CYB 300: 4-4 Milestone Two: Checklist Analysis and Modification ...
Checklist Analysis and Modification
Overview
Checklists play an important role in the maintenance and protection of systems. They also play a part in hardening a system. Most security analysts identify components and settings within systems that need to be modified to enhance security. Following checklists, engineers can implement the security enhancements identified by the analysts. A certificate authority (CA) is part of a public key infrastructure (PKI) that helps secure the communications within a system.
In this activity, you will evaluate an existing checklist to ensure that it is relevant and up to date. Additionally, you will be asked to update the checklist according to directions in your scenario. These checklist elements rely heavily on the steps you completed in your lab in Module Three and your lab this week in Module Four. Make sure you complete your Module Four lab before beginning your milestone. Refer to that lab if you have any questions.
Your submission will include two documents: one for Part I and a second for Part II. For Part II, use the checklist template provided.
The purpose of this assignment is to explore the use of checklists. Your work on this milestone will contribute to your Final Project, where you will need to create a checklist. Furthermore, the revised checklist created in this milestone can be used as a guide for your work in Part II of your final project, which will be submitted in Module Seven.
Scenario
Your manager has provided a checklist for setting up a CA server. They would like you to review the checklist for several criteria. It is essential to verify that the checklist covers the elements needed for a CA server. They would like you to identify any possible gaps within the checklist. Your manager is aware that the checklist is old and there are items on the checklist that may require updates. Your manager has prioritized three new items for the checklist, which include automatic certificate revocation, encryption, and validity period of certificates. Your manager needs your recommendations as a security analyst for those three areas in the checklist. They would like you to fill in the Requirements and Control Overview sections of the checklist for those areas.
Your manager has identified three parameters that should be added to the Root Certificate Requirements section of the checklist. These parameters are an essential part of the root certificate and should be present for the requirements to be implemented.
Parameters
Parameter CA-1(H): <IT-defined revocation of certificates>
Parameter CA-1(I): <IT-defined PKI>
Parameter CA-1(J): <IT-defined validity period>
Prompt
Review the Milestone Two Checklist, which is linked in Module Four of your course, and address the critical elements listed below.
Part I: Analysis of Existing Checklist
- Evaluate the checklist: Provide feedback on the Milestone Two Checklist provided by your manager. Identify at least two areas of the checklist that require updating or improvement. Note: The checklist you are evaluating is modeled after section 4.5 of the NIST 800-70, Guidelines for Checklist Users and Developers.
- Evaluate the applicability of the checklist. Given the requirements in the scenario, is the checklist accurate in addressing the needs identified? Justify your evaluation.
Part II: Additional Checklist Elements
- Add additional checklist elements for automatic certificate revocation. Complete the Requirements and Control Overview sections for additional elements.
- Add additional checklist elements for encryption. Complete the Requirements and Control Overview sections for additional elements.
- Add additional checklist elements for the validity period of the certificate. Complete the Requirements and Control Overview sections for additional elements.
- Add identified parameters to the Root Certificate Requirements section of the checklist.
CA Server Root Certificate Requirements Checklist (CA-1)
Requirements
- Identify information systems that support organizational missions/business functions
- Identify and select the following types of information system accounts that support organizational missions/business functions: [administrative, service]
- Identify authorities from each department for root certificate assignment approval
- Secure protocols used, TLS v1.2
- Client renegotiation disabled
- Account notification to CA authorities:
  - When user or system accounts are terminated
  - When individual information system usage changes
  - When account inactivity is for a period of 90 days
- Authorize root certificate assignment for information systems based on:
  - A valid access authorization
  - Other attributes as required by the organization or associated missions/business functions
- <Add element for automatic certificate revocation here>
- <Add element for encryption here>
- <Add element for validity period of the certificate here>
CA-1 Root Certificate Requirements
Requirements
Support organizational missions: <IT defined>
Parameter CA-1(D): <IT-defined transport layer security>
Parameter CA-1(E): <IT-defined client renegotiation policy>
Implementation Status (check all that apply):
☒ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Organization
☒ IT system specific
☐ Hybrid (organization and IT system specific)
Control Overview
| Part | Description |
|---|---|
| Part A | <The IT department will be responsible for identifying and selecting the types of accounts required to support the application. Examples of account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. A successful control response will need to address the specific requirements fulfilled by each account type in use.> |
| Part B | <The IT department will be responsible for selecting information systems and identifying who will have responsibilities related to their management and maintenance. A successful control response will need to discuss how information systems are defined within the organization.> |
| Part C | <The IT department will be responsible for identifying the individuals responsible for CA assignment approval. A successful control response will need to identify the person responsible for CA assignments.> |
| Part D | <The IT department will be responsible for identifying the transport layer security. A successful control response will need to ensure that the proper communication security is in place.> |
| Part E | <The IT department will be responsible for verifying that the certificate renegotiation is disabled from the client machine. The certificate renegotiation will be initiated only from the server. A successful control response will need to identify that a policy is in place to be audited and maintained.> |
| Part F | <The IT department will be responsible for defining the role of an individual to be notified if any criterion [a, b, or c] is met. A successful control response will identify the individuals and procedures used to enforce those conditions.> |
| Part G | <The IT department will be responsible for the assignment of a certificate if any criterion [a or b] is met. This may include the assignment and revocation of certificates. The individual will be responsible for notifying the person responsible for the certificate authorization. A successful control response will outline the procedure and the communication needed to properly report the issue.> |
| Part H | <Include control overview explanation for automatic certificate revocation here> |
| Part I | <Include control overview explanation for encryption here> |
| Part J | <Include control overview explanation for the validity period of a certificate here> |