Function: Protect (PR)
Category: Information Protection Processes and Procedures (IP)
“Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”
This Category is large so will be broken into two sections, the first covering subcategories 1-6, the second covering subcategories 7-12.
PR.IP-1: A baseline configuration of information technology/industrial controls systems is created and maintained.
As with the Identify function, a baseline configuration of information technology needs to be created and maintained to apply appropriate protections and measure future builds, releases, and/or changes to information systems. These should not only include operating system and patch levels but, application versions, standard packages, and network topology in the overall system architecture. Often using already established baselines such as the Center for Internet Security benchmarks or Security Technical Implementation Guides, are good starting points that can be modified to fit the environment.
Auditors may look to see if the organization has created or adopted baseline configurations for systems, including servers, desktops, laptops, and network equipment. Current system configurations may be sampled to verify configuration standards are in place and enforced.
Applicable CIS Critical Controls:
CIS Control 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers.
As delivered, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use, NOT security. Basic controls, open services and ports, default accounts and/or passwords, older (vulnerable) protocols, pre-installation of unneeded software, all can be exploitable in their default state.
Developing configuration settings with good security properties is a complex task beyond the ability of individual users. Even if a strong initial configuration is installed, it must be continually managed to avoid security “decay” as software is updated or patched.
CIS Control 11 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
As delivered, the default configuration for network infrastructure equipment is geared for ease-of-deployment and ease-of-use, NOT security. Open services and ports, default accounts, support for older (vulnerable) protocols, and unneeded software3 all can be exploitable in their default state.
Attackers take advantage of network devices becoming less securely configured over time as users demand exceptions for specific business needs. Sometimes the exceptions are deployed and then left undone when they are no longer applicable. Attackers will search for vulnerable settings, holes in firewalls, routers, and switches and use those to penetrate defenses.
PR.IP-2: A System Development Life Cycle to manage systems is implemented
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions.
This also must apply to acquired applications and systems through the procurement process as well as appropriately documented configuration management.
Auditors may obtain a copy of an organization’s documented system development life cycle. They may obtain samples of rollout documentation and rollout schedules to ensure compliance with policy.
Applicable CIS Critical Controls:
CIS Control 18 – Application Software Security
Attacks often take advantage of vulnerabilities found in web-based and other application software. Managing the security life cycle of all in-house developed and acquired software is necessary to prevent, detect, and correct security weaknesses. There is a flood of information about vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow “weaponization” of vulnerabilities into exploits. The system development life cycle must include security as a component.
PR.IP-3: Configuration change control processes are in place
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Change control includes changes to baseline configurations, changes to operating systems, applications, and network infrastructure including changes to remediate vulnerabilities.
Auditors will determine if change control processes for information systems are in place and will look to see if: Proposed changes are documented and approved; changes are prohibited until approvals are received, changes are tested and validated before implementation, and changes are documented and reported upon completion.
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include, for example, walk-through and tabletop exercises, checklists, simulations, and comprehensive exercises. These should be scheduled and conducted on a periodic basis and especially after major component changes.
Mechanisms to backup system-level information and user-level information should be deployed and tested regularly. To protect the integrity of information system backups, digital signature or cryptographic hashes may be considered.
Auditors may ask to see the formal backup and recovery plans and review backup procedures. Additionally, they may want to verify that such data is accessible and readable. A review of the results of testing exercises may be examined as well.
Applicable CIS Critical Controls:
CIS Control 10 – Data Recovery Capability
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes these changes are subtle, potentially jeopardizing organizational effectiveness with polluted information. A trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine is necessary.
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
Make sure that requirements to provide physical operating environment protections are documented in policy and in procedures. These cover a wide range of physical protections from emergency shutoff and power to fire suppression and protection. Are information systems located in a place that can minimize damage?
Auditors may review physical security policies, procedures and plans to ensure the following are addressed: Emergency shutoff; emergency lighting; emergency power, fire protection, temperature and humidity controls; water damage protection, and location of information system components to minimize damage.
PR.IP-6: Data is destroyed according to policy
This applies to all information system media, subject to disposal or reuse and whether the media is considered removable. While system hard drives are evident, often overlooked are hard drives found in scanners and copiers as well as network devices that may present a risk to the disclosure of sensitive information if not properly disposed of.
Make sure the organization has a data destruction policy and appropriately sanitizes media when required to prevent unauthorized disclosure of information. If using a third-party, make sure they provide you with certification of destruction. Additionally, sensitive information that is printed should be appropriately destroyed through adequate shredding rather than being found in trash cans.
Auditors may review media sanitizing policies and verify that the techniques being used are appropriate to ensure that it will not lead to an unauthorized disclosure. Trash cans, dumpsters, and shredders may also be checked to make sure they comply with policy. Last, if a media sanitizing company is used, proof of destruction (e.g. destruction certificates) may be reviewed.