Details of this Paper

SAN?s 20 critical security controls




Choose appropriate security controls from the SAN?s 20 critical security controls and choose the remainder of controls that are needed to secure this system from the listing of controls provided from NIST 800-53 rev 4 (see webliography). You will select a total of 10 security controls. List the control by type, mapping them as best as you can to the NIST Control Families (i.e. PE-3, etc. and provide a one sentence description of the function of this control). NOTE: You will address each control in the 20 critical security controls document and determine whether or not the control is appropriate to security the system in the scenario. You will provide a sentence or two on why or why not it should be selected. The 20 critical security controls must be addressed for the scenario but not necessarily selected for the scenario. The rest of the 10 controls you will select can be chosen from the NIST SP 800-53, Rev. 4 controls, from the Access Controls Family (I?ve provided a list, below, however you will review each of the controls in the document provided in Course Content). For example, if you choose two of the twenty SANS controls, you will select eight of the Access controls for a total of ten controls.;Scenario;The following illustration shows an example of a public, unsecured Windows Communication Foundation (WCF) client and server.;The system is not secure. This is a small business. It is a client/server system. The system is located in an unlocked room within the main building of the business. The business only has two buildings. One building houses all the computer equipment plus the data about their customers. How would you secure this system?;Here are the NIST Access Controls ? remember first to use the SANS Top 20 Critical Controls listed below.;;The link above cannot be open in a frame and the best way to open this link is to copy the link and then enter it into your browser separately. The 20 security controls are;Version 5;1: Inventory of Authorized and Unauthorized Devices;2: Inventory of Authorized and Unauthorized Software;3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers;4: Continuous Vulnerability Assessment and Remediation;5: Malware Defenses;6: Application Software Security;7: Wireless Access Control;8: Data Recovery Capability;9: Security Skills Assessment and Appropriate Training to Fill Gaps;10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches;11: Limitation and Control of Network Ports, Protocols, and Services;12: Controlled Use of Administrative Privileges;13: Boundary Defense;14: Maintenance, Monitoring, and Analysis of Audit Logs;15: Controlled Access Based on the Need to Know;16: Account Monitoring and Control;17: Data Protection;18: Incident Response and Management;19: Secure Network Engineering;20: Penetration Tests and Red Team Exercises;The NIST Access Controls are provided below;TABLE D-2: SECURITY CONTROL BASELINES92;No. Control Name Priority Initial Control Baselines;Low Mod High;AC-1 Access Control Policy and Procedures P1 AC-1 AC-1 AC-1;AC-2 Account Management P1 AC-2 AC-2 (1) (2) (3) (4) AC-2 (1) (2) (3) (4) (5) (12) (13);AC-3 Access Enforcement P1 AC-3 AC-3 AC-3;AC-4 Information Flow Enforcement P1 Not Selected AC-4 AC-4;AC-5 Separation of Duties P1 Not Selected AC-5 AC-5;AC-6 Least Privilege P1 Not Selected AC-6 (1) (2) (5) (9) (10) AC-6 (1) (2) (3) (5) (9) (10);AC-7 Unsuccessful Logon Attempts P2 AC-7 AC-7 AC-7;AC-8 System Use Notification P1 AC-8 AC-8 AC-8;AC-9 Previous Logon (Access) Notification P0 Not Selected Not Selected Not Selected;AC-10 Concurrent Session Control P2 Not Selected Not Selected AC-10;AC-11 Session Lock P3 Not Selected AC-11 (1) AC-11 (1);AC-12 Session Termination P2 Not Selected AC-12 AC-12;AC-14 Permitted Actions without Identification or Authentication P1 AC-14 AC-14 AC-14;AC-16 Security Attributes P0 Not Selected Not Selected Not Selected;AC-17 Remote Access P1 AC-17 AC-17 (1) (2) (3) (4) AC-17 (1) (2) (3) (4);AC-18 Wireless Access P1 AC-18 AC-18 (1) AC-18 (1) (4) (5);AC-19 Access Control for Mobile Devices P1 AC-19 AC-19 (5) AC-19 (5);AC-20 Use of External Information Systems P1 AC-20 AC-20 (1) (2) AC-20 (1) (2);AC-21 Information Sharing P2 Not Selected AC-21 AC-21;AC-22 Publicly Accessible Content P2 AC-22 AC-22 AC-22;AC-23 Data Mining Protection P0 Not Selected Not Selected Not Selected;AC-24 Access Control Decisions P0 Not Selected Not Selected Not Selected;AC-25 Reference Monitor P0 Not Selected Not Selected Not Selected;Use the matrix provided to prepare your assessment for the scenario.;Assessment Matrix;Name;Date;SANS Critical Controls Explain selection rationale Enter Y for selected and N for not selected;Inventory of Authorized and Unauthorized Devices;Inventory of Authorized and Unauthorized Software


Paper#67257 | Written in 18-Jul-2015

Price : $27