The following is a list of tasks that must be done on a regular basis to ensure security stays at a satisfactory level:
- Deny access to systems to undefined users or anonymous accounts.
- Limit and monitor the usage of administrator and other powerful accounts.
- Suspend or delay access capability after a specific number of unsuccessful logon attempts.
- Remove obsolete user accounts as soon as the user leaves the company.
- Suspend inactive accounts after 30 to 60 days.
- Enforce strict access criteria.
- Enforce the need-to-know and least-privilege practices.
- Disable unneeded system features, services, and ports.
- Replace default password settings on accounts.
- Limit and monitor global access rules.
- Remove redundant resource rules from accounts and group memberships.
- Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
- Enforce password rotation.
- Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
- Audit system and user events and actions, and review reports periodically.
- Protect audit logs.
Unauthorized Disclosure of Information
Object Reuse
Object reuse issues pertain to reassigning to a subject media that previously contained one or more objects.
Sensitive data should be classified (secret, top secret, confidential, unclassified, and so on) by the data owners.
剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记:5.9 访问控制实践
