Suggested Controls
(Suggested and Specified by James Younger, Ned Goren)
NIST 800-53 Rev5 PDF
-
- Proofs:
- users and their associated privileges
- identify system administrator and privileges
- identify system user and privileges
- identify that the SSP has been updated
- list user groups and roles
- verify that users have valid system access authorizations
- verify that user system usage is documented
- no group or shared accounts
EVIDENCE: Need access to system user accounts and ACLs.
- Need AWS-generated printout of user privileges.
- Need a printout of privileged and non-privileged users and their associated privileges on the system.
EVIDENCE: Need access to the system admin console and to account creation workflows to review system admin privileges.
- Need AWS-generated printout of user privileges.
- Need a printout of users and their privileges to identify system administrator privileges.
EVIDENCE: Need access to the system admin console and to account creation workflows to identify system user privileges.
- Need AWS-generated printout of user privileges.
- Need a printout of users and their privileges to identify system user privileges.
- Need account creation workflows.
- Need to review completed and approved workflows to identify what privileges system users were given.
EVIDENCE: Need access to Blossom account creation workflows and review approved user authorizations to identify user privileges, roles, and access authorizations.
EVIDENCE: Need access to the system admin console and the SSP to verify users on the system.
- Need AWS-generated ACLs.
- Need to identify system users.
- Need to create a workflow with information in the comment box stating that the SSP has been reviewed.
- Need to review completed workflows identifying that the SSP has been updated.
EVIDENCE: Need access to the system admin console and the SSP to verify system user group and role membership.
- Need to create a workflow with user group and role membership identified.
- Need to review completed workflows identifying user group and role membership.
- Need AWS-generated printout or list of user groups and roles.
EVIDENCE: Need access to the system and to account creation workflows to verify user system access authorizations.
- Need AWS-generated user accounts.
- Need to review the AWS-generated printout and verify that users have valid access authorizations.
- Need account creation workflows.
- Need to review workflows to verify that users have valid system access authorizations.
EVIDENCE: Need access to the system account creation workflows.
- Need to review user account request workflows to validate that account requests have been submitted and are complete and approved.
EVIDENCE: Need access to the system account creation workflows.
- Need to review user account request workflows to validate that account changes/updates have been submitted and are complete and approved.
EVIDENCE: Need documentation showing user accounts are monitored.
- Need to create a workflow where account use monitoring information is noted in the comment box.
- Need to review completed workflows to validate that system administrators are monitoring Blossom.
Verify that Blossom account managers, system owner, and program manager are notified within:
1 business day when accounts are no longer required. EVIDENCE: Need documentation showing notification.
- Need to create a workflow where account information from HR is noted in the comment box.
- Need to review completed workflows to validate that user account changes are documented.
1 business day when users are terminated or transferred. EVIDENCE: Need documentation showing notification.
- Need to create a workflow from the system administrator to the account managers, system owner, and program manager, where account information is noted in the comment box.
- Need to review completed workflows to validate that user account changes are documented.
1 business day when system usage or need-to-know changes for an individual. EVIDENCE: Need documentation showing notification.
- Need to create a workflow where account information is noted in the comment box.
- Need to review completed workflows to validate that user account changes are documented.
Verify that system access authorizations are based on:
A valid access authorization. EVIDENCE: Need access to the system account creation workflows to verify approval of accounts.
- Need to review completed workflows to verify that user access accounts are authorized.
Intended system usage. EVIDENCE: Need access to the system account creation workflows to verify user-intended usage of the system.
- Need to review completed workflows to verify that user system usage is documented.
Verify that accounts are reviewed for compliance with account management requirements every 6 months. EVIDENCE: Need documentation showing user accounts are reviewed every 6 months.
- Need to create a workflow where the system administrator notes in the comment box that system user accounts have been reviewed in this 6-month cycle.
- Need to review completed workflows to verify that system administrators review all user accounts every 6 months.
Verify that there are no group or shared accounts created for accessing Blossom. EVIDENCE: Need access to the system admin console to verify that there are no shared or group system accounts.
- Need AWS-generated printout of system accounts.
- Need to review system user accounts and verify that there are no group or shared accounts.
Verify that the Blossom system administrator updates all Blossom user accounts when users are terminated or transferred and their Blossom account is no longer required. EVIDENCE: Need access to the system admin console to review account changes.
- Need AWS-generated, date-specific list of user accounts. Need to verify that when an account change request is received, user accounts are updated.
- Need to review AWS-generated system user accounts and verify that accounts have been updated.
- Need to review completed workflows to verify that system account changes have been requested.
-
- AC-3 CFS Reference
- AC-3 CSRC Reference
- Goal: Demonstrate logical access enforcement
- Proofs:
- Fabric CA query of the identities currently enrolled (the Fabric CA client's identity and certificate listings)
- Verify that the enrollment certificates issued to these identities are active: within their validity period and not revoked
- Show identities that are not enrolled and certificates that have been revoked (the CA's revocation list)
-
- AC-6 CFS Reference
- AC-6 CSRC Reference
- Proofs:
- Roles and privileges mapping confirmation
- Pull all the roles
- Pull corresponding privileges
- Make sure the users in each role are not over-endowed with privileges (each role grants only what its users need)
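As an added example (not code from the Blossom project or the page's authors), the Python below turns the "AWS-generated printout of user privileges" called for throughout the AC-2 proofs above, and the roles-to-privileges mapping called for under AC-6, into checkable evidence. It assumes that printout is the JSON emitted by `aws iam get-account-authorization-details`; the account data and the owner roster embedded here are constructed, and the two flags it raises (a wildcard Allow statement reaching a user, and an account with no single named owner) are the reviewer's own checks, not Blossom policy.

```python
"""Per-user privilege evidence from `aws iam get-account-authorization-details` (added example)."""
import json

# Constructed sample shaped like that command's JSON output; not from a real account.
SAMPLE_DETAILS = json.loads(r'''
{
  "UserDetailList": [
    {"UserName": "alice", "GroupList": ["blossom-admins"], "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "bob", "GroupList": ["blossom-users"], "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "ops-shared", "GroupList": [], "UserPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
  ],
  "GroupDetailList": [
    {"GroupName": "blossom-admins", "GroupPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    {"GroupName": "blossom-users", "AttachedManagedPolicies": [],
     "GroupPolicyList": [{"PolicyName": "ReadLedgerLogs", "PolicyDocument": {"Version": "2012-10-17",
       "Statement": [{"Effect": "Allow", "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/blossom/*"}]}}]}
  ],
  "Policies": [
    {"PolicyName": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
     "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": true,
       "Document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}
  ]
}
''')

# Constructed roster (assumption): IAM user name -> the one named person who owns it (AC-2).
ROSTER = {"alice": "Alice Example, system administrator", "bob": "Bob Example, system user"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def default_policy_documents(details):
    """Managed-policy ARN -> document of its default (active) version."""
    docs = {}
    for policy in details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                docs[policy["Arn"]] = version["Document"]
    return docs


def effective_statements(user, details):
    """Every policy statement reaching a user: inline, attached managed, and via group membership."""
    docs = default_policy_documents(details)
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    sources = [("user:" + user["UserName"], user)]
    sources += [("group:" + name, groups[name]) for name in user.get("GroupList", []) if name in groups]
    statements = []
    for label, entity in sources:
        for pol in entity.get("UserPolicyList", []) + entity.get("GroupPolicyList", []):
            for st in _as_list(pol["PolicyDocument"]["Statement"]):
                statements.append((f"{label}/{pol['PolicyName']}", st))
        for att in entity.get("AttachedManagedPolicies", []):
            for st in _as_list(docs.get(att["PolicyArn"], {}).get("Statement", [])):
                statements.append((f"{label}/{att['PolicyName']}", st))
    return statements


def is_full_admin(statement):
    """Allow with wildcard Action and Resource, the AdministratorAccess shape (AC-6 flag)."""
    return (statement.get("Effect") == "Allow"
            and "*" in _as_list(statement.get("Action", []))
            and "*" in _as_list(statement.get("Resource", [])))


def account_report(details, roster):
    """One evidence row per IAM user for the AC-2 and AC-6 proofs."""
    rows = {}
    for user in details.get("UserDetailList", []):
        name = user["UserName"]
        stmts = effective_statements(user, details)
        rows[name] = {
            "owner": roster.get(name),
            "possible_shared_account": name not in roster,  # AC-2: no single individual owns it
            "groups": list(user.get("GroupList", [])),
            "policy_sources": sorted({src for src, _ in stmts}),
            "allowed_actions": sorted({a for _, st in stmts if st.get("Effect") == "Allow"
                                       for a in _as_list(st.get("Action", []))}),
            "full_admin": any(is_full_admin(st) for _, st in stmts),  # AC-6: over-endowed
        }
    return rows


if __name__ == "__main__":
    for name, row in account_report(SAMPLE_DETAILS, ROSTER).items():
        flags = (["AC-6:wildcard-admin"] if row["full_admin"] else []) + \
                (["AC-2:no-individual-owner"] if row["possible_shared_account"] else [])
        print(f"{name:11} groups={row['groups']} actions={row['allowed_actions']} {' '.join(flags)}")
```

Run against a real export by replacing `SAMPLE_DETAILS` with `json.load(open("auth-details.json"))` and the roster with the HR list used in the account workflows; the `policy_sources` column is what ties each privilege back to the approved workflow that granted it.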
-
- AC-17 CFS Reference
- AC-17 CSRC Reference
- Proofs:
- URL is HTTPS (no plaintext HTTP endpoint is served, or HTTP only redirects to HTTPS)
- TLS is the only allowed protocol: SSL 2.0/3.0 and TLS 1.0/1.1 are disabled, so only TLS 1.2 or later can be negotiated
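An added example, not part of the original page or the Blossom project: a Python check of the two AC-17 proofs against load-balancer listener configuration. It assumes the Blossom URL is fronted by an AWS Application Load Balancer and inspects the JSON shape of `aws elbv2 describe-listeners`; the listener data is constructed, and the set of predefined ELB security policies accepted as "TLS 1.2 or later" is an allow-list chosen here rather than anything Blossom defines.

```python
"""Listener checks for the AC-17 proofs: HTTPS only, TLS 1.2+ only (added example)."""

# Predefined ELB security policies that negotiate only TLS 1.2/1.3. Allow-list chosen by the reviewer.
TLS12_PLUS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}

# Constructed target group ARN (assumption) used by both configurations below.
TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/blossom-web/0123456789abcdef"

# Constructed `aws elbv2 describe-listeners` output showing the weak settings: plaintext HTTP is
# forwarded to the application, and the 2016-08 default policy still negotiates TLS 1.0 and 1.1.
WEAK_LISTENERS = {"Listeners": [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]}]}

# The corrected configuration: port 80 only redirects to HTTPS, port 443 uses a TLS 1.2+ policy.
HARDENED_LISTENERS = {"Listeners": [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]}]}


def _only_redirects_to_https(listener):
    """True when every default action on the listener is a redirect whose target scheme is HTTPS."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions)


def listener_findings(describe_output, allowed_policies=TLS12_PLUS_POLICIES):
    """Return the reasons the listeners fail 'HTTPS URL, TLS only'; an empty list means they pass."""
    findings = []
    listeners = describe_output.get("Listeners", [])
    for lst in listeners:
        proto, port = lst.get("Protocol"), lst.get("Port")
        if proto == "HTTPS":
            if lst.get("SslPolicy") not in allowed_policies:
                findings.append(f"port {port}: policy {lst.get('SslPolicy')!r} is not in the TLS 1.2+ allow-list")
        elif proto == "HTTP":
            if not _only_redirects_to_https(lst):
                findings.append(f"port {port}: plaintext HTTP is served rather than redirected to HTTPS")
        else:
            findings.append(f"port {port}: unexpected protocol {proto}")
    if not any(lst.get("Protocol") == "HTTPS" for lst in listeners):
        findings.append("no HTTPS listener")
    return findings


if __name__ == "__main__":
    print("weak:    ", listener_findings(WEAK_LISTENERS))
    print("hardened:", listener_findings(HARDENED_LISTENERS))
```

The configuration check is the evidence that belongs in the SSP; an external probe of the live URL (for example attempting a TLS 1.0 handshake and confirming it is refused) is the complementary runtime check and needs network access to the endpoint.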
-
- AU-2 CFS Reference
- AU-2 CSRC Reference
- Proofs:
- CloudTrail and CloudWatch Logs are on (trail logging enabled in all regions, events delivered to CloudWatch Logs)
- Proof that the account configuration has all AWS logging turned on (trail status and event selectors)
-
- AU-3 CFS Reference
- AU-3 CSRC Reference
- Proofs:
- CloudTrail and CloudWatch Logs are collecting:
- All events (read and write management events, all regions)
- Events mapped to an identity (the userIdentity of the calling principal)
- Action timestamp (eventTime)
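As an added example (not code from the page or the Blossom project), the Python below checks the AU-2 and AU-3 proofs above from the artefacts an assessor is actually handed: the CloudTrail configuration and sample log records. The inputs are constructed in the shape of `aws cloudtrail describe-trails`, `get-trail-status`, `get-event-selectors` output and a CloudTrail event record; the field names follow the CloudTrail record format, while the definition of "all logging on" (multi-region trail, log file validation, read and write management events, delivery to CloudWatch Logs) is the reviewer's, not a Blossom setting.

```python
"""CloudTrail configuration and record checks for the AU-2 and AU-3 proofs (added example)."""
from datetime import datetime

# Constructed inputs shaped like `describe-trails`, `get-trail-status` and `get-event-selectors`.
TRAILS = {"trailList": [{
    "Name": "blossom-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:blossom-trail:*"}]}
STATUS = {"blossom-trail": {"IsLogging": True}}
SELECTORS = {"blossom-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}}

# The same trail with the weak settings an assessor should catch (constructed).
WEAK_TRAILS = {"trailList": [{"Name": "blossom-trail", "IsMultiRegionTrail": False,
                             "LogFileValidationEnabled": False}]}
WEAK_STATUS = {"blossom-trail": {"IsLogging": False}}
WEAK_SELECTORS = {"blossom-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]}}

# AU-3 record content: what happened, when, where, from where, and who. Outcome is derived below.
REQUIRED_FIELDS = {"eventName": "type of event", "eventTime": "when", "awsRegion": "where",
                   "sourceIPAddress": "source", "userIdentity": "identity"}

# Constructed CloudTrail records: one complete, one that fails AU-3.
GOOD_RECORD = {
    "eventVersion": "1.08", "eventTime": "2024-03-05T14:22:01Z",
    "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                     "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
    "requestParameters": {"userName": "bob"}}
BAD_RECORD = {"eventTime": "2024-03-05T14:22:01Z", "eventName": "PutBucketPolicy",
              "awsRegion": "us-east-1", "userIdentity": {"type": "Unknown"},
              "errorCode": "AccessDenied"}


def trail_findings(trails, status, selectors):
    """AU-2: list the reasons a trail does not prove that all logging is on; empty means pass."""
    findings = []
    for trail in trails.get("trailList", []):
        name = trail["Name"]
        if not status.get(name, {}).get("IsLogging"):
            findings.append(f"{name}: logging is OFF")
        if not trail.get("IsMultiRegionTrail"):
            findings.append(f"{name}: single-region trail")
        if not trail.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation disabled")
        if not trail.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"{name}: not delivered to CloudWatch Logs")
        sel = selectors.get(name, {}).get("EventSelectors", [])
        if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All" for s in sel):
            findings.append(f"{name}: read and write management events not both captured")
    if not trails.get("trailList"):
        findings.append("no trail configured")
    return findings


def record_findings(record):
    """AU-3: list the reasons a record lacks the required content; empty means pass."""
    findings = [f"missing {f} ({why})" for f, why in REQUIRED_FIELDS.items() if f not in record]
    ident = record.get("userIdentity", {})
    if "userIdentity" in record and not (ident.get("arn") or ident.get("principalId")):
        findings.append("userIdentity does not name a principal")
    if "eventTime" in record:
        try:
            datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append("eventTime is not an ISO 8601 UTC timestamp")
    return findings


def record_outcome(record):
    """AU-3 outcome: CloudTrail marks a failed call with errorCode; its absence means success."""
    return "failure:" + record["errorCode"] if "errorCode" in record else "success"


if __name__ == "__main__":
    print("trail (weak):  ", trail_findings(WEAK_TRAILS, WEAK_STATUS, WEAK_SELECTORS))
    print("trail (fixed): ", trail_findings(TRAILS, STATUS, SELECTORS))
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(rec["eventName"], record_outcome(rec), record_findings(rec))
```

For a real assessment, feed `record_findings` every record in a day's CloudTrail log files (each file is a JSON object with a `Records` list); a single record without a principal is a gap in the identity mapping AU-3 requires.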
-
- IA-2 CFS Reference
- IA-2 CSRC Reference
- Proofs:
- Listing of separate (individual) identities within the system.
- Process diagram of how authentication is achieved (a flow diagram is sufficient).
-
- RA-5 CFS Reference
- RA-5 CSRC Reference
- Proofs:
- Show any tools or platforms that provide vulnerability or configuration compliance information.
- In the case of Blossom this could include cloud security platform tools such as AWS Security Hub (configuration compliance standards and aggregated findings) and Amazon GuardDuty (threat findings); vulnerability scan results themselves come from a scanner such as Amazon Inspector.
-
- SA-11 CFS Reference
- SA-11 CSRC Reference
- Proofs:
- Outputs from development pipelines showing vulnerability checks (static analysis, dependency scanning) and compliance checks run against the code.
-
- SC-2 CFS Reference
- SC-2 CSRC Reference
- Proofs:
- Output of the rights assigned to an administrative user versus a general user of the system, showing that system management functions are separated from user functions.