[cabf_netsec] Survey Monkey Results

Ben Wilson ben.wilson at digicert.com
Wed Aug 16 09:35:25 MST 2017


So far we've had 9 responses.  Here are the current rankings in importance
in ascending order:

Weighted average   Item
----------------   ----
1.44               Password rules (currently 12 characters, OR 8 characters + changes every 90 days, OR a documented policy)
2.56               Modifying 2.j. "review all system account configurations every 90 days"
2.56               Timeframes in which to disable system access of former employees (currently within 24 hours)
2.89               Addressing software development vulnerabilities and processes
3.00               Addressing wireless security vulnerabilities
3.22               Clarifying audit documentation requirements for network/system configurations (1.f, g, and h)
3.22               Including mitigating factors and compensating controls in the NCSSR
3.56               Penetration tests after changes the CA determines are "significant"
3.56               Providing guidance on the criteria for acceptable penetration tests and vulnerability scans
3.56               Defining "Critical Vulnerability" and "Critical Security Event" and clarifying actions to take
3.78               Defining terms like "workstation", "account", "zone", "CA System," and "Issuing System"
4.00               Clarifying action to take within 96 hours of detecting a vulnerability not otherwise addressed by CA's procedures
4.11               Clarifying log review, "human review" of logs vs. automated reviews
4.22               Defining "Root CA System", "Offline" and "Air-Gapped" and clarifying associated requirements

