The administrative aspect of a security standard consists of a has the following elements, which one might consider foundational in readiness for a secure operating environment.
Installation, Change, Configuration and Patch Management - All critical information assets should be patched on a regular basis to eliminate known vulnerabilities.
Security requirements should be incorporated into the installation process. The operating environment should be secured or hardened before all other software installation. Where possible, put a restriction on where connections to each target system can originate from.
Authentication, Authorisation, and Access Control - Empower administrators to manage systems, but restrict their access. Actions of privileged accounts have to be limited. Use roles to assign and manage privileges. Access to production environment from all other none production environments should not be allowed.
Data Discovery and Classification - There should be a complete and continuous inventory of all information assets, irrespective of lifecycle status. Knowing which targets contain sensitive data is key requirement in any security strategy; therefore all systems should be located and classified according to the sensitivity of their data. One other thing to do is to identify data types that need to be protected following business requirements, and legal and regulatory mandates. There are systems that can help automate the scanning of your environment and discover available targets.
