Security/Scoring and other levels: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Automated sync from https://github.com/mozilla/wikimo_content)
 
(Automated sync from https://github.com/mozilla/wikimo_content)
 
Line 45: Line 45:
== Scoring and other levels ==
== Scoring and other levels ==


These levels should be used when possible.
These levels can optionally be used.


=== RFC2119 handling recommendation levels ===
=== RFC2119 handling recommendation levels ===
Line 56: Line 56:
|-
|-
|-
|-
! <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">OPTIONAL</span>
! <span style="border-radius: .25em; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">OPTIONAL</span>
|
|
* This is up to the reader to choose to follow or not to follow this recommendation.
* This is up to the reader to choose to follow or not to follow this recommendation.
|-
|-
! <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">SHOULD</span>
! <span style="border-radius: .25em;display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">SHOULD</span>
|
|
* Should is very close to "must do" - however, exceptions may be granted after discussion.
* Should is very close to "must do" - however, exceptions may be granted after discussion.
|-
|-
! <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MUST</span>
! <span style="border-radius: .25em;display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MUST</span>
|
|
* This must be done, is required, mandatory - there is no exception.
* This must be done, is required, mandatory - there is no exception.
Line 79: Line 79:
! Expectations
! Expectations
|-
|-
! <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Modern</span>
! <span style="border-radius: .25em; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Modern</span>
|
|
* State of the art configuration from a security point of view.
* State of the art configuration from a security point of view.
Line 85: Line 85:
* Fewer server/clients may be compatible.
* Fewer server/clients may be compatible.
|-
|-
! <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Intermediate</span>
! <span style="border-radius: .25em; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Intermediate</span>
|
|
* Usually the default configuration we recommend.
* Usually the default configuration we recommend.
Line 91: Line 91:
* Fewer server/clients may be compatible, though the majority should be compatible with this configuration.
* Fewer server/clients may be compatible, though the majority should be compatible with this configuration.
|-
|-
! <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Old</span>
! <span style="border-radius: .25em;display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Old</span>
|
|
* Configuration that you may only use if other configurations cannot be followed for technical reasons
* Configuration that you may only use if other configurations cannot be followed for technical reasons

Latest revision as of 18:22, 21 September 2016

READY

The goal of this document is to ensure consistency, coherence between security documents. All Mozilla security documentation should follow the recommendations below.

The Enterprise Information Security (Infosec, formerly OpSec) team maintains this document as a reference guide for operational teams.

Updates to this page should be submitted to the source repository on github. Changes are detailed in the commit history.

OpSec.png

Scoring and other levels

These levels can optionally be used.

RFC2119 handling recommendation levels

See also RFC 2119 for a formal definition.

Level Expectations
OPTIONAL
  • This is up to the reader to choose to follow or not to follow this recommendation.
SHOULD
  • Should is very close to "must do" - however, exceptions may be granted after discussion.
MUST
  • This must be done, is required, mandatory - there is no exception.

Recommended configuration states

These are used to match recommended configuration states. It describes set of documentation configuration state that we recommend using, depending on your use-case.


Level Expectations
Modern
  • State of the art configuration from a security point of view.
  • Generally better for security sensitive services.
  • Fewer server/clients may be compatible.
Intermediate
  • Usually the default configuration we recommend.
  • Reasonable configuration that we recommend while covering the largest amount of clients.
  • Fewer server/clients may be compatible, though the majority should be compatible with this configuration.
Old
  • Configuration that you may only use if other configurations cannot be followed for technical reasons
  • Relatively safe - but must be moved to the intermediate configuration above when possible.
  • Generally supports the largest amount of servers/clients.

Document Status Codes

These are used in the header of every document to clearly signify its current status.

Level Expectations
READY
  • Means the document is ready for user consumption and is expected to be followed.
DRAFT
  • Means the document is in progress or does not cover all cases.
  • You may follow this document for guidance, at your own risk.
NOT READY
  • Means the document should not be followed right now.

Pass/fail tests

Tests are not levels per se. When possible, they either pass or fail. It's similar to a walk/don't walk traffic sign.

Level Coding rationale Expectations
PASS
  • Green generally means acceptance, allowance such as the traffic sign "Walk".
  • Means a test successfully passed.
  • There is no "almost passed": test must completely pass.
FAIL
  • Red generally means refusal, denial, such as the traffic sign "Don't walk".
  • Means a test did not pass.

Scoring levels

Scores are used to gamify usage of security controls and features. Note these levels do not directly signify risk, and are instead intended to provide a grade for a particular objective. The mapping to objective can be used as a base to create a mapping to Security/Standard_Levels.

The letter E is not used in the grades in order to keep scores concise and voluntarily less granular (see expectations for each grade below). The use of + and - modifiers is allowed if necessary. These are added to represent going slightly above or below expectations.

Level Expectations
A+, A, A-

Highest possible grade.

  • Support all features and controls.
  • All intentions of objective met.
B+, B, B-
  • Supports most important features and controls.
  • Some outliers need attention.
  • Most intentions of objective met.
C+, C, C-

D+, D, D-

Score may moderately contribute to risk.

  • Potential service blocker.
  • Needs attention and features need to be enabled/controls added.
  • Minimal to moderation intentions of objective met.
F

Lowest possible grade, score may greatly contribute to risk.

  • Zero to minimal intentions of objective met.
  • Immediate attention and action are required.
  • Score likely to block the service.
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Scoring_and_other_levels&oldid=1148627"