When auditing an object using the Relational Security Assessment Model, there are many different types of controls that can be checked. Policies should be developed that dictate the minimum levels of controls required for objects of a given risk level. Table C.1 includes some common controls that should be audited:
Table C.1. Example Risk Controls Sorted by Object Type

| Object type | Control | Audit question |
|---|---|---|
| All Objects | Local authentication | To gain direct access to the object, what level of authentication is required? |
| All Objects | Remote authentication | To gain remote access to the object, what level of authentication is required? |
| All Objects | Level of logging | To what degree are the subject's actions logged? |
| All Objects | Level of monitoring | To what degree are such logs monitored? |
| All Objects | Internal redundancy | What level of redundancy exists internal to the object (such as a RAID configuration)? |
| All Objects | External redundancy | Are there other objects that are fully redundant to this object? |
| All Objects | Backup/Recovery control | If the object were destroyed, how much could be recovered and how quickly? |
| Routers and Other Network Devices | Level of hardening | To what degree have hardening tasks been performed? Have services been disabled, patches applied, accounts locked down? |
| Routers and Other Network Devices | Degree of maintenance | How often is this object audited and updated for new vulnerabilities? |
| Servers | Antivirus software installed | Is antivirus software installed and running? |
| Servers | Antivirus software updated | Is the antivirus software updated regularly and automatically? |
| Servers | Level of hardening | To what degree have hardening tasks been performed? Have services been disabled, patches applied, accounts locked down? |
| Servers | Degree of maintenance | How often is this object audited and updated for new vulnerabilities? |
| Physical Areas | Room construction | Is the room secure enough to store equipment of this risk level? |
| Physical Areas | Degree of disaster prevention | Are there adequate fire controls and other safety precautions? |
| Physical Areas | Environmental conditions | Is the environmental conditioning adequate for a room of this risk level? |
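As an added illustration (not from the book), the following Python encodes Table C.1 as a control catalog and audits an object's observed control levels against a minimum-level policy keyed by risk level. The 0-3 level scale, the policy thresholds and the sample server are assumptions made for the example.

```python
"""Audit an object's controls against per-risk-level minimums (Table C.1)."""

# Control catalog from Table C.1: object type -> controls to audit.
# Every object type also inherits the "All Objects" controls.
CATALOG = {
    "all": ["local_auth", "remote_auth", "logging", "monitoring",
            "internal_redundancy", "external_redundancy", "backup_recovery"],
    "network_device": ["hardening", "maintenance"],
    "server": ["antivirus_installed", "antivirus_updated",
               "hardening", "maintenance"],
    "physical_area": ["room_construction", "disaster_prevention",
                      "environmental_conditions"],
}

# Assumed policy: minimum control level (0 = none .. 3 = strong) required
# for each object risk level. Thresholds are illustrative, not the book's.
POLICY = {"low": 1, "medium": 2, "high": 3}


def required_controls(object_type):
    """Controls an auditor must check: the shared set plus type-specific ones."""
    if object_type not in CATALOG or object_type == "all":
        raise ValueError(f"unknown object type: {object_type}")
    return CATALOG["all"] + CATALOG[object_type]


def audit(object_type, risk, observed):
    """Return findings as (control, observed_level, required_level) tuples.

    `observed` maps control name -> level 0-3; a control that was never
    assessed is absent and treated as level 0, so it always surfaces.
    """
    minimum = POLICY[risk]
    return [(name, observed.get(name, 0), minimum)
            for name in required_controls(object_type)
            if observed.get(name, 0) < minimum]


# Constructed sample: a high-risk server with weak monitoring, partial
# external redundancy and no recorded maintenance schedule.
SAMPLE_SERVER = {
    "local_auth": 3, "remote_auth": 3, "logging": 3, "monitoring": 1,
    "internal_redundancy": 3, "external_redundancy": 2, "backup_recovery": 3,
    "antivirus_installed": 3, "antivirus_updated": 3, "hardening": 3,
}

if __name__ == "__main__":
    for control, have, need in audit("server", "high", SAMPLE_SERVER):
        print(f"GAP {control}: observed {have}, policy requires {need}")
```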