11.6: Use Dedicated Workstations for All Network Administrative Tasks
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Network |
Protect |
2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Inputs
The set of devices used for administrative purposes
The access control configuration
Operations
N/A
Measures
M1(i) = (For each machine “i”) 1 if an administrative device has internet access; 0 otherwise.
M2(i) = (For each machine “i”) 1 if administrative device can run any application that is not administrative; 0 otherwise.
M3 = Count of administrative devices
Metrics
Administrative Device Configuration
Metric |
The ratio of improperly configured administrative devices to the total number of
administrative devices.
|
Calculation |
|