
Version 4.1 - 7.4 Industry Best Practices

For this test you have to be familiar with SOX, the Sarbanes-Oxley Act. Paul Sarbanes (Chairman of the Senate Committee on Banking, Housing and Urban Affairs) was the Senator from Maryland and Mike Oxley (Chairman of the House Financial Services Committee) was the Representative from Ohio; together they created the Sarbanes-Oxley Act. It was a reaction to a number of major corporate and accounting scandals (Enron and WorldCom). Knowing this background will help you with many questions on this topic. Keep in mind that US laws only apply to the US. Here is why a networking test needs to cover something financial:

"Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs. Since modern accounting systems are computer based, accurate financial reporting depends on reliable, and secure, computing environments."

So all the "requirements" here relate to the accuracy and integrity of computing systems. What controls do you have in place to ensure the integrity of the data? How do you know the data is complete and that no logs are missing? It is related to the COBIT framework. It requires you to have policies and standards [and controls to check that those policies are actually being implemented and followed]. It covers access and authentication, user account management, network security, monitoring, segregation of duties and physical security.

Good document on this: SOX Compliance Checklist

PCI-DSS is the Payment Card Industry Data Security Standard. The standard was created to increase controls around cardholder data to reduce credit card fraud. The intentions were to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

Control objectives and PCI DSS requirements

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

It is inexact to call SOX and PCI-DSS "industry best practices", since both are mandates for the organizations they apply to. "Best practices" normally refers to things that optimize and secure but are not mandated: they are suggested, not required. Cisco actually publishes multiple documents that list best practices for several technologies:

Cisco WLC Configuration Best Practices

Cisco Enterprise Campus Infrastructure Best Practices Guide

Configuration Management: Best Practices White Paper
