Filter

Penetration Testing

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.


Login

Penetration Testing

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.


Login

Penetration Testing

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.


Login

Penetration Testing

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.


Login

Network Monitoring and Defense

Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.


Login

Application Software Security

Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.


Login

Data Protection

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).


Login

Secure Configuration of Enterprise Assets and Software

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.


Login

Audit Log Management

Retain audit logs across enterprise assets for a minimum of 90 days.


Login

Audit and Assurance (A&A)

Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.


Login