INFRA-8 Host Hardening

What is this control about?

Providing various means of protection to a system is known as host hardening. A host hardening procedure provides guidance to employees with step-by-step instructions on handling systems and performing actions such as renaming default accounts, changing default passwords, locking unnecessary ports and services, etc.

There is no formal way to document this and no requirements as to what the host hardening needs to include. This remains at the discretion of each organization to define what critical systems require the step-by-step instructions.

Available tools in the marketplace

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• Host Hardening procedure template

Control implementation

Take an inventory of critical systems and determine wether each system requires a host hardening procedure.

For systems that require a host hardening procedure, document a procedure using the template provided.

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action.

• Provide the most up to date host hardening procedures for one critical system

Evidence example

From the suggested action above, an example is provided below.

1. Provide the most up-to-date host hardening procedures for one critical system.

Upload a policy or procedure. See template

No screenshot deemed necessary, as template provided serve as artifact example