14.6: Protect Information Through Access Control Lists
Sub-control 14.6 states that you must leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Date | Protect | 1, 2, 3 |
Dependencies
-
Sub-control 1.4: Maintain Detailed Asset Inventory
-
Sub-control 1.5: Maintain Asset Inventory Information
-
Sub-control 5.1: Establish Secure Configurations
Inputs
-
Endpoint Inventory: The list of all endpoints.
-
Access control configuration policy: The organizationally defined access control configuration policy.
Operations
- For each endpoint in I1, collect the “ground truth” access policy for that endpoint and compare it to the access control configuration policy in I2. Generate a list of endpoints which comply with the specified access control configuration policy (M1) and a list of endpoints that do not comply with the specified policy (M2).
Measures
| Measure | Definition |
|---|---|
| M1 = List of endpoints that comply with access control configuration policy (compliant list) |
A list of endpoints that comply with the access control configuration policy. |
| M2 = List of endpoints that do not comply with access control configuration policy (non-compliant list) | A list of endpoints that do not comply with the access control configuration policy. |
|
M3 = Count of items in M1 |
A count of the total number of items in M1. |
| M4 = Count of items in M2 | A count of the total number of items in M2. |
| M5 = Count of endpoints in I1 (total number of endpoints to check) | A count of all the endpoints in I1. |
Metrics
Coverage
| Metric | Calculation |
|---|---|
| The percentage of endpoints which are compliant with the organization’s access control policy. | M3 / M5 |