The following is a list of tasks that must be done on a regular basis to ensure security stays at a satisfactory level:
-
Deny access to systems to undefined users or anonymous accounts.
-
Limit and monitor the usage of administrator and other powerful accounts.
-
Suspend or delay access capability after a specific number of unsuccessful logon attempts.
-
Remove obsolete user accounts as soon as the user leaves the company.
-
Suspend inactive accounts after 30 to 60 days.
-
Enforce strict access criteria.
-
Enforce the need-to-know and least-privilege practices.
-
Disable unneeded system features, services, and ports.
-
Replace default password settings on accounts.
-
Limit and monitor global access rules.
-
Remove redundant resource rules from accounts and group memberships.
-
Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
-
Enforce password rotation.
-
Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
-
Audit system and user events and actions, and review reports periodically.
-
Protect audit logs.
Unauthorized Disclosure of Information
Object Reuse
Object reuse issues pertain to reassigning to a subject media that previously contained one or more objects.
Sensitive data should be classified (secret, top secret, confidential, unclassified, and so on) by the data owners.
剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记:5.9 访问控制实践