Level II Assessment Forms
The following forms, as shown in Tables B.5, B.6, and B.7, can be used when assessing servers and during system demonstrations.
|
Password Action |
Recommended Value |
Actual Value |
|---|---|---|
|
Enforce password history |
10 days |
|
|
Maximum password age |
30 days |
|
|
Minimum password age |
1 day |
|
|
Minimum password length |
7 characters |
|
|
Passwords must meet complexity |
Enabled |
|
|
Account lockout threshold |
After 3 attempts |
|
Auditing |
Recommended Value |
Actual Value |
|---|---|---|
|
Audit system events |
Success and failure |
|
|
Audit process tracking |
None |
|
|
Audit privilege use |
Failure |
|
|
Audit account logon events |
Failure |
|
|
Audit account management |
Success and failure |
|
|
Audit directory service access |
None |
|
|
Audit logon events |
Failure |
|
|
Audit object access |
Success |
|
|
Audit policy change |
Failure |
|
Access Options |
Recommended Value |
Actual Value |
|---|---|---|
|
Rename administrator account |
Rename |
|
|
Audit the use of backup and restore privilege |
Enabled |
|
|
Shut down system immediately if unable to log security audits |
Enabled |
|
|
Do not display last username |
Enabled |
|
|
Display message text for users attempting to log on |
Enabled |
|
|
Message title for users attempting to log on |
Enabled |
|
|
Prompt user to change password before expiration |
1 week |
|
|
Network access: Do not allow anonymous enumeration of SAM accounts |
Enabled |
|
|
Can shares be accessed anonymously |
No |
|
|
Force logoff when logon hours expire |
Enabled |
|
|
Suspend session time |
30 minutes |
|
|
Do not display last username |
Enabled |
|
|
Restrict floppy, CD-ROM, and USB ports |
Enabled |
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
