Physical and Virtual Server Operations (Application, Web, Email)

Risks, Vulnerabilities and Threats

  • Compromised administrator login and/or program submission passwords
  • Administrators with greater than necessary “just in case” access
  • Combined services on the same server operating system
  • Unneeded services running
  • Vendor default set ups including default passwords
  • Malware attacks

 

Control Objectives and Operational Goals

  • Follow best practices for device hardening
  • Vulnerability scans and penetration tests provide “live” security information
  • Adequate audit trails with secure copies of logs
  • Operations and system programming staff needs to be given access on a need to know basis