Compliance with CIS Security Standards for Server Configurations
Table of Contents
- EDC Inc Compliance with CIS Security Standards for Server Configurations Policy
- 1.0 Purpose
- 2.0 Scope
- 3.0 Policy
- 3.1 Server Configuration Standards
- 3.2 User and Service Account Management
- 3.3 Inventory Management
- 3.4 Change Management
- 3.5 Security Monitoring
- 3.6 Incident Management
- 3.7 Audit and Compliance
- 4.0 Enforcement
- 5.0 Review and Update
- 6.0 Contact
- Summary
EDC Inc Compliance with CIS Security Standards for Server Configurations Policy
This policy outlines the standards and procedures that EDC Inc will follow to ensure compliance with the Center for Internet Security (CIS) Security Standards for Server Configurations. This policy applies to all servers owned and operated by EDC Inc, including those managed by third-party service providers.
1.0 Purpose
The purpose of this policy is to establish guidelines for server configurations that comply with CIS Security Standards. This will help to protect EDC Inc’s information assets from unauthorized access, loss, or damage while ensuring the integrity, confidentiality, and availability of data.
2.0 Scope
This policy applies to all EDC Inc employees, contractors, and third-party service providers who manage, operate, or access EDC Inc servers. This includes servers located on-premises, in data centers, and in the cloud.
3.0 Policy
3.1 Server Configuration Standards
All servers must be configured according to the CIS Security Standards. This includes, but is not limited to:
- Operating system (OS) patching
- User and service account management
- Security settings
- Network configurations
OS patching is managed by the IT Server Operations department and must be performed every 30 days, unless an “IT Exception” is approved by IT Security.
3.2 User and Service Account Management
User and service accounts are managed in Active Directory. The IT Server Build Operations department is responsible for ensuring that all user and service accounts comply with CIS Security Standards.
3.3 Inventory Management
All servers must be registered in the CMDB inventory management tool. The IT Server Operations department is responsible for maintaining the accuracy and completeness of the CMDB.
3.4 Change Management
All changes to server configurations must be approved by the CAB. The IT-SOC is responsible for coordinating the change management process and ensuring that all changes comply with CIS Security Standards.
3.5 Security Monitoring
The IT Monitoring Operations department is responsible for monitoring server configurations for compliance with CIS Security Standards. Any non-compliance must be reported to the IT Security Operations department immediately.
3.6 Incident Management
The IT-SOC is responsible for managing any incidents related to server configurations. This includes coordinating the response, investigation, and resolution of incidents.
3.7 Audit and Compliance
The IT Audit and Compliance department is responsible for conducting regular audits to ensure compliance with this policy and the CIS Security Standards. Any non-compliance must be reported to the IT Security Operations department immediately.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party service provider found to have violated this policy may have their contract terminated.
5.0 Review and Update
This policy will be reviewed and updated annually by the IT Security Operations department to ensure it remains relevant and effective.
6.0 Contact
For any questions or concerns related to this policy, please contact the IT Security Operations department.
Summary
This policy outlines EDC Inc’s commitment to complying with the CIS Security Standards for Server Configurations. It establishes clear roles and responsibilities for managing server configurations, ensuring compliance, and responding to incidents. By adhering to this policy, EDC Inc can protect its information assets and ensure the integrity, confidentiality, and availability of data.