Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-242583 | CSCO-NC-000090 | SV-242583r714059_rule | Medium |
Description |
---|
Connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the Information System Security Manager (ISSM). |
STIG | Date |
---|---|
Cisco ISE NAC Security Technical Implementation Guide | 2021-04-14 |
Check Text ( C-45858r714057_chk ) |
---|
Review the posture policy to ensure mandated endpoints are being assed and if there are exceptions to the policy that they are documented and approved by the ISSM. 1. Navigate to Work Centers >> Posture >> Posture Policy. 2. Examine the enabled Posture Policies to determine if the endpoints that are mandated to be assessed will use the required policies. 3. If there is an endpoint type that should be assessed and there is a condition or conditions exempting a sub group of that endpoint type, verify that the sub group is documented and approved by the ISSM. If the policy will not be applied to required endpoints or if exempted endpoints are not approved and documented, this is a finding. |
Fix Text (F-45815r714058_fix) |
---|
Configure the posture policy to assess mandated endpoints. 1. Navigate to Work Centers >> Posture >> Posture Policy. 2. Choose the drop-down located next to "Edit" on the right side of the page where you want the new policy inserted. 3. Choose "Insert new policy". 4. Define a Name. 5. Select the applicable Identity Groups. 6. Select the applicable Operating Systems configured in the requirement previously created. 7. Select the Compliance Module configured in the requirement previously created. 8. Select the Posture Type configured in the requirement previously created. 9. Select Other Conditions if used. 10. Select the Requirement ensuring there is a green check box to the left of the name indicating it is a mandatory requirement. 11. Choose "Done". 12. Choose "Save". Note: For exceptions, a condition can be made to "Not Equal" or "Not Contains" a pattern to exempt devices from the policy. |