cc5-2 | Critical priority | Security / Control Activities

General controls over technology are selected and developed

Technology infrastructure requires its own layer of controls. This criterion addresses the foundational technology controls that support everything else: configuration management, patch management, access controls on infrastructure, separation of environments, and security of the development pipeline. These are the controls that prevent the platform itself from being compromised or misconfigured in ways that undermine application-level controls.

Complete first: cc5-1

Implementation steps

  1. Enforce infrastructure security baselines

     Define and enforce a security baseline configuration for your infrastructure: servers must have SSH key access only, no default credentials, logging enabled, IMDSv2 required on EC2, public S3 buckets blocked by policy, security groups following least privilege. Use infrastructure-as-code to enforce these baselines and detect drift.

     Tools: terraform, pulumi, aws-config, checkov, tfsec
  2. Separate production, staging, and development environments

     Production must be isolated from development and staging. Developer access to production should be restricted to what is operationally necessary and audited. Production credentials must never appear in development environments. Use separate accounts or projects per environment and enforce access controls at the account boundary.

     Tools: aws-organizations, gcp-folders, azure-subscriptions
  3. Implement patch and vulnerability management for infrastructure

     All operating systems, containers, and infrastructure dependencies must be patched on a defined schedule. Vulnerabilities should be remediated within 30 days, and critical-severity CVEs within 7 days. Use automated patching where possible. Track patch compliance and report it as a metric.

     Tools: aws-systems-manager, dependabot, snyk, qualys, tenable
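As an added illustration of the drift detection called for in step 1 (not part of this control page or of any listed tool), the script below evaluates a constructed, boto3-shaped inventory against three of the baseline items above: IMDSv2 required on every instance, no security group exposing an admin port to 0.0.0.0/0, and S3 Public Access Block fully enabled. The data structures, resource names and the `check_baseline`/`open_admin_rules` helpers are assumptions made for the example.

```python
from typing import Dict, List

# Constructed sample inventory shaped like boto3 describe_* / get_public_access_block
# responses. Not live API output; i-drift002 and assets-bucket deliberately drift.
INSTANCES = [
    {"InstanceId": "i-good0001", "MetadataOptions": {"HttpTokens": "required"},
     "SecurityGroups": [{"GroupId": "sg-tight"}]},
    {"InstanceId": "i-drift002", "MetadataOptions": {"HttpTokens": "optional"},
     "SecurityGroups": [{"GroupId": "sg-open"}]},
]
SECURITY_GROUPS = {  # GroupId -> ingress rules (IpPermissions subset)
    "sg-tight": [{"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "sg-open": [{"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
BUCKETS = {  # bucket name -> PublicAccessBlockConfiguration
    "logs-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "assets-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never world-reachable under this baseline
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def open_admin_rules(rules: List[Dict]) -> List[int]:
    """Return admin ports reachable from 0.0.0.0/0 via the given ingress rules.
    A rule with no port bounds (protocol -1) is treated as all ports."""
    ports = []
    for rule in rules:
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        ports += sorted(p for p in ADMIN_PORTS if world and lo <= p <= hi)
    return ports


def check_baseline(instances, groups, buckets) -> List[str]:
    """Compare inventory against the baseline; each finding is 'control:resource'."""
    findings = []
    for inst in instances:
        if inst["MetadataOptions"].get("HttpTokens") != "required":
            findings.append(f"imdsv2-required:{inst['InstanceId']}")
        for sg in inst["SecurityGroups"]:
            for port in open_admin_rules(groups.get(sg["GroupId"], [])):
                findings.append(f"no-world-open-admin-port-{port}:{inst['InstanceId']}")
    for name, pab in buckets.items():
        if not all(pab.get(k) for k in PAB_KEYS):
            findings.append(f"s3-public-access-block:{name}")
    return findings


if __name__ == "__main__":
    for finding in check_baseline(INSTANCES, SECURITY_GROUPS, BUCKETS):
        print(finding)
```

In practice the three inventories would be filled from the cloud API on a schedule and the findings list fed to a ticket queue or an AWS Config-style compliance report, which is also the evidence an auditor asks for under this criterion.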

Evidence required

Infrastructure security baseline documentation

Evidence of defined and enforced infrastructure security configurations.

  - Terraform or IaC code enforcing security configurations
  - AWS Config rules with compliance reports
  - CIS Benchmark scan results for cloud infrastructure

Environment separation evidence

Evidence that production is isolated from non-production environments.

  - AWS account structure showing separate prod and dev accounts
  - IAM policies restricting developer access to production
  - Network diagram showing environment boundaries

Patch compliance records

Evidence of patch management process and current compliance status.

  - Patch compliance report from systems manager
  - Dependabot or Snyk vulnerability remediation history
  - CVE remediation tickets with closure dates

Related controls