 6                Regular Checks on Subcontractors
                      VPN & Encryption on Regular Links
                          Use Application Layer Firewalls
                           Regular Vulnerability Analysis




Report: Levels 7 to 9
                                        Multiskilled ITSy Team
                   Regular Review of Barriers by Pen Testing
Level 7                        Boundary and Internal IDS / IPS
                                      Incident Response Team
                                   Regular Reviews of Security
                    Encryption of Data in Transit and at Rest
                                      Qualified Administrators
                        Trained Users with Approved Courses
Level 8                 Code Review of Bespoke Programmes
                Multifactor Authentication of Administrators
         Secure Configuration - Defence in Depth (DMZ, Proxy of Communicating Protocols etc)
                 Justification held for connection to Internet
                              All Key Systems Code Reviewed
Level 9            System Config Secured Against Alteration
                     All Staff Use Multifactor Authentication
               Consideration of Air Gap for High Risk Systems
               Secure Config with no Single Points of Failure




Document info: posted 3/19/2011, English, 8 pages.