Check: ENTD0320
Test and Development Zone A STIG: ENTD0320 (in versions v1 r6 through v1 r3)
Title
Installation of operating systems on systems and devices in the test and development environment must be logically separated to prohibit access to any operational network. (Cat III impact)
Discussion
Systems are most vulnerable to attack during the installation of an operating system because no security controls have been put in place to protect the system. It is very important to block all access to a system while the operating system is being installed and configured until such time that security controls can be implemented.
Check Content
Determine whether the organization has a connection approval policy on the installation of operating systems within the test and development environment. The policy must include either physically disconnecting or blocking the system at the firewall in order to achieve complete isolation from any network traffic. If no connection approval policy has been developed, this is a finding.
Fix Text
Create a policy to ensure the test or development system is physically disconnected or blocked at the firewall from any external network during the installation of an operating system.
Additional Identifiers
Rule ID: SV-51538r1_rule
Vulnerability ID: V-39671
Group Title: ENTD0320 - Installation of operating systems and devices not logically separated.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |