Standard builds are formally documented. All accounts are unique, justified, authorized, and continuously reviewed. Default accounts are deleted or disabled. All administrative and security activities, and all access to confidential data, are logged, stored, and reviewed. Access to audit trails is restricted. All system password controls meet the defined password policies. All system accounts grant the minimum access necessary, as defined by policy. Administrative accounts are used only under change control procedures and never for day-to-day system operation. The controls applied to administrative accounts and passwords, and the monitoring of their authorization, allocation, and use, are documented. All software is authorized and fully licensed.
Hardening procedures for systems, applications, and devices are formally documented and include the following: ICSA-certified anti-malware tools (e.g. anti-virus, anti-spam, anti-spyware) are installed on systems and kept up to date; anti-malware tools detect, remove, and protect against non-virus malicious software (e.g. spyware, adware, rootkits); only the minimum software required is installed; default accounts and passwords are changed; production systems do not have language compilers installed and carry only the bare minimum support for any interpreted languages; file permissions are locked down.
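The hardening requirements above are stated as outcomes; the following POSIX shell script, added here as an illustration and not part of the original document, shows how a defender could audit a Linux host against three of them: no compilers on production systems, no unexpected interactive accounts or accounts with empty passwords (a proxy for "default accounts and passwords are changed"), and no world-writable files. The compiler name list, the allowlist argument format, and the `--live` flag are assumptions of this example; the account checks read passwd- and shadow-format lines from standard input so they can be exercised on constructed sample data without root.

```sh
#!/bin/sh
# Added example (not from the original document): hardening-baseline audit helpers.
# Assumptions: compiler names below are the common ones to look for; the
# allowlist is a comma-separated list of accounts permitted a login shell.

# Print any language compilers found on PATH (production systems should print nothing).
find_compilers() {
  for c in gcc cc g++ clang tcc rustc go; do
    if command -v "$c" >/dev/null 2>&1; then
      printf '%s\n' "$c"
    fi
  done
}

# Print world-writable regular files under the given directory on the same filesystem.
world_writable_files() {
  find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# Read /etc/passwd-format lines on stdin; print accounts that have a real login
# shell but are not in the allowlist ($1). Default/vendor accounts left with a
# shell show up here.
unexpected_login_accounts() {
  awk -F: -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }
  '
}

# Read /etc/shadow-format lines on stdin; print accounts whose password field is
# empty, i.e. accounts that can log in with no password at all.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }'
}

# Run the full audit against the live host (requires root for /etc/shadow).
run_live_audit() {
  echo "== compilers on PATH =="
  find_compilers
  echo "== login accounts not in allowlist (root) =="
  unexpected_login_accounts "root" < /etc/passwd
  echo "== accounts with empty password =="
  empty_password_accounts < /etc/shadow
  echo "== world-writable files under /etc and /usr =="
  world_writable_files /etc
  world_writable_files /usr
}

if [ "${1-}" = "--live" ]; then
  run_live_audit
fi
```

Invoke as `sh audit.sh --live` on the host being checked; any output under a heading is a deviation from the documented baseline and should be raised as a finding, not silently fixed.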
A multi-tiered development environment exists, logically and physically separating development, staging, and production systems. The configuration of key systems complies with vendor recommendations, is documented, and is separated physically, virtually, by forest, and by location.