An Audit (and Commentary) Based On
Risk Assessment - Best Practices
(as compiled by the President's Commission on Critical Infrastructure Protection)


Conduct a security training program for all employees according to their job responsibilities and access authorizations, integrating this program with existing physical security aspects.

Authenticate the identity of all users of the system, determine the uses of the system for which they are authorized, and restrict access to only the authorized functions and data.

Isolate critical operational control systems from all public and most internal networks, or provide adequate firewalls.

Provide adequate procedural and technical controls to assure data integrity, to detect instances of unauthorized change or deletion, and to recover when necessary.

Authenticate and log the origin of all commands to change the operating conditions of the controlled infrastructure.
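The three criteria above on user authentication and authorization, data integrity, and authenticated, logged commands are stated as policy, so the following is an added illustration of what an auditor would expect to find behind them; it is not code from the PCCIP report or from this site. It assumes a hypothetical control system front end in which each command request carries an HMAC tag computed with a per-user key and a monotonically increasing sequence number (so a captured command cannot be replayed), each user has an explicit set of authorized functions, and every decision, accepted or rejected, is appended to a hash-chained audit log whose `verify()` method reports the first entry that has been altered or removed. All users, keys, and commands are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample data: which functions each user is authorized to invoke.
AUTHORIZATIONS = {
    "operator1": {"set_pressure", "read_status"},
    "viewer1": {"read_status"},
}

# Constructed per-user secrets used to authenticate command requests.
USER_KEYS = {
    "operator1": b"constructed-operator-key",
    "viewer1": b"constructed-viewer-key",
}

# Constructed key protecting the audit log chain (assumed to be held by the logger only).
LOG_KEY = b"constructed-audit-log-key"

# Highest sequence number accepted per user; rejects replayed command requests.
LAST_SEQ = {}

GENESIS = "0" * 64


def sign_command(user, seq, command, key):
    """Tag a command request with HMAC-SHA256 over (user, seq, command)."""
    msg = f"{user}|{seq}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log where each entry's MAC covers the previous MAC (hash chain)."""

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.prev_mac = GENESIS

    def _mac(self, prev_mac, payload):
        return hmac.new(self.key, (prev_mac + payload).encode(), hashlib.sha256).hexdigest()

    def append(self, record):
        payload = json.dumps(record, sort_keys=True)
        mac = self._mac(self.prev_mac, payload)
        self.entries.append({"payload": payload, "mac": mac})
        self.prev_mac = mac

    def verify(self):
        """Return the index of the first altered/missing entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._mac(prev, entry["payload"])
            if not hmac.compare_digest(expected, entry["mac"]):
                return i
            prev = expected
        return None


def handle_command(user, seq, command, tag, log):
    """Authenticate the origin, check authorization, and log the outcome of one command."""
    record = {"user": user, "seq": seq, "command": command}
    key = USER_KEYS.get(user)
    # Authentication: unknown user or tag mismatch is rejected before anything else.
    if key is None or not hmac.compare_digest(sign_command(user, seq, command, key), tag):
        record["result"] = "rejected: authentication failed"
        log.append(record)
        return False
    # Replay protection: sequence numbers must strictly increase per user.
    if seq <= LAST_SEQ.get(user, 0):
        record["result"] = "rejected: replayed sequence number"
        log.append(record)
        return False
    LAST_SEQ[user] = seq
    # Authorization: the user may only invoke functions explicitly granted.
    if command not in AUTHORIZATIONS.get(user, set()):
        record["result"] = "rejected: not authorized"
        log.append(record)
        return False
    record["result"] = "accepted"
    log.append(record)
    return True


if __name__ == "__main__":
    log = AuditLog(LOG_KEY)
    tag = sign_command("operator1", 1, "set_pressure", USER_KEYS["operator1"])
    print("operator1 set_pressure:", handle_command("operator1", 1, "set_pressure", tag, log))
    print("replay of same request:", handle_command("operator1", 1, "set_pressure", tag, log))
    print("log intact:", log.verify() is None)
```

The log answers the "detect instances of unauthorized change or deletion" criterion only for the log itself; an auditor would still look for the same chained or signed record on the operational data the commands modify, and for the log key being stored somewhere the command path cannot write.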

Create a CERT, or similar response capability, with the equipment and training needed to investigate suspected intrusions, isolate and recover damaged systems, and restore service to customers.

Provide adequate back-up and recovery capability for the programs and data of any information system that is necessary for normal operations and customer service. To better assure the availability of key control systems, information systems and data, consider redundancy, geographic separation of primary and back-up systems, alternative methods, effective use of encryption, and other relevant security options.

Conduct regular assessments of the vulnerability of information systems using the technical expertise of the National Security Agency (NSA) and others as appropriate to assure that new techniques for attacking systems can be contained by the protective measures currently installed.

While I believe that the PCCIP is well-meaning in their attempt to identify best practices in risk assessment, they seem to have missed the mark in this particular analysis. I suspect that no government agency today could pass an independent audit based on the specified criteria.


Your comments are welcomed - email to fred at all.net