Policy 7230A - Department of Administration
6. Systems Operation
These Systems Operations Non-Mandatory Baselines support the Enterprise Security Policy (ITEC 7230 Rev 1), and the IT Security Self Assessment Policy (ITEC 7310).

                                                      Mandatory                Non-Mandatory
                                                Procedures  Baselines    Procedures  Baselines
6. Systems Operation
6.1. Assessment Operations
6.1.1. Perform Security Assessment              (7 sets)                 (3 sets)
6.1.2. Perform Security Self Assessment         (4 sets)                 (2 sets)
6.2. Integrity Operations
6.2.1. Monitor System Security Controls         (3 sets)                 (1 set)
6.3. Maintenance Operations
6.3.1. Plan for, and Provide Notice of, Security Operations   (4 sets)   (1 set)
6.3.2. Perform Patch and Vulnerability Management             (5 sets)   (3 sets)
6.3.3. Securely Maintain Systems                (2 sets)                 (2 sets)
6.4. Maintain Records
6.1. Assessment Operations
The following are the Non-Mandatory Baselines that support the Assessment Operations section of the Default Security Requirements:
6.1.1. Perform Security Assessments
Security Assessments are thorough and in-depth security analyses designed to determine all security deficiencies within a system. Agencies should complete Security Assessments to establish all security concerns that may exist in a system:
6.1.1.a Security Assessment Recommendations
• Security assessment plans should address the following topics:
o Whether the assessment should be external, internal or both.
o Whether assessments should assess potential vulnerabilities or verifiable threats.
o Whether the assessment will be performed by staff or third-party experts.
• System documentation to be reviewed should include:
o System log files.
o System configuration.
o System rule-set.
• Security assessment investigative techniques should include:
o Network foot-printing.
o Port and service scanning.
o Vulnerability assessment.
o System and account review.
• Security assessment validating techniques should include: