11.1 Administrative Management:
11.2 Operational Responsibilities:
Users should hold the security clearance required for the data and resources they access, and their access should be further limited to what they need to know for their job (need-to-know, enforced as least privilege).
Contract and temporary staff should be given separate accounts with a different, more restricted (and time-limited) privilege level rather than sharing permanent-employee accounts.
Systems should not allow their boot-up sequence to be altered in a way that could bypass operating system security mechanisms (for example booting from removable media to read the disk without the OS access controls); restrict the boot device order and password-protect the BIOS/UEFI setup.
11.3 Configuration Management:
Change control process: change request submitted → change approved → change documented → change tested and presented → change implemented → change reported to management.
Configuration management activities:
1. Identification: establish an identification scheme; identify acceptance requirements; identify data requirements; identify configuration items; document configuration items; establish data baselines.
2. Change control: establish change criteria; establish review and control organizations (e.g. a change control board); establish change control procedures; control revisions to specifications, designs, drawings, data and documents.
3. Auditing: formal qualification reviews, physical configuration audits, functional configuration audits.
4. Status accounting: maintain product description records, maintain configuration verification records, maintain change status records, and maintain a history of change approvals.
11.4 Media Control, Network and Resource Availability:
Media librarian responsibilities: marking, logging, integrity verification, physical access protection, environmental protection, transmittal, disposition.
Redundant array of independent disks (RAID) levels:
0: data striped over several drives; no redundancy, so a single failed drive loses the whole array (performance only).
1: mirroring of drives; survives the loss of one drive in each mirrored pair.
2: data striped over all drives at the bit level, with Hamming-code error correction held on dedicated drives (rarely used in practice).
3: data striped over all drives at the byte level, with parity held on one dedicated drive (byte-level parity).
4: same as level 3, except parity is created at the block level instead of the byte level (block-level parity).
5: data and parity both written in block units across all drives, with the parity block rotating from stripe to stripe so no single drive becomes the parity bottleneck (interleaved parity); survives one drive failure.
6: like level 5 but with added fault tolerance: a second, independently computed parity block per stripe, also distributed across all drives, so the array survives two simultaneous drive failures (second parity data).
10: mirrored and striped (a stripe laid over mirrored pairs).
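To see what "interleaved parity" buys you, here is a small RAID 5 simulation: block-level striping, one XOR parity block per stripe whose drive position rotates, and reconstruction of a lost drive from the survivors. This is an added example written for these notes, not code from any RAID implementation; the drive count, 4-byte block size and the payload are arbitrary choices, and the left-symmetric rotation formula is one common layout, not the only one.

```python
"""RAID 5 in miniature: block-level striping with parity interleaved
across all drives (added example; layout and sizes are assumptions)."""
from functools import reduce

BLOCK = 4  # bytes per block; real arrays use stripe units of 4 KiB to 1 MiB


def xor_blocks(blocks):
    """XOR a sequence of equal-length byte blocks together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def raid5_write(data, n_drives):
    """Lay out `data` as RAID 5 stripes on `n_drives` drives.

    Each stripe holds n_drives-1 data blocks plus one parity block; the
    parity block's drive rotates with the stripe number, which is the
    'interleaved parity' that distinguishes RAID 5 from RAID 4.
    Returns a list of drives, each a list of blocks.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    data_per_stripe = n_drives - 1
    stripe_bytes = BLOCK * data_per_stripe
    if len(data) % stripe_bytes:                      # pad to a whole stripe
        data += b"\0" * (stripe_bytes - len(data) % stripe_bytes)
    drives = [[] for _ in range(n_drives)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(data_per_stripe)]
        parity = xor_blocks(blocks)
        parity_drive = (n_drives - 1 - s) % n_drives   # left-symmetric rotation
        it = iter(blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(it))
    return drives


def raid5_read(drives):
    """Reassemble the byte stream, skipping each stripe's parity block."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = (n - 1 - s) % n
        for d in range(n):
            if d != parity_drive:
                out += drives[d][s]
    return bytes(out)


def raid5_rebuild(drives, failed):
    """Reconstruct drive `failed` from the survivors.

    For every stripe the missing block, whether data or parity, is the
    XOR of the other blocks in that stripe. A second simultaneous failure
    cannot be recovered this way; that is what RAID 6's second parity adds.
    """
    survivors = [d for i, d in enumerate(drives) if i != failed]
    rebuilt = [xor_blocks(stripe) for stripe in zip(*survivors)]
    repaired = list(drives)
    repaired[failed] = rebuilt
    return repaired


if __name__ == "__main__":
    payload = b"operations security notes!"          # constructed sample data
    array = raid5_write(payload, 4)
    damaged = list(array)
    damaged[2] = None                                # simulate drive 2 dying
    assert raid5_read(raid5_rebuild(damaged, 2))[:len(payload)] == payload
    print("drive 2 rebuilt from parity; data intact")
```

Note that the rebuild reads every surviving drive in full, which is why a second drive failure during the (often hours-long) rebuild window of a large RAID 5 array is the scenario RAID 6 is designed to survive.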
11.5 Vulnerability Testing:
Penetration test flow: DNS and WHOIS reconnaissance → identification of targets → port scanning → system fingerprinting → identification of vulnerabilities.
Identification of vulnerabilities covers perimeter devices, operating systems, services and web applications.
After identification, check whether the mandate (rules of engagement) allows exploitation:
If yes: deeper network penetration; exploit all possible vulnerabilities → result collation and reporting.
If no: nondestructive exploitation only (verify the vulnerability without damaging or disrupting the target) → result collation and reporting.
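The port-scanning and fingerprinting steps above, as an added example written for these notes (not from any scanner or from the original text): it stands up two fake services on loopback that announce made-up banners, scans a list of ports, and maps each open port to a service name using a constructed signature table. The banners, the signature table and the helper names are all assumptions for the demonstration; the vulnerability-identification step that follows in the flow (matching the banner's version against advisories) is not shown.

```python
"""Port scan plus banner-based service fingerprinting against a
constructed loopback target (added example; all services and
signatures here are made up for the demonstration)."""
import socket
import threading

# Constructed banners for the fake services; nothing here is a real host.
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1\r\n",
    "smtp": b"220 mail.example.test ESMTP ready\r\n",
}

# Minimal signature table: banner prefix -> service name (assumption).
SIGNATURES = [
    (b"SSH-2.0-", "ssh"),
    (b"220 ", "smtp"),
]


def start_fake_service(banner):
    """Bind an ephemeral loopback port and send `banner` to every client.

    Returns (port, listening_socket); close the socket to stop the service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port():
    """Grab and release an ephemeral loopback port so the scan has a port
    that is known to be closed (demo helper)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port.

    Returns the banner (possibly b"" if the service stays silent) when the
    port accepts a connection, or None when it is closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def fingerprint(banner):
    """Map a banner to a service name via the prefix signature table."""
    for prefix, name in SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"


def scan(host, ports):
    """Port scan then fingerprint: {open_port: (service, banner_text)}."""
    results = {}
    for port in ports:
        banner = scan_port(host, port)
        if banner is not None:
            text = banner.decode("ascii", errors="replace").strip()
            results[port] = (fingerprint(banner), text)
    return results


if __name__ == "__main__":
    ssh_port, ssh_srv = start_fake_service(FAKE_BANNERS["ssh"])
    smtp_port, smtp_srv = start_fake_service(FAKE_BANNERS["smtp"])
    for port, (svc, banner) in scan("127.0.0.1", [ssh_port, smtp_port, free_closed_port()]).items():
        print(f"{port}/tcp open  {svc:<8} {banner}")
    ssh_srv.close()
    smtp_srv.close()
```

A connect scan completes the TCP handshake, so it shows up in the target's connection logs; in an engagement where the mandate forbids exploitation this is still the nondestructive end of the spectrum, but it should be declared in the rules of engagement like everything else.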
