
Wednesday, October 16, 2019

NIST 800-171 Compliance - Yearly Checklist

Every once in a while you’ll need to bring in the big guns. This is one of those times. Company Management plays a key role in the yearly events.

  1. CEO, Compliance Officer, and OpsO: Conduct a thorough risk assessment individually; then work together to update the risk matrix and plan implementations that mitigate risks or improve the effectiveness of controls
  2. Compliance Officer: Conduct a thorough security controls assessment, taking the new risk mitigation plan into account
  3. IT Team: Conduct a social engineering exercise to raise employees' awareness of the risk behind many common actions, habits, and natural tendencies
  4. IT Team: Conduct a technical vulnerability assessment and penetration test
  5. Compliance Officer: Review access records for employees terminated within the last 60 days
  6. CEO or Delegate: Conduct walk-through exercises of the business continuity and disaster recovery plans and evaluate the effectiveness of the planned emergency response actions
  7. Compliance Officer: Update the business continuity plan after the walk-through exercises and send copies to key personnel
  8. IT Team: Conduct a comprehensive physical inspection of each workstation
  9. IT Team: Update requirements in GPOs, browser settings, and firewalls to ensure acceptable cryptographic standards are met by default
  10. Office Manager: Check fire extinguishers for expiration dates and an acceptable pressure gauge reading
  11. Office Manager: Update the list of authorized maintenance organizations and personnel
  12. IT Team: Review warranty and service coverage agreements for information systems
  13. Compliance Officer: Ensure that system Mean Time Between Failures (MTBF) timelines are covered by warranty or service coverage agreements
  14. Compliance Officer: Review information system and data risk or security categorizations; spot-check whether related policies are in place, then update company policies
  15. Compliance Officer: Request feedback on updated policies from stakeholders and responsible individuals
  16. Compliance Officer: Conduct company-wide training on policies and procedures
  17. Compliance Officer: Document and review waivers, exemptions, or exceptions to the security program and the reasons for the allowances

NIST 800-171 Compliance - Quarterly Checklist

Just when you think you’re safe, check again. Complacency kills.
  1. Compliance Officer: Review annual training progress; schedule security training as necessary to ensure all employees meet the requirements
  2. IT Team: Update the organizational accounts list; change organization or service passwords and WiFi pre-shared keys that are more than 120 days old
  3. IT Team: Review the last 90 days of access records for drives and folders that contain CUI, PII, etc.
  4. Compliance Officer or Delegate: Review access records related to employees hired within the last 60 days
  5. IT Team: Review access records and logs related to employees terminated within the last 60 days; ensure access records and logs older than 90 days are properly stored in long-term archives
  6. IT Team: Conduct an automated vulnerability assessment of systems that process, store, or transmit sensitive information
  7. IT Team: Enforce the mandated disabling of admin accounts for 10-25% of admin users for 3-7 consecutive days
  8. IT Team: Review software installed on all systems; remove blacklisted software (games, P2P, VPN, coin miners, etc.); ensure required software is installed and baseline configurations are still in place
  9. Compliance Officer or Delegate: Review 25-50% of the security policies and note discrepancies or required changes; record the results of the review so the policies can be updated at the annual review, or earlier if necessary
  10. IT Team: Restore a backup taken within the last 30 days to test the full restoration process; measure the time it takes to return to full operation
  11. IT Team: Conduct test restorations of approved, randomly chosen essential systems; update the backup inventory listing location, type, coverage, and schedule
  12. Compliance Officer: Ensure that recovery and restoration actions meet Mean Time to Recovery (MTTR) objectives and that the objectives are reasonable
  13. Office Manager: Conduct a power management test to ensure uninterruptible power supplies/systems function properly
  14. Office Manager: Identify hours with potential for high-risk activity on-site and review 10 hours of surveillance recordings at 5x speed or less
  15. IT Team: Update the network diagram
  16. IT Team: Physically check 10% of systems for unapproved peripherals or suspicious devices connected to computers
  17. IT Team: Review GPO password settings:
    1. IT / Admin users OU set to 60 days
    2. Domain Users OU set to 90 days
    3. Service Accounts OU set to 120-365 days
  18. IT Team: Update the common password list and conduct password hash reviews to ensure these passwords are not in use
  19. IT Provider, Compliance Officer & OpsO: Review user permissions and roles; ensure they match current job function requirements
  20. IT Team: Remove temporary or shared accounts that are no longer needed
  21. IT Team: Verify that technical security controls are functioning: visit the EICAR website, attempt to log in to applications using guessed credentials, and modify test files on the audited file servers to ensure that audit records are accurate; make sure logs for all tracked events are aggregated (SIEM) and processed appropriately
  22. Compliance Officer: Review SIEM tool reports and evaluate the effectiveness of the IT Provider's actions
  23. Operations Officer: Verify the credentials, skills, and references behind training and certification claims
  24. Office Manager: Review the list of authorized users with physical access to the facility; review access logs and ensure that only authorized personnel have access to the facility and secure areas
  25. Data Protection Officer: Review shared documents, company communications, and public announcements to ensure privacy laws are followed
  26. Compliance Officer: Delete and clean up sensitive or confidential files to ensure only required documents are stored and to reduce the footprint of classified documents
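One way to enforce the three password-age tiers above and then report accounts that have outrun them (the quarterly 120-day rotation check), as an added PowerShell example that is not part of the original post. One caveat worth knowing before touching the GPOs: for domain accounts, the password settings in a GPO only take effect when the GPO is linked at the domain root (in practice, the Default Domain Policy); a GPO with a different maximum age linked to the IT/Admin, Domain Users, or Service Accounts OU only changes local accounts on the computers in that OU. Different maximum ages per population are therefore done with fine-grained password policies (PSOs) applied to groups, which is what this script does. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and the group names IT-Admins and Service-Accounts, which are placeholders; the 120-day value is the low end of the 120-365 range listed for service accounts.

```powershell
# Added example (not from the original post): enforce the password-age tiers with
# fine-grained password policies and report stale passwords. Assumes the
# ActiveDirectory module (RSAT) and Domain Admin rights; group names are placeholders.
Import-Module ActiveDirectory

# Lower Precedence wins when a user is in more than one group, so an admin who is
# also in Domain Users gets the 60-day policy and a service account gets 120 days.
$Tiers = @(
    @{ Name = 'PSO-Admins';   Group = 'IT-Admins';        MaxAgeDays = 60;  Precedence = 10 }
    @{ Name = 'PSO-Services'; Group = 'Service-Accounts'; MaxAgeDays = 120; Precedence = 20 }
    @{ Name = 'PSO-Users';    Group = 'Domain Users';     MaxAgeDays = 90;  Precedence = 30 }
)

function Set-PasswordAgeTier {
    foreach ($t in $Tiers) {
        $maxAge = New-TimeSpan -Days $t.MaxAgeDays
        $pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($t.Name)'"
        if ($null -eq $pso) {
            # The remaining settings are illustrative; align them with the written policy
            New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
                -MaxPasswordAge $maxAge -MinPasswordAge (New-TimeSpan -Days 1) `
                -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
                -ReversibleEncryptionEnabled $false -LockoutThreshold 10 `
                -LockoutDuration (New-TimeSpan -Minutes 30) `
                -LockoutObservationWindow (New-TimeSpan -Minutes 30)
        } elseif ($pso.MaxPasswordAge -ne $maxAge) {
            # Drift from the tier table is corrected, everything else is left alone
            Set-ADFineGrainedPasswordPolicy -Identity $t.Name -MaxPasswordAge $maxAge
        }
        # Apply the PSO to the group only if it is not already a subject
        $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $t.Name |
                      Select-Object -ExpandProperty Name)
        if ($t.Group -notin $subjects) {
            Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
        }
    }
}

function Get-StalePasswordReport {
    param([int]$CeilingDays = 120)   # the quarterly "older than 120 days" rotation limit
    # Compare each enabled account's password age with its resultant policy (the PSO
    # that wins for it, otherwise the domain default). Accounts flagged
    # PasswordNeverExpires are included on purpose: the checklist wants them rotated too.
    $domainMax = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $rsop = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
            $maxAge = if ($rsop) { $rsop.MaxPasswordAge } else { $domainMax }
            # A zero MaxPasswordAge means "never expires" at the policy level; the ceiling still applies
            $limit = if ($maxAge.TotalDays -gt 0) { [math]::Min([int]$maxAge.TotalDays, $CeilingDays) }
                     else { $CeilingDays }
            $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Policy               = if ($rsop) { $rsop.Name } else { 'DefaultDomainPolicy' }
                LimitDays            = $limit
                PasswordAgeDays      = $ageDays
                PasswordNeverExpires = $_.PasswordNeverExpires
                Stale                = ($null -eq $ageDays) -or ($ageDays -gt $limit)   # never set counts as stale
            }
        } | Where-Object { $_.Stale }
}

Set-PasswordAgeTier
Get-StalePasswordReport | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Run the report before the tier function the first time, so you know how many accounts will go past their new maximum age on the day the PSOs land; otherwise a large part of the user base expires at once. The report is also the evidence for item 2: anything it lists with a Policy of DefaultDomainPolicy is an account the PSOs are not catching.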

NIST 800-171 Compliance - Monthly Checklist

The list below states who and what. It’s partially up to you to determine the final thresholds and timelines. Generally, doing less, but consistently and thoroughly, is better than doing more inconsistently or incompletely. Do what you can, do it well, and stay the course.

  1. IT Team: Review employees with admin privileges
  2. IT Team: Review access rights for all users with elevated privileges
  3. IT Team: Review access records related to users with elevated rights; ensure actions taken are approved and appropriate
  4. IT Team: Review access records related to employees hired within the last 60 days
  5. IT Team: Compare the list of employees terminated during the last 60 days with the list of currently active accounts; disable any user accounts belonging to terminated employees; also review the list of all system accounts
  6. IT Team: Review access records related to employees terminated within the last 60 days
  7. IT Team: Review overall access records and events for drives containing CUI; ensure logging is functioning as expected and that all user actions on CUI are being tracked and documented
  8. IT Team: Scan the local network for unknown devices
  9. IT Team: Ensure necessary updates are completed for all systems that process, store, or transmit CUI
  10. Compliance Officer: Conduct an inventory of hard-copy documents containing CUI and compare it with the previous month's checks to ensure all document copies are destroyed, stored, or delivered appropriately
  11. IT Team: Sample 10% of systems to ensure backup or alternative systems function properly
  12. IT Team: Sample 10% of systems to ensure change management policies are valid, processes are being followed, results of changes are measured, and documentation is complete
  13. Compliance Officer: Review 75 random hours of surveillance footage at high speed to ensure the system is functioning as expected during the appropriate hours
  14. IT Team: Review cryptographic connection requirements in GPO, browser settings, and firewalls to ensure acceptable standards are met on a sample of 10% of systems
  15. IT Team: Check hard drive encryption
  16. Office Manager: Inventory all media containing sensitive or confidential data that is not encrypted; document the reasons for not encrypting it; determine whether stronger protections are available and applicable for each item
  17. Compliance Officer: Review files stored on shared drives for sensitive or confidential files
  18. Compliance Officer: Physically inspect secure areas to ensure locks and protections are in good working order
  19. Compliance Officer: Review all NDAs, ensure they are current, and update as necessary
  20. IT Team: Bundle all auto-generated antivirus report tickets for the previous month into the compliance check ticket
  21. IT Team: Verify Group Policy (“gpresult” output) on 10% of total workstations; this output should be reported by scripts that run automatically on each workstation. Just review the script output and make sure it is accurate, appropriate, and consistent
  22. IT Team: Verify Flash is set to "Click to play" on 10% of total workstations
  23. Compliance Officer: Send an email reminder to employees regarding their job-related maintenance of required skills and qualifications
  24. Office Manager: Inventory all plain-text media containing sensitive or confidential data, with reasons for using lower standards; determine whether stronger protections are available and applicable for each piece of media
  25. IT Team: Review a sample of 10% of tickets related to servers, firewalls, or network architecture; ensure a rollback strategy is documented in each ticket and that a second individual is reviewing the effectiveness of the changes implemented
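The terminated-employee reconciliation in items 5 and 6 (and the same review in the quarterly and yearly lists) is the kind of check that goes wrong when it is done by eyeballing two lists. Below is an added PowerShell example, not code from the original post, that does the comparison from HR's termination export. It assumes the ActiveDirectory RSAT module, that AD user objects carry the HR employee number in the employeeID attribute, and an export with EmployeeID and TerminationDate columns; the CSV in the script is constructed sample data. It reports by default and only disables accounts when run with -Disable.

```powershell
# Added example (not from the original post): reconcile HR terminations with AD.
# Assumes the ActiveDirectory module (RSAT), employeeID populated on user objects,
# and an HR export with EmployeeID and TerminationDate columns. The CSV below is
# constructed sample data; dates are generated so one row falls inside the 60-day
# window and one outside it.
Import-Module ActiveDirectory

$TerminationsCsv = @"
EmployeeID,Name,TerminationDate
10042,Jane Doe,$((Get-Date).AddDays(-20).ToString('yyyy-MM-dd'))
10077,John Roe,$((Get-Date).AddDays(-95).ToString('yyyy-MM-dd'))
"@

function Get-OffboardingFinding {
    param(
        [Parameter(Mandatory)] [object[]]$Terminations,   # rows from the HR export
        [int]$LookbackDays = 60,                          # the checklist's 60-day window
        [switch]$Disable                                  # actually disable what is still enabled
    )
    $since = (Get-Date).AddDays(-$LookbackDays)
    foreach ($t in $Terminations) {
        $termDate = [datetime]$t.TerminationDate
        if ($termDate -lt $since) { continue }            # outside this month's review window

        # Match on employeeID rather than display name so renames and duplicate names
        # cannot hide an account; more than one object per person is itself worth seeing
        $users = @(Get-ADUser -Filter "employeeID -eq '$($t.EmployeeID)'" `
                              -Properties employeeID, LastLogonDate, memberOf)
        if ($users.Count -eq 0) {
            # Either already deleted or never provisioned; HR and IT records disagree either way
            [pscustomobject]@{ EmployeeID = $t.EmployeeID; SamAccountName = $null
                               Status = 'NoAccountFound'; LoggedOnAfterTermination = $null; GroupCount = $null }
            continue
        }
        foreach ($u in $users) {
            # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a
            # 14-day lag: a logon after the termination date is a definite finding, but an
            # absent one is not proof of no access; the SIEM's logon events settle that.
            $loggedOnAfter = ($null -ne $u.LastLogonDate) -and ($u.LastLogonDate -gt $termDate)
            $status = if (-not $u.Enabled) { 'AlreadyDisabled' }
                      elseif ($Disable) {
                          Disable-ADAccount -Identity $u
                          Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): terminated $($t.TerminationDate)"
                          'DisabledNow'
                      } else { 'StillEnabled' }
            [pscustomobject]@{
                EmployeeID               = $t.EmployeeID
                SamAccountName           = $u.SamAccountName
                Status                   = $status
                LoggedOnAfterTermination = $loggedOnAfter
                GroupCount               = @($u.memberOf).Count   # memberships still to strip
            }
        }
    }
}

$terminated = $TerminationsCsv | ConvertFrom-Csv
# Report only; add -Disable once the output has been reviewed
Get-OffboardingFinding -Terminations $terminated | Format-Table -AutoSize
```

Keep the report output with the month's compliance ticket: a StillEnabled row with LoggedOnAfterTermination set to True is exactly the access record item 6 asks you to review, and the GroupCount column shows accounts that were disabled but never had their group memberships and shares cleaned up.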
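Items 14, 15 and 21 are all sampled host checks, and the yearly GPO cryptographic-standards item is what the first of them verifies on the ground, so they are easiest to run as one remote scriptblock. The following is an added PowerShell example, not code from the original post. It assumes the ActiveDirectory RSAT module, WinRM enabled on the workstations, and local admin rights on them; the TLS baseline (SSL 2.0/3.0 and TLS 1.0/1.1 explicitly disabled, TLS 1.2 explicitly enabled) and the expected GPO names are assumptions to replace with the organization's own standard. A protocol key that was never set is reported as unset rather than treated as compliant, because a GPO-managed baseline should have written an explicit value.

```powershell
# Added example (not from the original post): monthly sampled host checks for TLS
# settings (item 14), disk encryption (item 15) and applied Group Policy (item 21)
# against a random 10% of workstations. Assumes the ActiveDirectory module (RSAT),
# WinRM on the workstations and local admin rights there. The TLS baseline and the
# expected GPO names are assumptions.
Import-Module ActiveDirectory

$HostCheck = {
    # Item 14: SCHANNEL protocol switches. 0 = must be disabled, 1 = must be enabled.
    $baseline = @{ 'SSL 2.0' = 0; 'SSL 3.0' = 0; 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 1 }
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $tlsFindings = foreach ($proto in $baseline.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $root "$proto\$side"
            $raw = if (Test-Path $key) { (Get-ItemProperty -Path $key).Enabled } else { $null }
            # Windows treats any non-zero DWORD (often 0xFFFFFFFF) as enabled; normalise to 0/1
            $state = if ($null -eq $raw) { 'unset' } elseif ($raw -eq 0) { 0 } else { 1 }
            if ($state -ne $baseline[$proto]) { "$proto/$side=$state" }
        }
    }

    # Item 15: the OS volume must be fully encrypted with protection on (not suspended)
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $encrypted = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($os.ProtectionStatus -eq 'On')
    } catch { $encrypted = 'BitLocker module unavailable' }

    # Item 21: GPOs actually applied to the computer, read from gpresult's XML report,
    # compared with the set that should be linked to every workstation
    $expectedGpos = @('Default Domain Policy', 'WS-Security-Baseline')   # placeholder names
    $tmp = Join-Path $env:TEMP 'rsop.xml'
    gpresult /SCOPE COMPUTER /X $tmp /F | Out-Null
    [xml]$rsop = Get-Content -Path $tmp -Raw
    $applied = @($rsop.Rsop.ComputerResults.GPO |
        Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' -and
                       $_.FilterAllowed -eq 'true' -and $_.AccessDenied -eq 'false' } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        TlsFindings      = ($tlsFindings -join '; ')
        OsDriveEncrypted = $encrypted
        MissingGpos      = (@($expectedGpos | Where-Object { $_ -notin $applied }) -join '; ')
        UnexpectedGpos   = (@($applied | Where-Object { $_ -notin $expectedGpos -and $_ -ne 'Local Group Policy' }) -join '; ')
    }
}

# Draw the 10% sample fresh each month so the same machines are not checked every time
$all = @(Get-ADComputer -Filter { OperatingSystem -like '*Windows 10*' } | Select-Object -ExpandProperty Name)
$sample = $all | Get-Random -Count ([math]::Max(1, [math]::Ceiling($all.Count * 0.10)))
$results = Invoke-Command -ComputerName $sample -ScriptBlock $HostCheck -ErrorAction Continue
$results | Select-Object Computer, OsDriveEncrypted, TlsFindings, MissingGpos, UnexpectedGpos |
    Export-Csv -Path ".\host-check-$(Get-Date -Format 'yyyy-MM').csv" -NoTypeInformation
```

An empty TlsFindings, MissingGpos and UnexpectedGpos with OsDriveEncrypted True is a clean host; anything else goes into the month's compliance ticket. Hosts that do not answer WinRM show up as errors rather than rows, and a machine you cannot reach is a finding in its own right, so keep the error stream, not just the CSV.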