Network & Cloud
Version 0.9 -- This Health-Check list is in DRAFT stage of development.
The purpose of the Cybersecurity Health-Check is to help organizations evaluate themselves and others they do business with against a set of common cybersecurity program best practices. The health-checks are divided into key cybersecurity oriented realms which support a full IoT solution; and will also apply to other non-IoT specific solution segments.
These Health-check lists are not meant to be all encompassing security controls programs, but to instead help gauge the health and overall due diligence of the organization's cybersecurity program. At the same time, they are also quite comprehensive in terms of key, industry best-practice security controls that will frame a robust cybersecurity program for any organization.
This Cybersecurity Health-Check list of security controls can be used as a direct gauge of where an organization falls in terms of the health and maturity of its cybersecurity program. They can also be used more generally as a controls list to be drawn upon for requirements or compliance purposes.
The "health-check" of evaluating a cybersecurity program is determined by reviewing each control relative to both a Usage Context, and a Degree of Usage Rating, as shown here below:
- In/for Enterprise Network
- In/for Production Network
Degree of Usage Ratings
- Not Used
- Partial--Ad Hoc/Informal
network & cloud - control Points
The Information Security program is managed by a dedicated Executive Security Leader.
Security Operations/Engineering is managed by a dedicated Executive Security Leader.
Operating resources are assessed and ranked for business criticality and security risk.
Internal cybersecurity reviews are conducted/overseen by dedicated internal security staff.
Risk management processes oversee agreed upon risk acceptance and mitigation measures.
Data classification and privacy guidelines establish data handling and usage restrictions.
Practices outlined in the IoT-SI: Security Design Best Practices are generally adhered to.
System asset inventory of company computing systems is maintained.
Environment software inventory is maintained.
Network ingress and egress control of ports and services based on minimal need.
Implemented and validated hardened DNS and WAN routing configurations.
Domain Name System Security Extensions (DNSSEC) is in use.
External services are screened by a full-reverse proxy or stateful firewall.
Protection and mitigation measures to combat Denial of Service attacks on Internet facing services.
Minimum yearly review/audit of firewall rulesets.
Firewall & router configurations are under change/configuration management.
Periodic review/audit of Administrative server and network access/accounts.
Dedicated security patching operations for server OS and application layer.
Dedicated security patching operations for layer 2 and 3 network appliances.
Remote administration of servers and layer 2/3 appliances use only encrypted communications.
Remote network access to LAN/WAN requires two-factor authentication (i.e. public key, OTP, U2f).
Remote system administration requires two-factor authentication (i.e. public key, OTP, U2f).
Direct server console access requires two-factor authentication (i.e. public key, OTP, U2f).
Active management of remote network access authorization and approval.
Logging and periodic audit of all remote network access.
Centralized jump servers or security gateways for Production system administration access.
Transport Layer Security (TLS) versions 2 and 3 only are functional for TCP HTTPS/TLS services.
Minimum public key sizes of 2,048 bit RSA and 512 ECC or comparable for operations use.
Production cryptographic keys stored and managed in an HSM-based key management system.
Privileged system service accounts are actively managed.
Network-based intrusion detection/prevention systems for network traffic.
Network-based breach or anomaly detection systems for network traffic.
Email content/attachment filtering security gateway for employee email.
Able to send encrypted email and files cross-organization and over the Internet.
SPF, DKIM, and DMARC in use for email systems.
Internet-facing web, application, and database services run on separate systems or instances.
Systems and services are logically compartmentalized/segregated in the network.
Perimeter network is regularly scanned for vulnerable configurations, services and web applications.
Security baseline configuration-sets for servers are used & maintained.
Security baseline configuration-sets for layer 2/3 systems are used & maintained.
Direct change & configuration management of server and layer2/3 systems.
Regular internal network vulnerability scanning of all server services.
Regular internal network vulnerability scanning of all layer 2/3 system services.
Servers log and alert system security events and operational faults.
Layer 2/3 systems log and alert system security events and operational faults.
Secondary, centralized logging of [near] real-time security event logging.
Regular root/admin-level host configuration security assessment of servers and layer 2/3 systems.
Host-based intrusion detection/prevention or OS integrity control tools on critical server systems.
External perimeter manual penetration testing of systems and services.
Internal network manual penetration testing of systems and services.
Periodic security reviews/assessments performed by independent third party.
Periodic Google-hacking exercise of the organization’s Internet resources.
Documented security procedures prescribe the handling of physical backup media.
Controlled physical access to Production-Operations facilities and monitored 24 hours.
Two-factor authentication/verification for all physical access to network operations facilities.
Controlled physical access to Corporate-Employee facilities and monitored 24 hours.
All internal company WIFI uses 802.1x based security control measures for access.
Ongoing monitoring for and shutdown of unauthorized WIFI access points in facilities.
Intrusion detection/prevention is deployed on WIFI access point networks.
External partner network connections are logically compartmentalized from company operations.
OWASP security configuration and testing best practices are leveraged for operation of web services.
Yearly cyber breach-detection audits conducted on network environments.
Company products and services utilize Bug Bounty programs.
Clear communication channels for the public to submit security vulnerabilities online.
Social-engineering awareness training is provided to employees.
VIP employees and groups are identified and provided Digital-OPSEC awareness training.
VIP-classed employees and groups are provided enhanced security protections.
Documented policy-guidelines for password uniqueness across all non-SSO system & service layers.
Documented policy-guidelines requiring and instructing password strength/complexity.
Disaster recovery & business continuity process and resources established and validated.
Incident response process and resources established, validated, and reviewed.
Security Information and Event Management (SIEM) platform centralizes threat intelligence data.
Process and resources are in place for monitoring and responding to security events/incidents.
Dedicated security personnel are in place to monitor and respond to critical security events/incidents.
LAN Ethernet ports are active-controlled and managed for necessary and intended usage.
Remote access support and security access change requests are pre-validated out-of-band.
Process, procedures, and tools exist to properly sanitize/destroy sensitive media and systems.
Employee smartphones with corporate email and/or remote access are managed by the Enterprise.
Senior Leadership and key-Operations Support use managed smartphones that receive OS updates.
IT controls are audited annually by an audit/security services firm against SSAE-16 SOC-2 Type 2.
Subsidiaries and Vendors contractually adhere to agreed security standards, guidelines, and practices.
Inventory & management of open source software libraries used s maintained.
Application code Is under change and configuration management.
Systems to notify on new public vulnerabilities for software, libraries, and systems in use.
Operations and Product personnel receive relevant new vulnerability notifications.
Practices outlined in IoT-SI Cybersecurity Health-Check: Product Development are adhered to.