Solved

hardening policy and vulnerability management policy

Posted on 2012-03-14
Last Modified: 2012-04-02
Question by: pma111

By what names will hardening systems/applications and vulnerability management policies be referred? Do you have such a policy at your companies, or do these areas fit into an overarching policy, are they referred to as something else, or do they fit into the same policy? Do you have a comprehensive list of what security areas are covered by policy? I assume patch management is a 3rd, but I guess there will be lots.

11 Comments
Accepted Solution by: ahoffmann
ID: 37723707

Not sure what exactly you're asking for, but probably the following can help you:
  http://bsi-mm.com/ BSIMM
  http://bsimm2.com/ BSIMM
  http://www.isecom.org/ OSSTMM
  http://www.opensamm.org/ OpenSAMM
  https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model OpenSAMM
Author Comment by: pma111
ID: 37723947

I'm asking if you as a company have any sort of corporate policy that discusses the company's stance on vulnerability management and hardening servers/workstations/network devices before they are utilised in the network? And what a "hardening policy" may also be referred to as?
Assisted Solution by: btan
ID: 37724311

For Windows server, this link is the baseline in general:
 http://technet.microsoft.com/en-us/library/cc526440.aspx
But we should go another level towards hardening at the application-specific level, e.g. Lync server below:
 http://technet.microsoft.com/en-us/library/gg195792.aspx
It tends to incorporate VA as part of the health checks, where the policy mandates the intervals and the type of critical services to be defended and patched within a certain SLA requirement set by organisational needs. For example, to provide high resiliency of 99.9%, the checks have to be 2 times per month with additional checks on baselines and eliminating unnecessary services like ftp, rtsp, etc. Many more variations can evolve, especially if virtual patching criteria are needed. This means reducing the window of exposure while a patch is not available from the vendor.
Author Comment by: pma111
ID: 37724560

Breadtan - does your company have a defined, documented and implemented policy then around systems hardening? I.e. a piece of paper that says this is what the company has decided we do around this? Or is VA/PM/VM referenced in another policy?
Author Comment by: pma111
ID: 37724564

Or is it just done by IT, but no policy that says "thou must", just a case of "thou does"?
Author Comment by: pma111
ID: 37724567

I must confess I've seen patch management documented policies, but I've never seen a vulnerability management policy?
Author Comment by: pma111
ID: 37724571

This is an interesting comment:

"Remove All Unnecessary File Shares
Remove all unnecessary file shares on the system to prevent possible information disclosure and to prevent malicious users from using the shares as an entry to the local system."

That hints that even with access to just a share, it may be used to gain access to other resources on the server? Is that even possible?
Assisted Solution by: McKnife
ID: 37727253

Hi.

Our company has to follow federal guidelines. Those are imposed on us because we work with restricted data that is used by the military. The term for us is "base protection guideline" and this covers hardening amongst other things. In general, you can often read about a "company security policy".

Vulnerability management? What should that term consist of? I was not aware that nowadays vulnerabilities need managers ;). Say in detail what you see behind this term and I might help you find a better one.
Expert Comment by: btan
ID: 37728281

Simply said, these policies at the enterprise side are not a total lockdown of services like file shares. It is to eliminate null shares or shares that are accessible using simple credentials. There is definitely a defined policy at my IT department, but not yet to the extent of enforcing lockout of users if they do not meet certain health checks. The server has a segregated LAN and vulnerability scanning is not in place as it is supposed to be. Minimally, patch mgmt is there, as the expertise to train on performing vulnerability scans will ideally come from internal experts of the audit department... too many variations and investments personally that I see, hence balancing and getting CIO key priority to build the alignment of the outcome of the security posture for the enterprise is an ever ongoing process and education.
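The "null shares or shares accessible with simple credentials" health check described above, written out as an added PowerShell audit; this is not code from the thread or from any of the linked Microsoft guides. It uses the standard SmbShare cmdlets and registry paths; the list of "broad" principals, the function name and the report layout are my own assumptions.

```powershell
# Added example, not from the thread: read-only audit of one Windows host for the
# share-hardening items discussed above. Requires the SmbShare module
# (Windows 8 / Server 2012 or later) and an elevated prompt. The set of "broad"
# principals and the finding layout are assumptions; nothing is changed on the host.

function Get-ShareHardeningFindings {
    $findings = @()
    $broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON')

    # 1. Non-administrative shares whose ACL allows Everyone or anonymous logon.
    #    Built-in admin shares (ADMIN$, C$, IPC$) are marked Special and skipped,
    #    since they are governed by separate controls and would only add noise.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $ace.AccountName) {
                $findings += [pscustomobject]@{
                    Check  = 'BroadShareAccess'
                    Item   = "$($share.Name) -> $($share.Path)"
                    Detail = "$($ace.AccountName) allowed $($ace.AccessRight)"
                }
            }
        }
    }

    # 2. Null-session settings. RestrictAnonymous = 1 is the registry form of the
    #    policy "Do not allow anonymous enumeration of SAM accounts and shares";
    #    NullSessionShares lists shares reachable without credentials at all.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa.RestrictAnonymous -or $lsa.RestrictAnonymous -eq 0) {
        $findings += [pscustomobject]@{
            Check  = 'RestrictAnonymous'
            Item   = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            Detail = "RestrictAnonymous is '$($lsa.RestrictAnonymous)'; anonymous share enumeration is not blocked"
        }
    }
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($srv.NullSessionShares -and @($srv.NullSessionShares).Count -gt 0) {
        $findings += [pscustomobject]@{
            Check  = 'NullSessionShares'
            Item   = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            Detail = "Null-session shares configured: $($srv.NullSessionShares -join ', ')"
        }
    }
    return $findings
}

# Run the check and print a table; an empty result means nothing to remediate here.
$result = @(Get-ShareHardeningFindings)
if ($result.Count -eq 0) { 'No share-hardening findings.' } else { $result | Format-Table -AutoSize }
```

Scheduling this per host at the interval the policy mandates (btan's "2 times per month") and keeping the output gives the documented evidence pma111 is asking whether anyone produces.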
Assisted Solution by: madunix
ID: 37733427
Expert Comment by: btan
ID: 37733832

Just to add something more specific on security strategy planning for proactive and reactive response:
 http://technet.microsoft.com/en-us/library/cc723491.aspx
Both patch and vulnerability mgmt are part of the security strategy policy enforcement for responses. The security list SP 800-115 and SP 800-53A are worth checking out.