Version 1.3 (in progress)
- Controls
  - Wording changes: 3.1, 5.5, 6.1, 11.4, 15.1, 16.6
  - Added: 17.4
  - Removed: 6.2, 6.8, 6.9, 6.12, 6.13, 19.2
- Working notes per control (the "x" mark is carried over from the original tracking list):

| Group | Mark | Control | Note |
|---|---|---|---|
| | x | 3.1 | Perhaps adjust the wording to note “stable” versions and, at a minimum, applying security patches. |
| 5 | x | 5.5 | Modify to emphasize that the logged events are also reviewed, not just logged. |
| 6 | x | 6.1 | Change wording to include the CWE/SANS Top 25 and reference the UCI Application Security Checklist. |
| 6 | x | 6.x | Remove any items that are developer-focused only and redundant with the AppSec checklist, i.e. not applicable as a project-manager control and/or to vendor products? Dump 6.2, 6.8. Maybe dump 6.5, 6.9, 6.11, 6.12, 6.13, 6.14? |
| 10 | x | 10.3 | Might not be applicable to our environment. |
| 11 | x | 11.4 | VMs? |
| 16 | x | 15.1 | Wording? |
| | x | 16.6 | Define whether we mean log off or lock the session, and define the time frame (15 min). |
| 17 | x | 17 | Add secure disposal of data here, or somewhere else? |
| 19 | x | 19.2 | Does it belong? |
Version 1.2
...