Sample PCI-DSS Policy Part 2: Adherence to Standards
(2.2.a) Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. These standards must be consistent with industry-accepted hardening standards such as those published by the SANS Institute (SysAdmin, Audit, Network, Security), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). [2.2.b should be captured in your system configuration standard; 2.2.c and 2.2.3.b should be covered in your procedure for new server set-up]
Configuration standards must include:
- (5.2) updating of anti-virus software and definitions
- (6.1.b) provision for installation of all relevant new security patches within 30 days
- (8.5.8.b) prohibition of group and shared passwords