4.8.1 Countermeasures to be implemented against preconditions
This subsection describes countermeasures to be implemented against the preconditions checked in 4.6 Checking the preconditions for a secure system.
The table below shows the preconditions checked in 4.6 Checking the preconditions for a secure system and the countermeasures to be implemented.
| Precondition type | Countermeasure |
|---|---|
| Physical preconditions | |
| Operational preconditions | |
These countermeasures are outlined below.
(1) Countermeasures for physical preconditions
The countermeasures for physical preconditions are as follows.
- Physical countermeasures
  - The System administrator should install the hardware running the system, the firewall, the servers, and the internal network within a server area that is physically isolated from the outside.
  - The System administrator should not bring into the server area any hardware or software that is not necessary for running the system.
  - The System administrator, System operator, and Auditor should enter and exit the server area in accordance with the Entry and Exit Procedure document.
  - For details about the Entry and Exit Procedure document, see 4.9 Considering work procedures.
(2) Countermeasures for operational preconditions
The countermeasures for operational preconditions are described below.
- Measures for the System administrator
  - For the position of System administrator, a trusted user who will be responsible for the entire system and will not conduct malicious acts should be selected.
  - The System administrator should be trained in system configuration and management and should be familiar with system configuration and management methods. The System administrator should also be familiar with methods for configuring and managing the hardware that will be used in the system.
  - The System administrator should configure and manage the system, taking security precautions into consideration.
  - The System administrator should set difficult-to-guess, highly secure OS and Management Server management passwords for himself or herself and for the System operators.
    For details about the System Setup Procedure document, see 4.9 Considering work procedures.
- Measures for System operators
  - The System operators should be trained in system operation and be familiar with system operation methods.
  - The System operators should take security precautions into consideration when operating the system.
  - The System operator should set difficult-to-guess, highly secure passwords for end-users.
    For details about the System Operating Procedure document, see 4.9 Considering work procedures.
- Measures for the System auditor
  - For the position of Auditor, a trusted user who will be responsible for the entire system and will not conduct malicious acts should be selected.
  - The Auditor should be a user who is not a System administrator.
  - The Auditor should verify the validity of the system setup procedures. The Auditor also audits the validity of the operating procedures.