Certified Digital Security Level 2
The detailed guidance document (see download at the bottom of this page) explains what is required to achieve this level, a summary is below. The document is divided in to 3 sections:
Section 1 Executive Summary of the target level.
Section 2 General guidance of how to implement the security recommended at this level.
Section 3 The audit criteria (or what is required to pass the audit).
This single document contains all the information necessary to implement the security for, evidence the fact and pass the audit required to achieve CDS Validation for the site tested.
Summary
Level 2 builds upon Level 1 by requiring the organisation to commit additional resource to improving the reliability of its digital assets by raising the awareness of its staff and ensuring that individuals entrusted with management of those assets are worthy of that trust.
To be compliant at Level 2, CDS requires the organisation is to have implemented the following:
Appropriate levels of Background Checks on their system Administrators; this is to ensure that the staff with the ultimate powers on the system are reliable and trustworthy.
User Training is mandated; users are now required to receive a minimum of 30 minutes training per year on their responsibilities and the secure operation of the system, this will reduce helpdesk calls and reduce security induced downtime.
The Patching of Servers and Workstations (and major applications where possible) to gain vendor provided stability, performance and security improvements (and to significantly reduce the risk of the system being successfully attacked).
The requirement for an Asset Tracking or management system will allow the staff and management to identify what is actually theirs and needs securing.
Enabling Logging the organization can support a basic forensics investigation should they become the victim of an incident.
A basic Forensic Readiness plan is required to prevent actions undertaken during a problem or incident from destroying digital evidence and valuable data.
The attack vector against wireless devices is reduced as Wireless Encryption is now required where hardware allows for its use.
Prohibit the connection of External Electronic Devices to the system as these can be used to both import attack tools and export the organizations important data.
CDS Certification
CDS documents are provided to the community free of charge. Organizations are encouraged to get their work independently verified through the CDS Audit scheme from either a CDS certified auditor or a partnering organisation. See the Certification section for additional information.
This is a summary; please download the detailed guidance document below. Also listed, are any supporting documents published by CDS for this level.
Any errors, omissions, comments or questions should be sent to certifieddigitalsecurity.com via of web form.
All documentation provided is formatted as PDF and a free Adobe PDF viewer can be downloaded from this link.
|
