
Security Checklists for IT Products

This presentation gives an overview of NIST's security checklist program: how checklists are developed and described, the operational procedures for submitting and reviewing them, current status, and next steps in implementing the checklist provisions of the Cyber Security Research and Development Act of 2002. The goal is to improve out-of-the-box security and to make checklists tailored to different environments easily accessible.





Presentation Transcript


  1. Security Checklists for IT Products

  2. Agenda
  • Overview of Checklist Program
  • Discussion of Operational Procedures
  • Current Status
  • Next Steps

  3. Cyber Security Research and Development Act of 2002
  • Directs NIST to:
  • Develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.

  4. In Response…
  • NIST is developing a method for IT vendors, consortia, industry, government organizations, and others in the public and private sectors to voluntarily submit checklists in a standardized format, to be placed in a public, web-accessible database maintained by NIST
  • NIST is:
  • Creating a checklist development and description framework
  • Hosting a checklist web site for checklist users
  • Facilitating user demand for checklists
  • Becoming an ambassador to vendors for checklists

  5. What is a Checklist?
  • Often called lockdown guides, benchmark configurations, hardening guides, or other terms
  • In simple terms, a document or list of procedures to secure a system or application
  • Checklists are implementation guides used to apply security controls to the information system
  • Could include scripts, add-on templates, or executables

  6. Why Checklists?
  • Most products are insecure out of the box
  • Most users need assistance in configuring security controls due to the complexity of the technology
  • Demand for easy-to-understand checklists for improving security
  • Demand for checklists tailored to different environments, such as home, small office, enterprise, or higher security
  • Checklists can have a large impact on security with a relatively small upfront investment

  7. Goals of the Checklist Program
  • To significantly improve out-of-the-box security
  • To be a portal for checklists in general
  • To encourage primarily vendors to submit and support their checklists
  • To encourage vendors to develop checklists as part of their products
  • To leverage existing checklist development work

  8. NIST Checklist Process (flow diagram)
  • Producer: Submit the checklist
  • NIST: Review and post as a candidate
  • Consumer: Provide feedback and comments
  • Producer: Respond to comments and maintain
  • NIST: Review and post the checklist
  • Timeframe goal = 2 weeks

  9. NIST Checklist Template
  • An XML template used to describe a checklist
  • Fields include:
  • IT product name
  • Environment (high security, enterprise, SOHO)
  • How the checklist was tested
  • Revision dates
  • Cataloged in the web-searchable database
  • A user searches the fields of the templates to locate appropriate checklists

  10. Security Checklists for Commercial IT Products (web site mockup)
  About Checklists | Search the Security Checklist Database
  Under the Cyber Security Research and Development Act, NIST is charged with developing security checklists. These checklists describe security settings for commercial IT products.
  Security Environment: Security environments are SOHO, Enterprise, High Security, or Custom. Checklists can also be associated with the security categorization defined in FIPS 199.
  Partners: The checklists provided on this website are provided by a wide variety of vendors, government agencies, consortia, non-profit organizations, and user organizations (a complete list is linked from the site). NIST gratefully acknowledges their contributions and assistance in providing this security service.
  Disclaimer: The contents of each checklist are the responsibility of the submitting organization. We encourage users to send comments on specific checklists to the appropriate author.
  Search:
  • By specific product name: Microsoft Windows 2000
  • By security environment: High Security
  • By product type: Operating System
  Results (list of checklists):
  • NIST Windows 2000 Special Publication
  • NSA Windows 2000 Security Guide
  • DISA Windows 2000 Security Configuration Guide
  • CIS Windows 2000 Guide – Level 2
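As an added example (not code from the presentation or from NIST's checklist site), the following Python sketches how the template fields of slide 9 drive the three-field search shown in the slide 10 mockup, and applies the kind of format and requirements check slides 12 and 13 describe (a point of contact, a description of how the checklist was tested, a recognized environment, a well-formed revision date). The slides name fields but no schema, so the element and attribute names (checklist, product, productType, environment, revised, contact, title, tested) are assumptions; the records, contacts, dates and test notes are constructed, apart from the Windows 2000 titles taken from the slide 10 result list.

```python
"""Added example (not NIST's code): parse checklist description records in
the spirit of the slide 9 XML template, run submission checks like those
slides 12 and 13 describe, and search on the three fields of slide 10.
The schema below is assumed; the slides name fields, not elements."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Environment values as listed on the slide 10 mockup.
VALID_ENVIRONMENTS = {"SOHO", "Enterprise", "High Security", "Custom"}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample records (assumed schema).  The Windows 2000 titles are
# from slide 10's result list; contacts, dates and test notes are made up.
SAMPLE_XML = """<checklists>
  <checklist product="Microsoft Windows 2000" productType="Operating System"
             environment="High Security" revised="2003-10-15"
             contact="checklists@nist.gov">
    <title>NIST Windows 2000 Special Publication</title>
    <tested>Applied to lab workstations and domain controllers</tested>
  </checklist>
  <checklist product="Microsoft Windows 2000" productType="Operating System"
             environment="High Security" revised="2003-09-20"
             contact="poc@example.org">
    <title>CIS Windows 2000 Guide - Level 2</title>
    <tested>Applied to member lab systems and scored</tested>
  </checklist>
  <checklist product="Microsoft Windows XP" productType="Operating System"
             environment="Enterprise" revised="2004-06-30"
             contact="poc@example.org">
    <title>Windows XP Enterprise Settings (constructed)</title>
    <tested>Applied to a pilot group of managed desktops</tested>
  </checklist>
  <checklist product="Microsoft Windows XP" productType="Operating System"
             environment="Home" revised="6/30/04" contact="">
    <title>Bad submission (constructed)</title>
  </checklist>
</checklists>
"""


@dataclass
class ChecklistRecord:
    product: str
    product_type: str
    environment: str
    revised: str
    contact: str
    title: str
    tested: str


def _child_text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def validate(rec):
    """Format/requirements checks like slide 13's review; slide 12 requires a
    POC and a description of how the checklist was tested."""
    checks = [
        (rec.environment in VALID_ENVIRONMENTS, f"unknown environment {rec.environment!r}"),
        (bool(rec.contact), "no point of contact"),
        (bool(rec.tested), "no description of how the checklist was tested"),
        (bool(ISO_DATE.match(rec.revised)), f"revision date {rec.revised!r} not YYYY-MM-DD"),
    ]
    return [msg for ok, msg in checks if not ok]


def parse_records(xml_text):
    """Split records into (accepted, rejected); each rejected entry pairs the
    record with the list of problems found."""
    accepted, rejected = [], []
    for el in ET.fromstring(xml_text).findall("checklist"):
        rec = ChecklistRecord(
            product=el.get("product", ""), product_type=el.get("productType", ""),
            environment=el.get("environment", ""), revised=el.get("revised", ""),
            contact=el.get("contact", ""), title=_child_text(el, "title"),
            tested=_child_text(el, "tested"))
        problems = validate(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


def search(records, product=None, environment=None, product_type=None):
    """Filter on the three search fields of slide 10; None means any value.
    Product name matches as a case-insensitive substring, the others exactly."""
    return [r.title for r in records
            if (product is None or product.lower() in r.product.lower())
            and (environment is None or r.environment == environment)
            and (product_type is None or r.product_type == product_type)]


if __name__ == "__main__":
    ok, bad = parse_records(SAMPLE_XML)
    print(search(ok, product="Windows 2000", environment="High Security",
                 product_type="Operating System"))
    for rec, problems in bad:
        print("rejected:", rec.title, "->", "; ".join(problems))
```

The point of keeping validation separate from search is that a record which fails the submission requirements never reaches the catalogue: the search only ever sees accepted records, which is what the two-stage candidate/final process on slide 8 implies.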

  11. Checklist Categories
  • Under review – out for public review
  • Final – completed review, issues addressed
  • Supported – support for the checklist available, e.g., from the submitter
  • Non-supported – no support available
  • General – non-product specific, applies to a technology or a class of products

  12. Participation Requirements
  • Create a checklist and submit the XML template
  • Agree to respond to checklist-related questions/comments – must provide a POC
  • For certain checklists, agree to update the checklist on a timely basis or else withdraw the checklist
  • Agree to test the checklist and describe how the checklist was tested

  13. Reviewing Checklists
  • For all checklists, NIST will review for format, readability, general quality, and requirements
  • NIST will perform a limited technical review in cases where it has expertise in the technology
  • NIST will post candidate checklists for public review
  • Comments will be provided to the submitter
  • Issues will be addressed by the submitter before final posting of the checklist

  14. Current Status
  • Workshop completed 9/03, enthusiastic response from attendees
  • Workshop final report, 2nd Qtr, FY04
  • Drafting internal procedures, 2nd Qtr, FY04
  • Checklist Special Pub 1st draft ready for public review, 2nd Qtr, FY04
  • Comments accepted for 30 days

  15. Status Continued
  • Workshop for common checklist formats with configuration vendors, 3rd Qtr, FY04
  • Final release of Checklist Special Pub, 3rd Qtr, FY04
  • DISA STIG checklists mapped to checklist framework, 3rd and 4th Qtr, FY04
  • Windows XP checklists, 4th Qtr, FY04
  • Commitment from some vendors to participate

  16. Next Steps for FY05, FY06
  • Continue working on common checklist formats
  • Encourage vendors to support checklists on products as released
  • Encourage other agencies, consortia, and forums to submit checklists
  • Continue posting checklists and operating the checklist web site

  17. Contact Information
  Tim Grance, Murugiah Souppaya, John Wack (NIST)
  checklists@nist.gov
  http://csrc.nist.gov/checklists

  18. Acknowledgements
  • NIST gratefully acknowledges support for the checklist program from the Department of Homeland Security
  • NIST also recognizes important contributions from civilian and DoD agencies, vendors, and organizations
