RMC - Security Implementation Best Practices (CIS-Based Guidelines)
What is a security implementation?
A security implementation refers to a set of security measures, controls, and frameworks applied to a project/service/vendor during planning, deployment, and closing phases. The Service Owner is responsible for documenting how these security measures, controls, and frameworks are applied within the organization's environment (systems, infrastructure, processes, etc.).
What security measures, controls, and frameworks provide guidance during a security implementation?
The Office of Cybersecurity uses the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) to serve as best practices for a security implementation. The CIS Controls provide a set of security best practices to reduce overall risk.
While the CIS Controls establish the minimum security best practices, regulatory and compliance requirements may require a more comprehensive review of security. Ensure that a security implementation is extended to fully satisfy all regulatory (e.g., HIPAA, FERPA, PCI DSS, CMMC), compliance (e.g., Universities of Wisconsin and UW Policy), and contractual (e.g., BAAs, DUAs, DTUAs) standards governing the data involved.
What are the CIS Controls best practices?
Access Control Management (authorization) - Develop processes, tools, and documentation to create, assign, manage, and revoke permissions, granting accounts only the privileges they need and splitting responsibilities among different people.
Account/Credential Management - Develop processes, tools, and documentation to issue, manage, verify, revoke, and audit service, general, privileged, default, and local accounts.
Application Software Security - Develop processes, tools, and documentation to ensure secure application development including the separation of non-production and production environments and addressing software vulnerabilities.
Audit Logs - Develop processes, tools, and documentation to confirm records of system activity are clearly defined, collected, and properly kept according to policy.
Contingency Planning - Create, review, update, and test disaster recovery, business continuity, and data backup plans according to policy in order to ensure minimal disruption during adverse events.
Email and Web Browser Protections - Develop processes, tools, and documentation to strengthen defenses against threats that come through email or web browsing, and improve how quickly they’re detected.
Encryption at Rest - Develop processes, tools, and documentation to ensure data at rest is protected by modern encryption so it remains safeguarded even if accessed without permission.
Encryption in Transit - Develop processes, tools, and documentation to ensure data in transit is protected by modern encryption so it remains safeguarded even if intercepted without permission.
Incident Response Management - Develop a comprehensive Incident Response Plan (IRP) according to policy that clearly defines roles and responsibilities, outlines training requirements, and establishes reporting and communication protocols, ensuring sufficient response to cybersecurity incidents.
Incident Response Testing - Develop an Incident Response Plan (IRP) testing procedure that tests communication channels, decision making, and workflows on an annual basis, at a minimum.
Malicious Code Protection - Develop processes, tools, and documentation to prevent the installation, spread, and execution of malicious applications, code, or scripts on assets.
Network Monitoring and Defense - Develop processes, tools, and documentation to establish and maintain comprehensive network monitoring and defense against security threats across the network infrastructure and user base.
Penetration Testing Consultation - Periodically consult the Office of Cybersecurity to develop a process for penetration testing of appropriate size, complexity, and maturity.
Physical Inventory - Develop processes, tools, and documentation to keep track of all physical equipment and devices.
Physical Security Controls - Create and document physical security controls and maintenance processes to protect physical locations.
Privacy and Security Training - Ensure that all relevant personnel complete annual training on privacy and security practices in accordance with applicable policies and standards.
Secure Configuration & Change Management - Develop processes, tools, and documentation to support asset hardening and change management, including approval workflows, stakeholder communication, testing protocols, rollback procedures, and ongoing monitoring.
Secure Network Architecture - Develop processes, tools, and documentation to build and maintain a secure network infrastructure that addresses segmentation, least privilege, and high availability, and that is regularly updated to protect against threats.
Third-Party/Service Provider Management - Develop a process to evaluate and inventory third-party providers that addresses the business impact, risk posture, event monitoring, contractual obligations (BAA, DUA, etc.), and decommissioning of these providers.
Software Inventory - Develop processes, tools, and documentation to maintain an up-to-date list of all software being used, and validate each asset is actively managed and monitored.
Sufficient Authentication - Validate that sufficient authentication methods are in place based on acceptable risk levels, which could include multi-factor authentication, strong password policies, password management, and federated identity protocols.
System Audit Log Review and Analysis - Develop processes, tools, and documentation to regularly review audit logs according to policy, detecting anomalies or abnormal events that may indicate a potential threat.
Vulnerability Management Plan - Develop processes, tools, and documentation that identify vulnerabilities in physical and software assets, implement timely remediation, and reduce exposure to potential threats.
