Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Version 1.3 (in progress)

  • Controls
    • Wording changes:
      • 3.1, 5.5, 6.1, 11.4, 15.1, 16.6
    • Added:
      • 17.4
    • Removed:
      • 19.2, 6.2, 6.8, 6.9, 6.12, 6.13
    • x3.1 Perhaps adjust the wording to note “stable” versions and at least applying security patches
    • x5.5 Modify to emphasize that the events are being reviewed in addition to being logged.
    • x6.1 - Change wording to include CWE/SANS Top 25 and reference UCI Application Security Checklist
    • x6.x remove any that are only developer focused and redundant with appsec checklist that wouldn't be applicable to project manager control and/or vendor products?
      • Dump 6.2, 6.8.  Maybe dump 6.5, 6.9, 6.11, 6.12, 6.13, 6.14?
    • x10.3 Might not be applicable to our environment
    • x11.4 VMs?
    • x15.1 wording?
    • x16.6 Define if we mean log off or lock users and define a time frame (15 min)
    • x17 add secure disposal of data or somewhere else?
    • x19.2 does it belong?

Version 1.2

  • Risk Classification Calculation
    • It now gives an automatic High rating any time restricted data is reported, regardless of availability/impact/likelihood input.
  • Addition of Control 17.1
    • Although it could be implied before from wording on other items, we wanted to make it crystal clear that “Restricted data should be eliminated where possible or must always be encrypted at rest using industry standard strong encryption technologies.”
  • Action Plan
    • Addition of Priority column
      • Although before people could infer the prioritization of action items by the target date (something sooner = more important?) that wasn’t always the case, so now it’s easier to communicate prioritization accurately.
    • Increased number of available rows and minor wording changes.
  • Residual Risk Acceptance
    • Completely new section, residual risk is the remaining risk left over after implementing (or choosing not to implement) the safeguards in the Controls section.  The purpose of this is that each Control that is required but not fully met should either have an associated action item defined for it in the Action Plan or be formally documented in this new section as an accepted risk by the appropriate risk decision maker.  Keep in mind that person is usually the Proprietor / data owner, not the IT person.
  • Other usability improvements
    • Link to data classification help page is clickable.
    • Included links to example network diagrams and data flow diagrams (including Visio templates) help page.

Version 1.1

  • Main sections are now numbered
  • System dropboxes options changed
  • Identify Threats section shortened
  • Risk Level Calculation tables removed
  • Whitespace between controls sections removed
  • Various small formatting changes
  • SRAQ LITE version created (same document with control detail sections removed)

Version 1.0

  • Initial version.

 

  • No labels