Reference no: EM132267198

Reply 1

I have selected my title for this discussion as "IVS-12". This is the control ID in cloud controls matrix sheet for the control domain "Infrastructure & Virtualization Security Wireless Security". COBIT 5.0 is the framework I have chosen to support its scope and applicability for complying the security policies and principles.

The processes "APO01.08, APO13.01, APO13.02, DSS02.02, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06" comes under this framework for enterprise management, governance, service delivery and support (COBIT). Under this control domain to achieve security controls a well architected security policy framework and business continuity processes needs to be established and followed.

Currently, I am working for a software driven networking company which manufactures network switches and also establishing sound place in cloud market in selling virtual EOS router images. For maintaining security controls, we have established and following security policies as follows: Operational management policy, Business continuity policy, Change control policy, Third party management policy. We are following below processes which supports COBIT5.0 framework for achieving the security controls.

User access and control: We have proper access and identity management (IAM) system in all the layers/domains of the IT infrastructure. Access control with least privilege is being followed in network department, systems department, web application department, application integration department, helpdesk department.

For better security, usage of google authenticator, DUO security application is being used for logging into critical assets and operations management.

All the default passwords got from purchase will be replaced with very strong password and also rotated in timely manner using "secret server" application. All the root credentials, admin credentials will be maintained only by team leads and managers used for making high level changes. Encryption is done using yaml for critical passwords instead of hardcoding the direct passwords into applications and assets.

Unauthorized access: We will direct all the logs from cloud accounts (AWS, Azure and GCP), Servers hosted (virtual, physical and cloud), networking logs, datacenter security appliances to application "Sumo logic". We will query the logs for unusual activities, multiple password authentication failures, unauthorized access to IT assets.

Network firewalls are configured in such a way that only required ports, CIDR ranges are allowed for business process continuity. Even only 443 port is opened for backing up the data from manufacturing sites with third party data management application. All the business-critical applications and assets are kept in DMZ network zone. No user is allowed to download or transfer data from product manufacturing servers to users local machines.

Reply 2

The Cloud Security Alliance Cloud Controls Matrix (CCM) is explicitly intended to give crucial security standards to manage cloud merchants and to help forthcoming cloud clients in surveying the general security danger of a cloud supplier.

The CSA CCM gives a controls structure that gives nitty gritty comprehension of security ideas and rules that are adjusted to the Cloud Security Alliance direction in 13 areas.

The establishments of the Cloud Security Alliance Controls Matrix lay on its redid relationship to other industry-acknowledged security models, guidelines, and controls systems, for example, the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will expand or give inward control bearing to support association control reports confirmations given by cloud suppliers.

Benchmark security prerequisites will be set up for created or procured, organizationally-claimed or oversaw, physical or virtual, applications and foundation framework and system parts that agree to appropriate legitimate, statutory, and administrative consistence commitments. Deviations from standard benchmark arrangements must be approved after change the executives strategies and systems preceding sending, provisioning, or use.

Consistence with security pattern prerequisites must be reassessed in any event every year except if a substitute recurrence has been set up and approved dependent on business needs.