Configuring Technical Safeguards
|Reviewing the Configuration of Technical Safeguards at USAID Mission|
|January 23, 2001|
|CIO Council Security Practices Subcommittee (SPS)|
|United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team|
|1.7||Level of BSP|
|1.8||Security Processes or other Framework(s) Supported|
|In the Security Process Framework: Technical Security/Operate/Administer Technical Security Safeguards/Monitor Security Safeguards. |
In the SSE CMM Framework: Monitor Security Posture /Monitor Security Safeguards.
|Not to be completed by the drafter|
|1.10||Points of Contact|
|Government BSP Owner: |
|2.0||What This BSP Does|
|This BSP discusses how to review the technical configuration of the security mechanisms of selected operating systems, network operating systems, and firewalls, and, if the configuration is not secure, to reconfigure the mechanisms at USAID missions worldwide. The procedures efficiently blend remote monitoring with onsite validation. |
This section provides a checklist designed to assess the UNIX operational security posture of an organization. Individual line items in the UNIX checklist that are checked "No" should be documented in the Justifications section of the checklist.
This section provides a checklist for configuring the security of an NT 4.0 system.
The checklist contains items relative to physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified.
Individual line items in the Windows NT checklist that are checked "No" should be documented in the Justifications section of the checklist.
This section provides a checklist for configuring the security of a BANYAN VINES-based system.
The checklist contains items relative to the physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified. Personnel using this checklist are cautioned that, because there are several variants of the basic BANYAN VINES operating, additional configuration requirements may be necessary.
Individual line items in the Banyan checklist that are checked "No" should be documented in the justifications section of the checklist.
Microsoft Proxy Server
This section provides a checklist to assess the Microsoft Proxy Server operational security posture of an organization. Individual line items in the Microsoft Proxy Server checklist that are checked "No" should be documented in the Justifications section of the checklist.
Network Review (General Security Checklist)
This section provides a checklist to assess the physical, operational, and administrative security posture of an organization. Individual line items that are checked "No" should be documented in the Comments section.
|2.2||Requirements for this BSP|
|OMB A-130 Appendix III: |
|Below is correspondence from an organization expressing their appreciation for raising their security posture through the use of this Risk Assessment Process. |
Subject: COMPUTER SECURITY TEAM VISIT
Source: David Bayer, USAID Peru Executive Office
If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.
And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.
Computer security is becoming an important issue in for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.
|3.0||What This BSP Is|
|3.1||Description of BSP|
Step 1. Determine the operating system on each target system host(s).
Step 2. Determine the IP addresses associated with each operating system on the target system host(s).
Step 3. Run the tool appropriate for the system(s) being reviewed to determine where configuration problems exist. (see Tools Section 4.4)
Step 4. Document problems, evaluate and obtain patches/fixes.
Step 5. Conduct an on-site visit to the organizations whose system(s) is being verified.
Step 6. Complete the Checklist as each item is verified/corrected. Items not found on the checklist should be analyzed and appropriate action taken. Items implemented as a result of the analysis should be submitted for addition to the OS checklist.
Step 7. Coordinate and document all changes with Application owners as well as the system administrators.
Step 8. Run the tool appropriate for the system being reviewed to determine that the configuration problems have been resolved. Document any remaining vulnerability.
Step 9. Prepare the Final Report and forward to the organization's ISSO, the reviewed system's owner, and other appropriate parties.
|The results of the Technical Safeguard Configuration review are contained in the overall final report of the mission's cyber-security assistance visit report. A template of that report's table of contents is attached.|
|3.2||Relationship to Other BSPs|
|This BSP comprises a sub-set of the total integrated process for conducting a cyber-security assistance visit at USAID missions worldwide.|
|4.0||How To Use This BSP|
|Having the Administrator of the system being reviewed work closely with the individual conducting the review can enhance the efficiency of this process.|
|4.2||Implementation Resource Estimates|
|Personnel: Operating System Administrator or knowledge equivalent. |
Time per System/Device:
|4.3||Performance Goals and Indicators (Metrics)|
|General Goal: To eliminate those security vulnerabilities associated with the configuration of the subject systems. |
Performance Goal: To identify existing vulnerabilities, define and implement countermeasures, and verify solution effectiveness.
Outcome Goal: Known vulnerabilities will be resolved. Unresolved vulnerabilities will be documented for further analysis and resolution development.
Output goal: To achieve compliance with OMB A130 guidelines.
General Objective: To protect automated information systems against potential threats.
Performance Indicator: The results obtained from each system scan/evaluation will provide metrics for determining requirements for repetition interval.
|The tools used to perform the Technical Safeguards Configuration Review are the configuring mechanisms provided with the subject systems and selections from the available configuration scanning tools. The tools shown here are configuration scanners in general use that have been found effective in past network surveys. Because new vulnerabilities can be discovered at any time, other tools should be evaluated and may be used if they augment the functions included in this list. The latest versions of all tools should be used:|
|User guides and materials for the above listed tools|
|A||Executive Overview and Briefing|
|The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principle Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C|
|Not yet evaluated.|
|Version 1.0 of the BSP was reviewed after conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December, 2000. The review has determined the original BSP remains valid and has incorporated minor editorial revisions.|