Compliance Blade R77.30 - New Best Practices and Regulations
Solution

(1) New Best Practices added to R77.30

 

Application Control

APP110: Check that the Hit Count is enabled for all Gateways (via Global Properties)

APP111: Check the Hit Count data storage setting in the Global Properties

APP112: Check that the Hit Count is enabled on each relevant Gateway for Application Control

APP115: Check the Accessibility settings for UserCheck

APP123: Check that 'HTTP Inspection' is enabled on the Application Control blade

 

DLP

DLP101: Check that the DLP policy restricts the distribution of Financial Reports

DLP123: Check that the DLP Portal for Self Incident Handling is enabled on relevant Gateways

DLP124: Check the Accessibility settings for the DLP Portal

DLP132: Check that critical and high severity DLP policies are set to Prevent

DLP133: Check that the DLP blade has a valid Email address or Domain defined

DLP137: Check that default Mail Server settings are configured in the DLP blade

DLP138: Check the Extreme Conditions of the DLP Policy

 

Firewall

FW109: Check the Capacity Optimization of each Gateway

FW119: Check that no expired rules exist in the Firewall Rule Base

FW121: Check that each Gateway has a Firewall installed

FW145: Check that there are no unused rules in the Firewall rulebase

FW149: Check the Platform Portal's Accessibility settings

FW154: Check that sections in the Firewall rule base contain text in their header

FW155: Check that the Firewall rule base is optimally managed

 

Gaia

OS103: Check that Network Access via Telnet is disabled

OS104: Check that the IPv4 Static Routes contains a default route

OS108: Check that the System Clock is set automatically using NTP

OS109: Check that the NTP synchronization is working correctly

OS112: Check that Core Dumps are enabled

OS114: Check that the Syslog messages are being sent to the Management server

OS115: Check that the Audit logs are being sent to the Management server

OS116: Check that the Audit logs are being sent to the Syslog server

OS117: Check that a remote server is configured to receive system logs

OS118: Check that a DNS Suffix is configured

OS119: Check that a Primary DNS Server is defined

OS120: Check that a Secondary DNS Server is defined

OS121: Check that a Tertiary DNS Server is defined

OS122: Check that the Inactive Timeout for the Command Line Shell is set to 10 minutes or less

OS123: Check that the Inactive Timeout for the Web UI is set to 10 minutes or less

 

IPS

IPS128: Check the IPS Protection: TCP SYN Modified Retransmission

IPS129: Check the IPS Protection: TCP Invalid Retransmission

IPS130: Check the IPS Protection: Sequence Verifier

IPS131: Check the IPS Protection: DNS - General Setting

IPS132: Check the IPS Protection: Scrambling

IPS133: Check the IPS Protection: Mismatched Replies

IPS134: Check the IPS Engine Setting: MS-RPC - General Settings

IPS135: Check the IPS Engine Setting: TCP Segment Limit Enforcement

IPS136: Check the IPS Engine Setting: TCP Urgent Data Enforcement

IPS137: Check the IPS Engine Setting: Stream Inspection Timeout

IPS138: Check the IPS Engine Setting: TCP Out of Sequence

IPS139: Check the IPS Engine Setting: TCP Invalid Checksum

 

Mobile Access

MOB101: Check the Simultaneous Login setting in the Mobile Access blade

 

Threat Emulation

TE101: Check the Protected Scope of each Threat Emulation profile

TE102: Check the HTTP protocol setting of each Threat Emulation profile

TE103: Check the SMTP protocol setting of each Threat Emulation profile

TE104: Check the SMTP protocol configuration of each Threat Emulation profile

TE105: Check that Threat Emulation profiles block files when the nesting level is exceeded

TE106: Check the Emulation Environment of each Threat Emulation profile

TE107: Check the Excluded Mail recipient list of each Threat Emulation profile

TE108: Check the Excluded Mail senders list of each Threat Emulation profile

TE109: Check the Emulation Connection Handling Mode of each Threat Emulation profile

TE110: Check that Logging is enabled for each Threat Emulation profile

TE114: Check that the Threat Emulation engine is automatically updated

TE115: Check the frequency of scheduled updates of Threat Emulation engine

TE116: Check that Threat Emulation images are automatically updated

TE117: Check the frequency of scheduled Threat Emulation images in the Threat Emulation blade

 

URL Filtering

URL115: Check the Accessibility settings for UserCheck

URL137: Check that 'HTTP Inspection' is enabled on the URL Filtering blade

URL145: Check that the Hit Count is enabled for all Gateways (via Global Properties)

URL146: Check the Hit Count data storage setting in the Global Properties

URL147: Check that the Hit Count is enabled on each relevant Gateway for URL Filtering

 

VPN

VPN112: Check that the Client verifies the Gateway's certificate against the revocation list

VPN113: Check that Users Internal CA Certificates are renewed automatically

VPN123: Check the renewal process of Users internal CA Certificates

 

Example: Security Best Practice #APP111

 

(2) New Features

  • Send Security Alerts to Log Server
  • E-mail Notifications for Security Alerts
  • Users can define their own Best Practices around Firewall policy
  • Users can create their own corporate security policies and link them to Best Practices
  • Changed Security Scale from "Secure - High - Medium - Low", to "Secure - Good - Medium - Poor"
  • New set of Gaia OS Best Practices (see above)
  • New set of Threat Emulation Best Practices (see above)

 

 

(3) New Regulations added to R77.30

 

Australian Privacy Principles

The Australian Privacy Principles (APPs) replace the National Privacy Principles and Information Privacy Principles and apply to organisations, and Australian, ACT and Norfolk Island Government agencies. The APPs referenced here are taken from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which amends the Privacy Act 1988.

CJIS

CJIS is the Criminal Justice Information Services Security Policy. The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. CJIS is divided into 12 individual policy areas. The controls listed here are referenced in Version 5.2, dated 08/09/2013.

Katakri

Katakri 3.0 refers to the Finnish National Security Authority's National Security Auditing Criteria. Katakri is divided into four sub-divisions: Administrative, Personnel, Physical, and Information Assurance. The mapping provided by Check Point has focused on Information Assurance. Katakri provides different levels of security requirements. The Check Point Katakri mapping is based on 'Requirements for the base level (IV)'.

NERC CIP v.5

Cyber security requirements for Utility companies in the USA

PCI 3.0

Global framework for the protection of credit card data

PPG 234

This prudential practice guide (PPG) aims to assist regulated institutions in the management of security risk in information and information technology (IT). It is designed to provide guidance to senior management, risk management and IT security specialists (management and operational).

POPI

The Protection of Personal Information Act, 2013, is an official act of the Parliament of the Republic of South Africa. This report refers specifically to Chapter 3 (Conditions for Lawful Processing of Personal Information), and more specifically Condition 7.19, Security Safeguards - Security measures on integrity and confidentiality of personal information.

Statement of Controls (ISAE3402/SSAE16)

This report identifies the core control requirements of the Check Point Security Management, Security Gateways and Software Blades. All relevant security best practices have been mapped in line with Check Point recommendations. This report allows Check Point users to verify the status of their Check Point security environment and to ensure that it is in line with Check Point's recommendations.

 

 

Important Note: The R77.30 New Best Practices, Features and Regulations require the installation of sk105412 - R77.30 Add-On on Security Management Server / Multi-Domain Security Management Server.
