I’m currently developing a security framework for my employer - it’s not based around NIST, ISO 27002, etc., but more around best practice and other focal points. Some of the content will of course be proprietary, although I would like to get an idea of audience as I am looking to publish it here as an open source guide.
Any interest?
My table of contents (so far) looks like the below:
CONTROL 01 – Awareness of existing and emerging Cyber Threats
CONTROL 02 – Change Control Process
CONTROL 03 – Data Protection
CONTROL 04 – Data Classification
CONTROL 05 – Data Loss Prevention (DLP)
CONTROL 06 – Data and Application Access
CONTROL 07 – Consistent Documentation
CONTROL 08 – Secure Configurations - Mobile Devices, Laptops, Workstations, and Servers
CONTROL 09 – Rolling Vulnerability Assessment and Remediation Program
CONTROL 10 – Patching Workstations and Servers
CONTROL 11 – Controlled Use of Administrative Privileges
CONTROL 12 – Maintenance, Monitoring, and Analysis of Audit Logs
CONTROL 13 – Email and Web Browser Protection
CONTROL 14 – Endpoint Defence
CONTROL 15 – Limitation and Control of Network Ports, Protocols, and Services
CONTROL 16 – Data Recovery Capability
CONTROL 17 – Secure Configurations for Network Devices
CONTROL 18 – Perimeter Defence
CONTROL 19 – Controlled Access
CONTROL 20 – Wireless Access Control
CONTROL 21 – Account Monitoring, Control and Password Storage
CONTROL 22 – Gap Analysis
CONTROL 23 – Application Software Security
CONTROL 24 – Incident Response and Management
CONTROL 25 – Incident Response, BCP, DR Testing and Contingency Planning
CONTROL 26 – Penetration Tests, Security Exercises, and Round Table
CONTROL 27 – Two-Factor, Trust, and Federated Identity Management
CONTROL 28 – Breach Identification and Reporting Process
CONTROL 29 – Risk Assessment
CONTROL 30 – Vendor Due Diligence
CONTROL 31 – Governance
CONTROL 32 – Inventory of Authorized and Unauthorized Devices and Software
CONTROL 33 – IoT / NAC Control and Security
CONTROL 34 – Methodology for Defining Systems
Any thoughts / criticisms / recommendations? It’s a work in progress of course, and not the final document. Some controls are fully written, and others are in flight.