  1. Zero Trust Workload Identity Manager
  2. SPIRE-82 Threat Model Findings
  3. SPIRE-100

T379: Provide sufficient documentation for security-related features


    • Sub-task
    • Resolution: Unresolved
    • Major
    • OAPE Sprint 277

      Prepare security guidelines as part of the product and in other traditional forms. For example, a part of the product could be warning messages that pop up when the features are going to be used, and other forms of security guidelines are booklets and manuals.

      Follow these guidelines:

      • Create security guides that tell the users how to securely use or configure the device/software.
      • If the software/module is being used in another system, fully document the security parameters, capabilities and settings.
      • Seek and fill out standard security statement forms (such as the MDS2 form) to specify the security and privacy features of your product.

      Include these topics in security documents where applicable:

      • Privacy policies and types of data that are handled.
      • Authentication and authorization mechanisms.
      • Security features for all services, protocols, and ports that are in use.
      • Data protection methods (data in transit and data at rest).
      • Emergency procedures (break-glass features).
      • Backup/restore, logging and auditing features.
      • Communication with other software/devices including removable devices (for example, external hard drives, and flash memory).
      • Physical security (if applicable).
      • Virus and malware protection mechanisms.
      • Device sanitization (for example, instructions on how to permanently delete personal data).

      Document insecure settings

      Address insecure settings that are present during the first system bootup in installation and configuration documentation. If they are not addressed appropriately, the system may be left vulnerable to cyberattacks.

      FedRAMP / Moderate Baseline

      SA-4 (1): System And Services Acquisition | Acquisition Process | Functional Properties Of Security Controls
      The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

      SA-5: System And Services Acquisition | Information System Documentation
      The organization:

      a. Obtains administrator documentation for the information system, system component, or information system service that describes:

      1. Secure configuration, installation, and operation of the system, component, or service;
      2. Effective use and maintenance of security functions/mechanisms; and
      3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

      b. Obtains user documentation for the information system, system component, or information system service that describes:

      1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
      2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
      3. User responsibilities in maintaining the security of the system, component, or service;

      c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;

      d. Protects documentation as required, in accordance with the risk management strategy; and
      e. Distributes documentation to [Assignment: organization-defined personnel or roles].

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-3-supporting-and-tooling-offering/openshift-zero-trust-workload-identity-manager/tasks/phase/specifications/311-T379/

      Training Modules

      Privacy Fundamentals
      Secure Software Design

              Unassigned
              sdelements Jira-SD-Elements-Integration Bot