Task: Patching
  Tools to Identify and Classify Systems:
    • FileMaker Pro (find functionality)
    • Active Directory CM
  Potentially Useful Classifications:
    • In AD (thus, have CM) and networked
      • Patched automatically and fully
      • Not automatic - provide reason
    • Not in AD and networked
    • Airgapped (no recent, live data)
  Remediation Strategies:
    If not automatic, make automatic. Else:
    • Document as justifiably non-compliant.

Task: Encryption
  Tools to Identify and Classify Systems:
    • FileMaker Pro (find functionality)
    • Active Directory CM
    • LastPass keys
  Potentially Useful Classifications:
    • Encrypted & required
    • Encrypted & not required
    • Not encrypted, but required
    • Not encrypted & not required
  Remediation Strategies:
    Primary concern: "not encrypted, but required" systems. Must make compliant. Any way to automate such systems' encryption?

Task: Screen Lock
  Tools to Identify and Classify Systems:
    • FileMaker Pro (find functionality)
    • Active Directory CM
  Potentially Useful Classifications:
    • Networked
      • 10-space
      • Full IP Address
    • Not networked
  Remediation Strategies:
    Current solution: manually verify non-networked systems for screen lock compliance.

Understanding Main Considerations

...

This will require getting a list from AD of all critical computers that are encrypted, and generating an Excel file from inventory of all critical computers whose function is neither instrumentation nor virtual machine and whose machine name follows the naming convention. Then, match up the two lists and find out which machines appear in both to solve concern #2.

Screen Lock

5.10 mandates that all computer systems not in a secure, private space run a password-protected screen saver that is automatically triggered after 15 minutes of inactivity.

Our main efforts, then, will be to eliminate systems that are typically in secured locations (such as instrumentation machines) from our search to refine which systems are at most risk, and therefore need more immediate attention for remediation. Thus, our primary concern is the following:

  1. Find out which non-secured critical computers are not in AD.

Current Solution to Screen Lock Concern #1

So far, we know to conduct a standard search of critical computers not in AD, with the added filter that they are not instrumentation machines (as these are typically secured).
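The list matching described under Understanding Main Considerations and the screen-lock search above both reduce to joining an AD export against the inventory export on machine name. The following is an added example (not part of this page or of the site's tooling): it assumes two CSV exports with hypothetical column names, a hypothetical naming-convention pattern, and constructed sample rows, and it buckets machines into the four encryption classes from the table plus the "not in AD" set for screen lock concern #1.

```python
import csv
import io
import re
# Hypothetical naming convention: site code, dash, four digits (e.g. LAB-0042).
NAME_PATTERN = re.compile(r"^[A-Z]{2,4}-\d{4}$")
# Functions the page treats as out of scope (instrumentation is typically secured).
EXCLUDED_FUNCTIONS = {"instrumentation", "virtual machine"}
# Constructed sample exports; column names are assumptions, not the site's schema.
AD_EXPORT = """name,encrypted
LAB-0001,true
LAB-0002,false
LAB-0004,true
LAB-0006,false
"""
INVENTORY_EXPORT = """name,function,critical
LAB-0001,workstation,yes
LAB-0002,workstation,yes
LAB-0003,workstation,yes
LAB-0004,instrumentation,yes
lab-5,workstation,yes
LAB-0006,virtual machine,yes
"""

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def encryption_required(row):
    """Critical, not instrumentation or a VM, and name follows the convention."""
    return (row["critical"] == "yes"
            and row["function"] not in EXCLUDED_FUNCTIONS
            and NAME_PATTERN.match(row["name"]) is not None)

def classify(ad_csv, inventory_csv):
    """Join AD and inventory on machine name; bucket into the table's four
    encryption classes, plus 'not_in_ad' for screen lock concern #1."""
    ad = {r["name"]: r["encrypted"] == "true" for r in load(ad_csv)}
    buckets = {"encrypted_required": [], "not_encrypted_required": [],
               "encrypted_not_required": [], "not_encrypted_not_required": [],
               "not_in_ad": []}
    for row in load(inventory_csv):
        required = encryption_required(row)
        if row["name"] not in ad:
            if required:  # non-secured critical computer with no AD record
                buckets["not_in_ad"].append(row["name"])
            continue  # out-of-scope machines absent from AD need no action here
        key = ("encrypted" if ad[row["name"]] else "not_encrypted") + \
              ("_required" if required else "_not_required")
        buckets[key].append(row["name"])
    return buckets
```

The "not_encrypted_required" bucket is the primary encryption concern from the table, and "not_in_ad" is the list to verify manually for screen lock.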

Remediation

Edge Cases

After we have gathered enough information and have started/almost finished remediation on critical computers of primary concern, then we can deal with edge cases, including: other operating systems, exceptions, etc. We simply need to focus our efforts on more important considerations before having a complete implementation of the policies.