Controls for securing removable/portable

• Implement logging and audit trails of media removal from or relocations within the organization's premises and maintain as appropriate to the data classification level.
• Require prior management approval and authorization for storage of data as appropriate to the data classification level on removable media including removal or relocation of the media.
• Impose restrictions on the type(s) of media, and usages thereof, where necessary for adequate security.
• Restrict agency users from storing high sensitivity data including but not limited to personal information on removable media (i.e., USB thumb drives, flash drives, compact discs, tapes) unless specifically directed to do so as part of their job function and authorized by agency management.
• Encrypt all data on mobile and remote computers/devices (e.g. laptops and/or desktops) that are used from outside an agency location to access or store high sensitive data to support normal business operations.
• Ensure that high sensitive maintained on peripheral devices (e.g., USB enabled portable storage devices, DVD, and/or CD-ROM) is secured through the use of encryption technologies or other security measures.
• Restrict remote access to high sensitivity information, including but not limited to PII, to authorized remote access services as identified in the Enterprise Access Control Security Policy.
• Use a “time-out” or automatic log out function for remote access and mobile devices requiring user re-authentication after a specific, agency defined period of inactivity.

Separation of Duties

• Separation or segregation of duties is a method for reducing risk of accidental or deliberate system misuse by segregating an individual staff member’s (including but not limited to employee, contractor, etc.) sphere of influence and control, and must be applied to the extent possible and practicable to all IT systems particularly those that collect, handle, store, process, dispose, or disseminate high sensitivity data.

Monitoring system use

• Configure event tracking and recording as needed per classification of the IT system. The level of monitoring should coincide with the criticality of the system and the results of the risk/vulnerability assessment.
• Monitor and review data as determined by the criticality of the application/system or information involved, past experience with information security incidents, and general risk assessment.

Antivirus

• All IT systems vulnerable to electronic viruses must be appropriately safeguarded against infection and retransmission.
• Agency wide automated updates of virus definitions must be employed where practicable to ensure that the most up-to-date definitions are in effect.
• Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
• This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
• Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
• Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
• Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research

Network controls

• Separation of operational responsibilities for networks from those for computer systems and operations, where appropriate
• Implementation of appropriate controls to assure the availability of network services and information services using the network
• Establishment of responsibilities and procedures for management of equipment on the network, including equipment in user areas
• Special controls to safeguard the confidentiality and integrity of sensitive data passing over the organization's network and to/from public networks