NSA - Community Gold Standard Framework v2.0

The CGS framework encompasses four overarching cybersecurity functions: Govern, Protect, Detect, and Respond & Recover. These cybersecurity functions focus on the capabilities and activities required to provide confidence in cyberspace.

• Govern: Guidance for agencies to fully understand the enterprise mission and environment, manage portfolios and resources, ensure the workforce is informed and engaged, and establish resilience across the enterprise.

• Protect: Guidance to help the enterprise safeguard the physical and logical environment, assets, and data.

• Detect: Guidance to help identify and defend against vulnerabilities, anomalies, and attacks on the physical and logical elements of the enterprise.

• Respond & Recover: Guidance for efficient response mechanisms to address threats and vulnerabilities.

Strong governance provides a foundation for the protection and defense activities that support and sustain enterprise resilience. Governance helps the enterprise ensure mission effectiveness during standard operations and in the presence of adversarial elements. Additionally, the Govern capabilities establish processes to securely obtain, maintain, and understand resources within the enterprise.

With the support of the Protect, Detect, and Respond & Recover capabilities, the Govern capabilities guide mission assurance before, during, and following incidents. Actively establishing plans and procedures for addressing security incidents and emergency situations helps the enterprise quickly and adequately maintain and restore data and network activity.

Understanding mission(s), goals, objectives, and success criteria is critical to managing successful and secure operations. Mission objectives assist an organization in meeting goals such as understanding how data, information services, and information transactions support specific missions. It is important for personnel at all levels to understand how their efforts support these mission objectives.

• Each enterprise should identify and understand its unique operational objective(s) and supporting missions.

• Determine and document the key measure(s) for mission success.

• Define both core and related missions, prioritizing them with respect to enterprise goals and objectives.

Mission security priorities may change due to evolving threats to the environment; therefore, mission sustainment and risk reevaluation are critical to ensure overall mission objectives are met. Organizations must make informed mission assurance decisions by understanding how data supports missions and what risks are present within their environments.

• Review consolidated data flow information on an ongoing basis to support near-real-time risk management.

• Prioritize data flows based on the risk to mission needs including data protection, data availability, and critical function continuity.

Ensuring quality of service to operational components is a key enabler of mission success, and effective communication is an integral part of that process. Data performance and enterprise utilization thresholds must be closely managed to facilitate decision making, improve performance, and increase accountability.

The Understand the Environment capability defines physical and logical environments, and identifies physical and logical threats facing the enterprise.

The global nature of enterprises and the threats facing them necessitate an understanding of the factors within the external physical environment (e.g., location and socio-political considerations) and internal logical environment (e.g., network architecture and data flows) that may impact security needs.

An understanding of the logical environment is a critical foundational element in establishing enterprise baselines, identifying risks, and facilitating network security.

• Conduct real-time (or near real-time) automated mappings of all network components, using manual means when automation is not possible.

• Map both internal and external network boundaries.

• Identify the risk(s) that each enterprise network boundary introduces.

• Document mission-supporting data flows, articulating how data supports mission elements.

An understanding of enterprise physical and logical environments enables the use of threat intelligence.

• Select authoritative sources of threat information.

• Categorize threat sources by capability, intent, and targeting characteristics (for adversarial threats) or range of potential effects (for non-adversarial threats).

• Prioritize threat information, and inform appropriate security personnel and affected organizations.

• Determine the likelihood of identified threats in order to prioritize mitigations.

Enterprise policies are developed in accordance with overarching laws and regulations in coordination with key enterprise elements to provide a critical foundation for enterprise security programs.

• Identify overarching policies, procedures, and standards (IA policies) to provide oversight for IA/cybersecurity throughout the enterprise.

• Identify the purpose of the policy, implementation mechanisms, and outcomes.

• Develop an implementation plan for enterprise policies, including timeframe and activities.

• Test new or modified policies for adverse conditions prior to enterprise implementation.

• Delegate necessary authorities and resources to implementers assigned to execute IA policies.

• Develop system-level policies and procedures only when necessary to provide additional implementation details for enterprise-level guidance.

• Review policies, standards, and procedures for necessary updates when policies or processes change, or when significant technological advances impact established policies.

• Perform periodic reviews to identify and address gaps, and to ensure continued effectiveness and applicability.

• Enforce IA policies, including digital policies, consistently across the organization.

Securely obtaining technology, facilities, and services presents challenges in a globally integrated economy. Threats to the secure procurement process may come from either internal or external sources; without strict acquisition security, even trusted vendors may introduce supply chain risks. In addition, the nature of the global supply environment introduces another layer of supply chain risk to the enterprise. It is essential that organizations comply with all applicable acquisition laws and regulations while balancing risk, enterprise needs, and resource constraints.

Product and service requirements must be clearly defined to facilitate a smooth acquisition process.

• Develop and document system and services acquisition policy and procedures.

• Conduct an annual review of acquisition policies.

• Ensure that acquired products do not cause undue risk to the enterprise, and that they are cost-effective.

• Verify quality performance and establish trusted relationships with vendors to limit supply chain security breaches.

• Ensure that third-party suppliers who are not value-added resellers do not tamper with or modify a product between the time the original supplier produces it and the purchasing enterprise receives it.

• Once a proposed acquisition has been evaluated against stated requirements, custody of procured goods and services must be transferred in a secure manner.

Secure lifecycle management addresses the phases of a system (i.e., hardware, software, or combined solution), including conception, design, development, implementation, operation, maintenance, and disposal. Lifecycle management includes the interactions of people, processes, and technology, while addressing the need to introduce and embed security at the earliest possible phase in the development of new IT systems (e.g., infrastructure and custom-developed software). It is imperative that systems and software are installed following the approved implementation plan, since most enterprise vulnerabilities result from poor configurations.

The initiation phase enables the organization to document the purpose for a proposed system, while identifying the requisite enterprise security requirements and controls.

• Identify and document business requirements that must be addressed by any proposed solution.

• Integrate IA requirements into all system and acquisition requirements.

• Identify key security roles.

• Evaluate the security requirements for information that will be processed, transmitted, or stored.

• Determine and document requirements based on confidentiality, integrity, and availability.

• Conduct a criticality analysis to identify mission critical functions and critical components.

• Tailor controls in accordance with organizational security posture and system or software security categorization.

• Develop an assurance case to demonstrate how critical security requirements will be met in the anticipated environment(s).

Design and development plans incorporating traceable system requirements and tailored security controls provide secure and maintainable systems.

• Ensure designers and developers understand security requirements.

• Create detailed system and security design specification documentation.

• Specify interfaces between the system and other network components.

• Enforce secure software development practices commensurate with system risk within development teams.

• Conduct risk assessments to supplement baseline security controls.

• Perform functional and security testing.

The test phase validates the security of the proposed system, in preparation for implementation.

• Conduct integration testing to ensure introducing the system or software into the environment will not negatively impact the organizational security posture.

• Employ an independent testing team to perform security control testing in a segregated environment that emulates the organization's operational needs.

• Test and evaluate systems being developed or modified prior to implementation, using functional, developmental, and security testing processes.

• Ensure that acceptance tests are scoped to specific security requirements and are iterated a number of times in order to verify consistency in results.

• Utilize automated testing tools when possible.

To ensure accurate operability, systems must be maintained, reviewed, and assessed.

• Automate enterprise maintenance activities and records, where possible, to facilitate maintenance control.

• Conduct periodic operational reviews to ensure unplanned modifications to the system have not occurred.

• Ensure all system changes are approved through the enterprise change management process and a Change Control Board (CCB) documents the process.

• Reauthorize the system, as appropriate, when modifications are performed.

Systems and software must be sanitized and removed from the enterprise when they are no longer needed.

• Develop a disposal/transition plan to include the necessary steps, decisions, and approvals to close down or move information residing on a system.

• Sanitize media by utilizing organization approved equipment and procedures to ensure confidentiality on a network system.

• Periodically test the equipment and procedures used to perform sanitization.

The Information Assurance (IA) Training capability reinforces the importance of a well-informed workforce on the principles of data integrity, network security, and assuring information. IA awareness is limited to activities that focus an individual's attention on a security issue. Building strong information security awareness establishes required baseline security behaviors for the entire workforce. Through role-based training, staff skills are maintained and frequently updated to ensure effectiveness in countering enterprise threats. Implementing a robust training and awareness program is essential to enterprise security.

• Personnel must complete required trainings and obtain appropriate certifications to remain compliant with organizational and community standards.

• Ensure IA awareness programs address technical, physical, personnel, and environmental concerns.

An enterprise needs to align functional roles with qualified staff resources to accomplish objectives.

• Define and document roles and authorities along with assigned position responsibilities.

• Develop a security training policy that addresses the following areas: purpose, roles and responsibilities, management commitment, coordination among organizational entities, and compliance requirements.

• Hold personnel accountable for compliance with training policies and procedures.

• Use a centralized performance management system to track personnel training requirements and completed training.

• Provide role-based training to ensure situational awareness, proper knowledge transfer, and targeted skill development to accomplish mission objectives.

The Protect cybersecurity function secures and ensures access to information. Procurement of facilities and systems is managed through the Govern capabilities, whereas the Detect function assesses the effectiveness of Protect measures (i.e., a system should be tracked via the Hardware and Software Inventory capability before it is hardened within the Configuration Management capability).

The Protect capabilities establish defense in depth, beginning with physical measures and progressing through the network architecture, device configuration, and securing data. The capabilities also establish identity and access management for a system or user by creating an identity, assigning respective attributes and metadata (including privileges) to an entity, providing respective credentials, and controlling access.

The Physical Protection capability controls physical access and secures enterprise facilities, resources, and utilities. Protections must be implemented to defend against outages, malicious activity, and natural disasters and to maintain availability of physical resources. Physical protection safeguards personnel as well as enterprise information.

Planning for physical security involves developing strategies to ensure all aspects of the physical environment, including classified or sensitive information, are properly secured.

• Reconcile the organizational safety plans with the physical security plan to ensure cohesion and compliance with safety requirements.

• Identify facility services (e.g., electrical power, telecommunications, water, and Heating, Ventilation, and Air Conditioning [HVAC]) and prioritize critical services for backup.

• Use both active and passive physical security measures (e.g., guard dogs, bollards, and lighting).

• Enforce dual authorization for privileged or sensitive actions.

• Establish varying levels of physical protections commensurate with the threat environment.

• Implement access control and intrusion detection mechanisms at ingress/egress points and for critical assets.

• Leverage facility blueprints and construction plans to ensure all ingress/egress points and critical assets are secured.

• Change shared access codes (door ciphers) periodically to ensure that only personnel with current authorization and access codes can obtain entry.

• Use biometric, electronic, and/or mechanical access control mechanisms to reduce reliance on fixed security forces.

Classified or sensitive document handling and storage requires secure environments with specific facility requirements.

• Establish specific handling and storage procedures (e.g., control logs, storage safes) for sensitive or classified information.

• Physically destroy sensitive or classified information, in accordance with organization or community policy, to ensure that any residual medium can withstand laboratory reconstruction techniques.

• Maintain chain of custody until sensitive or classified information is destroyed.

The Network Security capability defines security boundaries and controls the exchange of data across security perimeters. Establishing a secure network architecture requires the implementation of mission-aligned enterprise architecture and the adoption of defense-in-depth strategies for the network.

• Establish traffic flow policy (e.g., port filtering and content filtering) for each managed interface, including encrypted traffic.

• Design all managed interfaces using layered and secure protection devices (e.g., firewalls, gateways, routers, cross domain solutions, and email guards) for enclave boundary protection.

• Ensure all managed interfaces are inventoried, physically secured, and protected from tampering.

A secure network requires a multi-tiered architecture and segmentation to protect network resources.

• Establish managed interfaces at network interconnection points to provide bidirectional information screening and filtering, block prohibited traffic, and prevent data leakage.

• Configure managed interfaces to deny all traffic by default and only allow traffic by exception.

• Deny communications with known malicious IP addresses (i.e., blacklist) and limit access to trusted sites (i.e., whitelist).

• Limit the number of external connections.

• Ensure managed interfaces fail securely.

• Create a demilitarized zone (DMZ) for publicly accessible services (e.g., email, web, and domain name system [DNS]).

• Place DMZs as close to the network boundary as possible.

• Limit connectivity to the DMZ to specific hosts in the internal network.

• Ensure sensitive data does not reside on the DMZ.

• Segment the internal network physically and/or logically into multiple sub-networks.

• Use private virtual local area networks (VLAN) for logical segregation.

• Place network security devices at the edge of security domains and at logical network boundaries.

• Provide remote access through a service that provides both confidentiality and integrity assurance, such as a Virtual Private Network (VPN).

• Provide two-way authentication between the remote user and local system each time a connection is attempted.

• Permit encrypted traffic to traverse only approved access points in the case of site-to-site VPN implementations.

• Manage network boundary protection solutions using an out-of-band network.

Proper management and correlation of ports, protocols, and services is required to mitigate risk across the enterprise.

• Identify all available ports, protocols, and services and determine which of these should be allowed based on the mission need and risk to the enterprise.

• Document all ports, protocols, and services that are accessible to the enterprise in a centralized registry.

• Limit the use of ports, protocols, and services by allowing only those required to support the mission and conduct official business.

• Use web and DNS reputation services to detect and block access to malicious web pages.

The Hardware and Software Inventory capability identifies and tracks all hardware and software assets. Hardware and software inventories encompass all assets placed on an enterprise system, and have security implications due to the transfer of data within the system. Identifying all assets within an enterprise assists organizations in maintaining accurate records and provides the ability to detect lost and unauthorized assets, and to prevent threats.

Hardware and software inventories contain information that enables secure configuration management and tracking for each asset, including removable media and wireless access points.

• Employ a consistent naming schema for hardware and software assets.

• Uniquely identify hardware devices.

• Employ automated discovery tools to create a preliminary asset inventory.

• Include information such as hardware inventory specifications, software license information, software version numbers, component owners, machine names, network addresses, manufacturer, device type, model, serial number, and physical location.

• Hold all assets in complete, consolidated, accurate, scalable, up-to-date, and centrally maintained inventory databases.

• Employ active and passive network scanning tools to identify assets on the network.

• Verify or audit the asset database and inventory using either external or internal sources.

• Compare inventories and scanning results to identify unauthorized hardware and software.
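One way to carry out the comparison step above, as an added example rather than code from the CGS framework: an authorized inventory (keyed on the unique hardware identifier and MAC the inventory bullets call for) is reconciled against discovery-scan output. The inventory records, scan results, and the field names used for them are constructed for this illustration.

```python
"""Reconcile an authorized asset inventory against discovery-scan results.

Added illustration, not code from the CGS framework. The record layouts
below (serial, mac, hostname, approved_software, ...) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InventoryRecord:
    serial: str                   # unique hardware identifier from the inventory
    hostname: str
    mac: str
    owner: str
    location: str
    approved_software: frozenset  # "name version" strings approved for this host


@dataclass(frozen=True)
class ScanResult:
    mac: str
    hostname: str
    ip: str
    software: frozenset
    serial: str = ""              # active scans may recover it; passive ones often cannot


@dataclass
class ReconciliationReport:
    unauthorized_hardware: list = field(default_factory=list)  # seen on the network, not in inventory
    missing_hardware: list = field(default_factory=list)       # in inventory, not seen by the scan
    identity_mismatch: list = field(default_factory=list)      # MAC known but hostname/serial differ
    unauthorized_software: dict = field(default_factory=dict)  # hostname -> packages not approved


def reconcile(inventory, scans):
    """Compare inventory records with scan results and return a report.

    MAC addresses are normalised to lower case before matching. A MAC that
    matches but whose hostname or serial differs is reported separately,
    because a MAC alone is not proof of identity (it can be changed).
    """
    by_mac = {r.mac.lower(): r for r in inventory}
    report = ReconciliationReport()
    seen_serials = set()
    for s in scans:
        rec = by_mac.get(s.mac.lower())
        if rec is None:
            report.unauthorized_hardware.append(s)
            continue
        seen_serials.add(rec.serial)
        if s.hostname != rec.hostname or (s.serial and s.serial != rec.serial):
            report.identity_mismatch.append((rec, s))
        extra = s.software - rec.approved_software
        if extra:
            report.unauthorized_software[rec.hostname] = sorted(extra)
    for rec in inventory:
        if rec.serial not in seen_serials:
            report.missing_hardware.append(rec)
    return report


# Constructed sample data: three inventoried assets, three scan hits.
SAMPLE_INVENTORY = [
    InventoryRecord("SN-0001", "WS-001", "aa:bb:cc:00:00:01", "alice", "bldg1-r101",
                    frozenset({"openssh 9.3", "firefox 120"})),
    InventoryRecord("SN-0002", "WS-002", "aa:bb:cc:00:00:02", "bob", "bldg1-r102",
                    frozenset({"openssh 9.3"})),
    InventoryRecord("SN-0003", "PRN-001", "aa:bb:cc:00:00:03", "facilities", "bldg1-r100",
                    frozenset()),
]
SAMPLE_SCANS = [
    ScanResult("AA:BB:CC:00:00:01", "WS-001", "10.0.1.11",
               frozenset({"openssh 9.3", "firefox 120", "putty 0.79"})),
    ScanResult("aa:bb:cc:00:00:02", "LAPTOP-X", "10.0.1.12",
               frozenset({"openssh 9.3"}), serial="SN-0002"),
    ScanResult("de:ad:be:ef:00:01", "unknown", "10.0.1.77", frozenset()),
]


def sample_report():
    """Run the reconciliation on the constructed data."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_SCANS)


if __name__ == "__main__":
    r = sample_report()
    print("unauthorized hardware:", [s.mac for s in r.unauthorized_hardware])
    print("missing hardware:", [m.serial for m in r.missing_hardware])
    print("identity mismatches:", [(a.hostname, b.hostname) for a, b in r.identity_mismatch])
    print("unauthorized software:", r.unauthorized_software)
```

On the constructed data the report flags one unknown device, one printer the scan did not reach, one host whose reported name differs from inventory, and one unapproved package.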

The Configuration Management capability establishes configuration baselines and controls changes made to hardware, firmware, and software.

Configuration management provides a standardized baseline for enterprise information systems. When properly implemented, configuration management enables the organization to establish an agile environment, where changes can be quickly implemented to respond to mission evolution. These changes must be implemented safely to ensure that the enterprise security posture is unaffected, and that risks are managed appropriately. Continuous monitoring, mitigation, remediation, and reporting of system configurations are all necessary elements of a successful configuration management plan.

• Develop configuration management plans at the enterprise, network, and system levels.

• The enterprise-level configuration management plan should set the enterprise baselines and provide for a consistent, coordinated use of configuration management resources throughout the enterprise.

• Network and system devices should be compliant with the enterprise baseline. If mission needs dictate, enterprise leadership may approve deviations from the standard baseline.

• The configuration management plan should document and describe the locations of any network, component, and system configurations used by the enterprise.

• Ensure that Configuration Management Plans are centrally managed, protected, and accessible for reference.

• Review functions and services provided by information systems or individual components of information systems to ensure least functionality is achieved.

• Disable unnecessary and vulnerable ports, protocols, services, and accounts.

• Prohibit unauthorized machine to machine communications.

• Remove all unnecessary executables and registry entries.

• Employ supplemental controls to protect network components that cannot be adequately configured.

• Implement application whitelisting to ensure only authorized software and applications are allowed to execute on the network.

• Deploy software with the latest anti-exploitation features.

  o Obtain patches from a trusted source inventory.

• Maintain and update whitelists when applications are installed, changed, or removed.

• Employ location-based application whitelisting to allow execution of programs only from specific locations in the file systems.

• Create secure baseline images for operating systems (OS) and common application software used by the organization.

• Test configuration changes in a nonproduction environment to determine impact and stability.

• Perform regression testing to verify functionality of configuration changes.

Change Control Boards (CCBs) provide a critical oversight role by considering the risks of each configuration change, and how it will impact the organization's overall security posture.

• Manage configuration changes through an authorized CCB.

• Create emergency procedures to identify proper handling of configuration changes that must be expedited due to mission needs.

• Analyze the security impact of configuration changes through a Configuration Review Board (CRB) and report findings to the CCB.

• Conduct reassessment and reauthorization activities following security-relevant system changes, an attack, or a change in the threat landscape.

• Retain prior configurations to allow for a “rollback” to a previous configuration, should there be an issue with an update.

Effective vulnerability management tracks and remediates potential vulnerabilities to help ensure that system configurations are kept up to date.

• Monitor security sources (e.g., National Vulnerability Database) for known vulnerabilities, threats, and remediations.

• Create a database of remediations for organization implementation.

• Use automated patch management tools to update the remediation database.

Monitoring allows the enterprise to ensure that the system is operating with the correct configuration, and facilitates identification of unauthorized or improperly executed changes.

• Implement and manage tools for secure configuration monitoring.

• Deploy automated validation mechanisms to enforce configuration baselines.
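An added example of the automated baseline validation described above (not code from the CGS framework): observed host settings are checked against the enterprise baseline, leadership-approved deviations exempt a host only while the approval is current, and everything else is reported as drift or a missing setting. The baseline keys, host data, deviation records, and ticket identifiers are constructed placeholders.

```python
"""Validate observed host configurations against an enterprise baseline.

Added illustration, not code from the CGS framework. Baseline keys, fleet
data, deviation records and the ticket ids are constructed for the example.
"""
from datetime import date

# Enterprise baseline: configuration key -> required value (constructed).
BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "firewall.default_policy": "deny",
    "audit.enabled": "yes",
    "telnet.service": "disabled",
}

# Approved deviations: (host, key) -> (allowed value, approval record, expiry).
# Approval records are placeholders, not real change tickets.
APPROVED_DEVIATIONS = {
    ("legacy-scada-01", "telnet.service"):
        ("enabled", "CCB-TICKET-PLACEHOLDER-1", date(2030, 1, 1)),
    ("build-07", "firewall.default_policy"):
        ("allow", "CCB-TICKET-PLACEHOLDER-2", date(2020, 1, 1)),   # lapsed approval
}


def evaluate_host(hostname, observed, today, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Return findings as (key, kind, expected, actual) tuples.

    kind is 'drift' (value differs from baseline), 'missing' (setting not
    reported) or 'expired-deviation' (an approved deviation has lapsed).
    A setting covered by a current approved deviation produces no finding.
    """
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        dev = deviations.get((hostname, key))
        if dev is not None and actual == dev[0]:
            if today <= dev[2]:
                continue                      # deviation still approved
            findings.append((key, "expired-deviation", expected, actual))
            continue
        if actual is None:
            findings.append((key, "missing", expected, None))
        elif actual != expected:
            findings.append((key, "drift", expected, actual))
    return findings


def evaluate_fleet(fleet, today):
    """fleet: {hostname: observed config}. Returns {hostname: findings} for non-compliant hosts."""
    return {host: f for host, obs in fleet.items() if (f := evaluate_host(host, obs, today))}


# Constructed configuration snapshots for three hosts.
SAMPLE_FLEET = {
    "ws-101": {"ssh.password_authentication": "no", "ssh.permit_root_login": "no",
               "firewall.default_policy": "deny", "audit.enabled": "yes",
               "telnet.service": "disabled"},
    "legacy-scada-01": {"ssh.password_authentication": "no", "ssh.permit_root_login": "no",
                        "firewall.default_policy": "deny", "telnet.service": "enabled"},
    "build-07": {"ssh.password_authentication": "no", "ssh.permit_root_login": "yes",
                 "firewall.default_policy": "allow", "audit.enabled": "yes",
                 "telnet.service": "disabled"},
}


def sample_report():
    """Evaluate the constructed fleet as of a fixed date."""
    return evaluate_fleet(SAMPLE_FLEET, date(2025, 6, 1))


if __name__ == "__main__":
    for host, findings in sample_report().items():
        for key, kind, expected, actual in findings:
            print(f"{host}: {key} {kind} (expected {expected!r}, got {actual!r})")
```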

The Data Protection capability secures data from unauthorized modification, destruction, or disclosure. Data is threatened by intentional or unintentional (e.g., human error) attacks. Multiple types and degrees of protections need to be considered to ensure the security of data. Additionally, data within the environment must be protected in each of the three potential states: in transit, in use, and at rest.

• Develop a mitigation response plan to address any sensitive data breaches, integrity failures, and non-availability.

• Develop a plan for data resilience, to include data backup.

• Identify all internal and external communication (e.g., information flows between servers, client hosts, networks, and applications) that needs to be protected.

Identify the protection requirements for all data within the enterprise environment. When identifying requirements, consider the following criteria:

• Type of data to be protected (e.g., PII)

• Type of protection required (e.g., Full Disk Encryption)

• Degree of protection required (e.g., strength of encryption key)

• Conditions within the environment (e.g., who needs access, where the data exists, how it is stored, processed, or transmitted)

To minimize the attack surface, only necessary information should reside on the network, and security measures, such as encryption, should be utilized.

• Segregate data by type (e.g., sensitivity, classification, or regulation levels).

Once implementation measures have been set in place, the maintenance process validates data security on a network.

• Implement data protection solutions that are centrally managed, protected from interference, and persistently available.

• Perform periodic audits of the enterprise to determine if sensitive data is present without protections.

The Identity Management capability definitively associates and maintains globally unique identifiers to verify users and non-human entities. Person and non-person identities must be validated to gain access to sensitive information and locations where sensitive information resides to prevent identity breaches and unauthorized access to information. Unique identifiers are created and issued, distributed, managed, and archived throughout the lifecycle of the identity verification process.

• Require the physical presence of the subject, as well as the validation of multiple authentication factors, for identity proofing in the registration process.

Identity distribution should be consolidated and maintained at the enterprise level.

• Ensure the identity directory is secure and available to enterprise resources for authentication activities.

The Attribute Management capability establishes, publishes, and maintains properties associated with enterprise entities. The Attribute Management capability is responsible for the properties or characteristics (referred to as attributes) associated with entities (e.g., individuals, groups, systems, or components) and data in the enterprise. The binding of attributes with subjects and objects is used to enable data discovery, determine entity privileges, and implement access control policies.

• Ensure entities with attributes that grant privileged access receive additional scrutiny.

• Separate duties to minimize the risks associated with the abuse of authorized privileges.

• Employ the principle of least privilege, ensuring entities are assigned only the necessary attributes to perform duties.

Attributes must be managed and updated to ensure intended access is granted and the security of the attributes is protected.

• Centrally manage attributes within the enterprise through an integrated lifecycle approach, using automated means if possible.

The Credential Management capability creates, issues, and maintains objects (i.e., credentials) that authoritatively bind an identity and attributes to a token possessed and controlled by a subject. Credential Management is the means of asserting digital identity (Identity Management) and permissions (Attribute Management) to create a secure enterprise where only those with a need to know can access information. Operating in a digital environment requires enterprises to control access to their systems.

• The maintenance process provides assurance that credential validity is continued and that credentials are properly revoked when needed.

The Logical Access Control capability authenticates and authorizes entity permissions against a logical resource. Centralized logical access control mitigates risks by working in concert with Credential Management, Identity Management, and Attribute Management to ensure personnel and systems have access to necessary information to support the mission, and that access is not provided to those without a need to know. Logical access control standardizes the way access decisions are made across enterprise information systems.

Authentication is the process of verifying the identity or other attributes claimed by or assumed of an entity (i.e., user, process, or device), or to verify the source and integrity of data.

• Enforce password complexity and expiration requirements.

• Enforce a limit for unsuccessful authentication attempts.

• Enforce multifactor authentication for all entities requesting access to network resources.

• Remove network and remote interactive logon privileges from local, non-service, and administrator accounts.

An enterprise cannot maintain security without vigilance. The Detect cybersecurity function provides guidance to accomplish situational awareness. Protect capabilities may discuss programmatic monitoring, but the Detect function implements the enterprise security monitoring functions. The Detect capabilities establish security monitoring within the enterprise by detecting anomalies and attacks from people, processes, and technology.

The Security Evaluations capability comprehensively analyzes a system or network, identifies vulnerabilities, and provides feedback to system owners. Security evaluations assist organizations with protecting the security posture of the environment by identifying vulnerabilities in systems, networks, architectures, and processes. A combination of continuous vulnerability scanning and independent security evaluation offers the enterprise a means of obtaining objective assessment information. Security evaluations identify weaknesses and provide vulnerability assessment results for leadership to make risk-based decisions for the enterprise.

Determining the appropriate scope and approach of the security evaluation establishes how an organization plans to identify vulnerability gaps within the enterprise.

• Review published vulnerabilities and prior assessment reports to identify known or potential gaps.

• Identify the scope of the assessment.

• Identify a security evaluation approach or set of approaches, including Blue Teams, Red Teams, and internal vulnerability assessments to review the security posture of the enterprise.

• Blue Team: Identifies security threats and risks and provides recommendations to improve the network security posture.

• Vulnerability Assessment: Conducts internal reviews (continuous or periodic) of enterprise networks to assess security, identify gaps, and evaluate applied mitigations.

• Red Team: Emulates adversary attacks and/or exploits against the enterprise to independently identify network vulnerabilities and enterprise defensive capabilities.

• Develop rules of engagement to ensure security evaluations are conducted in accordance with all policy, legal, and enterprise requirements.

Security evaluations may be conducted to assess enterprise or network security postures in support of continuous monitoring, to prepare for external assessments, in response to cyber incidents or suspected vulnerabilities, or as a routine part of system development. Once security evaluation results have been analyzed and documented, mitigation and response strategies are developed, and results are provided to assist stakeholders with assessing their security postures.

• Consider how identified vulnerability trends may affect the enterprise.

• Compose and review analysis to minimize false positives.

• Develop mitigation strategies to address identified vulnerabilities.

• Determine whether to accept or mitigate risks associated with lower priority vulnerabilities.

• Allocate resources to address high-priority vulnerabilities.

• Track and work toward addressing identified vulnerabilities.

• Verify effective mitigations through re-evaluation.

• Collect and share lessons learned across the enterprise and with stakeholders, as appropriate.

The Physical Enterprise Monitoring capability maintains awareness of physical access and the status of enterprise facilities, resources, and utilities, while ensuring that affiliates have and maintain proper authorization and clearances. Within the physical enterprise, facilities and utilities must remain available and monitored to ensure information and operations are not compromised. Careful monitoring of personnel, records, and physical access to these resources reduces risk to the enterprise. As with logical access control, management of physical access is particularly important when dealing with facilities housing classified information.

Unauthorized physical access to systems and facilities poses numerous security risks, including threats to data integrity and personnel safety.

• Use a combination of manual and automated means to detect physical intrusions and provide notification of the presence of unauthorized individuals.

The Intrusion Detection and Prevention capability relies on technology that detects and analyzes events in order to execute appropriate courses of action, including generating alerts, as well as redirecting and blocking anomalous or malicious activity.

Automated intrusion detection and prevention is key to minimizing the number of infected systems and the potential for damage to the enterprise. The concept of defense in depth advocates layered protections, both network- and host-based, throughout the enterprise. By combining automated and manual intrusion detection and prevention, the enterprise gains the ability to respond in near real time to malicious or anomalous activities.

Host and network intrusion detection and prevention systems should be used in concert to address potential threats from multiple vectors.

• Use a combination of active intrusion prevention systems (IPS) and passive intrusion detection systems (IDS).

• Deploy both host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS).

• Use a combination of signature-based, anomaly-based, and manual methods of event identification.

• Employ a combination of vendor provided signatures, custom signatures, and reputation services.

• Ensure intrusion detection and prevention systems react in near real-time and are able to initiate action based on the source and type of threat.

Deploy network-based intrusion detection and prevention (IDP) technologies to the following locations, at a minimum:

• Perimeter firewall

• DMZ

• Logical or physical network segments that house sensitive intranet services, critical resources, or network and security management servers

• Wide Area Network (WAN) junction points between the regional enclave and the local enclave networks

• VPN concentrators

• Remote Access Servers (RAS)

• Tunnel endpoints

• Databases

Proper management is critical to enable prompt response to attacks against the IDP system and to ensure that sensitive information contained on the IDP components is not compromised.

• Manage IDP devices from a centralized location on an out-of-band (OOB) network.

• When tuning devices, conduct analysis to optimally balance security and availability considerations for the environment.

• Monitor and tune IDP devices to increase accuracy; numerous false positives can cause alerts to be ignored and intrusions to remain undetected.

• Establish baselines for the enterprise to ensure abnormal activities are detected.

• Configure IDP products to update signature files and scan engines when vendors publish updates.

• Employ a registry monitor to protect information about installed programs, OS configuration, and recently executed programs.

• Employ a file integrity monitor to report on changes to critical system and application files.

• Employ a process/application behavior monitor to study the behavior of processes that are running on the system and alert if an application attempts some action that is outside of its normal or allowed actions.
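The file integrity monitor called for above is straightforward to build from a hashed baseline. The following is an added example, not code from the CGS document or from any NSA tool: it snapshots a directory tree (SHA-256, size, and permission bits for every regular file), stores the baseline as JSON, and classifies later drift as added, removed, or modified files. The directory layout, file names such as etc/sshd_config, and the "baseline.json" file name are constructed for the demonstration; a deployment would point the snapshot at real system and application paths and keep the baseline on protected, out-of-band storage so an intruder who alters a file cannot also alter the record of it.

```python
"""File integrity monitor: hash a directory tree, store a baseline, report drift.

Added example (not part of the CGS document). The directory tree and file
contents below are constructed in a temporary directory so the script runs
offline; a real deployment would snapshot system and application paths and
store the baseline on protected, out-of-band media.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Record hash, size and permission bits for every regular file under root."""
    records: dict[str, dict] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        records[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return records


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Classify drift between two snapshots; a permission change counts as modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(
            p for p in common
            if baseline[p]["sha256"] != current[p]["sha256"]
            or baseline[p]["mode"] != current[p]["mode"]
        ),
    }


def save_baseline(records: dict[str, dict], path: Path) -> None:
    """Persist the baseline; in production this lives off the monitored host."""
    path.write_text(json.dumps(records, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then alter, delete and add one each."""
    with tempfile.TemporaryDirectory() as watched, tempfile.TemporaryDirectory() as state:
        root, baseline_file = Path(watched), Path(state) / "baseline.json"
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder")
        save_baseline(snapshot(root), baseline_file)

        # Drift introduced after the baseline was taken (constructed):
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content changed
        (root / "etc" / "hosts").unlink()                                  # file removed
        (root / "bin" / "dropped").write_text("unexpected\n")              # file added

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports etc/sshd_config as modified, etc/hosts as removed, and bin/dropped as added. Comparing permission bits as well as content catches the case where a file's bytes are untouched but it has been made world-writable or setuid, which a hash-only monitor would miss.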

The Network Enterprise Monitoring capability employs active and passive network monitoring, at an enterprise level, to achieve situational awareness regarding the state of the network and associated devices. Continuously monitoring enterprise network connections and configurations enables mission activities by ensuring security has not been compromised and data is protected. Security log management enables organizations to maintain accurate records and understand events occurring on a network.

Working in concert, data monitoring, log management, and analysis provide the enterprise with the capability to understand, in near-real-time, its networks, and to offer historical context for network events.

• Develop procedures to guide information processing and to support data fusion and analysis, diagnostics, long-term trend and pattern analysis, and warning communications channels and procedures.

• Employ enterprise-level active and passive network monitoring to detect security- or performance-relevant changes or events.

• Enable near-real-time network monitoring through a managed system of sensors.

• Monitor traffic flow in accordance with the established baseline, and provide notification when traffic flow deviates from this baseline.

• Support failover and redundancy for critical monitoring functions.

• Identify anomalous network traffic and host behavioral changes.

• Provide monitoring results in a standardized format for correlation locally or with peer networks.

• Conduct monitoring activities out of band to ensure information is protected from system disruptions, and that monitoring does not interfere with normal network operations.
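Monitoring traffic flow against an established baseline, identifying anomalous host behavior, and emitting results in a standardized format are three of the items above; the following added example, which is not code from the CGS document, shows how they fit together. It learns a per-host baseline (bytes per five-minute bucket and the set of destination ports used) from a training window of NetFlow-style records, then flags observation-window buckets that deviate from the baseline volume, hosts never seen during the baseline, and destination ports a host did not previously use, and serializes the alerts as JSON for correlation. Every flow record, host address, port, and the k = 3 deviation threshold is constructed for the demonstration.

```python
"""Baseline-deviation detection over NetFlow-style records.

Added example (not part of the CGS document): learns a per-host traffic
baseline from a training window, then flags observation-window buckets whose
volume deviates from it, hosts never seen in the baseline, and destination
ports a host did not use during the baseline. All flow records are constructed.
"""
from __future__ import annotations

import json
import statistics
from collections import defaultdict
from dataclasses import dataclass

BUCKET_SECONDS = 300  # aggregate flows into five-minute bins


@dataclass(frozen=True)
class Flow:
    ts: int      # start time, epoch seconds (constructed values)
    src: str     # source host
    dst: str     # destination host
    dport: int   # destination port
    nbytes: int  # bytes transferred


@dataclass(frozen=True)
class HostBaseline:
    mean: float            # mean bytes per bucket
    stdev: float           # population standard deviation of bytes per bucket
    ports: frozenset[int]  # destination ports seen during the baseline window


def bucketed_volume(flows: list[Flow]) -> dict[str, dict[int, int]]:
    """Sum bytes per source host per time bucket: {host: {bucket_start: bytes}}."""
    vol: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        vol[f.src][f.ts // BUCKET_SECONDS * BUCKET_SECONDS] += f.nbytes
    return {host: dict(buckets) for host, buckets in vol.items()}


def build_baseline(training: list[Flow]) -> dict[str, HostBaseline]:
    """Derive per-host volume statistics and the set of ports used."""
    ports: dict[str, set[int]] = defaultdict(set)
    for f in training:
        ports[f.src].add(f.dport)
    baseline = {}
    for host, buckets in bucketed_volume(training).items():
        values = list(buckets.values())
        baseline[host] = HostBaseline(
            mean=statistics.fmean(values),
            stdev=statistics.pstdev(values) if len(values) > 1 else 0.0,
            ports=frozenset(ports[host]),
        )
    return baseline


def detect(observed: list[Flow], baseline: dict[str, HostBaseline],
           k: float = 3.0, min_sigma_fraction: float = 0.05) -> list[dict]:
    """Return alerts as plain dicts so they can be serialized for correlation."""
    alerts: list[dict] = []
    for host, buckets in bucketed_volume(observed).items():
        hb = baseline.get(host)
        if hb is None:
            alerts.append({"type": "unknown_host", "host": host,
                           "bytes": sum(buckets.values())})
            continue
        # A flat baseline has a stdev near zero; floor sigma so ordinary jitter
        # does not flood the analyst with alerts (and avoid dividing by zero).
        sigma = max(hb.stdev, hb.mean * min_sigma_fraction, 1.0)
        for start, total in sorted(buckets.items()):
            z = (total - hb.mean) / sigma
            if abs(z) > k:
                alerts.append({"type": "volume_deviation", "host": host,
                               "bucket_start": start, "bytes": total,
                               "baseline_mean": round(hb.mean), "z_score": round(z, 1)})
    seen_new_ports: set[tuple[str, int]] = set()
    for f in observed:
        hb = baseline.get(f.src)
        if hb is not None and f.dport not in hb.ports and (f.src, f.dport) not in seen_new_ports:
            seen_new_ports.add((f.src, f.dport))
            alerts.append({"type": "new_destination_port", "host": f.src,
                           "dst": f.dst, "dport": f.dport, "first_seen": f.ts})
    return alerts


def to_json(alerts: list[dict]) -> str:
    """Standardized output for local correlation or sharing with peer networks."""
    return json.dumps(alerts, indent=2, sort_keys=True)


def demo() -> list[dict]:
    """Constructed scenario: one hour of normal traffic, then three buckets to check."""
    per_bucket = [980_000, 1_010_000, 995_000, 1_020_000, 990_000, 1_005_000] * 2
    training = []
    for i, total in enumerate(per_bucket):
        t = i * BUCKET_SECONDS + 10
        training.append(Flow(t, "10.0.0.5", "203.0.113.7", 443, total - 20_000))
        training.append(Flow(t, "10.0.0.5", "10.0.0.2", 53, 20_000))
    observed = [
        Flow(3610, "10.0.0.5", "203.0.113.7", 443, 1_000_000),   # normal
        Flow(3910, "10.0.0.5", "203.0.113.7", 443, 25_000_000),  # 25x the baseline
        Flow(4210, "10.0.0.5", "203.0.113.7", 443, 900_000),     # within tolerance
        Flow(4210, "10.0.0.5", "198.51.100.9", 8443, 50_000),    # port never baselined
        Flow(4210, "10.0.0.9", "10.0.0.2", 53, 500),             # host never baselined
    ]
    return detect(observed, build_baseline(training))


if __name__ == "__main__":
    print(to_json(demo()))
```

The sigma floor is the tuning knob the "monitor and tune to increase accuracy" guidance refers to: a host with very regular traffic has a tiny standard deviation, and without a floor every small fluctuation would exceed k sigma and train analysts to ignore the feed. In the constructed run the 25 MB bucket is reported with a z-score of 480, the 0.95 MB bucket is not reported, the never-seen port 8443 is reported once rather than once per flow, and the unbaselined host is reported separately so it can be enrolled rather than scored against statistics it does not have.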

Security Log Management helps the enterprise organize records and formalize an approach that provides insight to events within the network.

• Determine which events are auditable and when they are to be audited.
