...
- Controls
- 3.1 Perhaps adjust the wording to note “stable” versions and at least applying security patches
- 5.5 Modify to emphasize that the events are being reviewed in addition to being logged.
- 6.1 Change wording to include CWE/SANS Top 25 and reference the UCI Application Security Checklist
- 6.x Remove any that are only developer-focused and redundant with the appsec checklist, and that would not apply to a project manager control and/or vendor products?
- Dump 6.2, 6.8. Maybe dump 6.5, 6.9, 6.11, 6.12, 6.13, 6.14?
- 10.3 Might not be applicable to our environment
- 11.4 VMs?
- 16.6 Define whether we mean log off or lock users, and define a time frame (15 min)
- 17 Add secure disposal of data here, or somewhere else?
- 19.2 does it belong?
...