cdpse-d2-infrastructure-system-hardening

System Hardening

isaca-cdpse · framework · Production-ready

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is System Hardening

System hardening is the disciplined process of reducing a system's attack surface by eliminating unnecessary functionality, enforcing least-privilege configurations, and applying security controls so that only the minimum required services, accounts, ports, and permissions exist. In a privacy architecture context, hardening is the technical mechanism that makes privacy controls enforceable: a system that exposes unnecessary services or retains default credentials cannot reliably protect personal data, regardless of what policies exist on paper.

Where it stops · what it isn't

—IS: Disabling unused services, ports, and protocols; removing or disabling default and shared accounts; applying OS and application security patches; enforcing secure configuration baselines (CIS Benchmarks, NIST STIGs, vendor security baselines); configuring audit logging; enabling host-based firewalls; restricting administrative access; applying file-system and registry permissions.
—IS: Infrastructure hardening scope includes on-premises servers, cloud instances (IaaS/PaaS), containers (Kubernetes, Docker), network devices, and databases — all components that store, process, or transmit personal data.
—IS NOT: Hardening is not the same as vulnerability scanning. Scanning identifies gaps; hardening closes them. Hardening is also not a one-time event — configuration drift makes it a continuous discipline — and is not synonymous with patching alone (patching is one hardening activity among many).
—IS NOT: Hardening does not replace identity and access management, encryption, or network segmentation. It works alongside them. A hardened system with weak passwords remains vulnerable.
—IS NOT: Application-layer code hardening (secure coding practices, input validation, SAST/DAST) is a related but distinct domain. This cubelet covers OS, infrastructure, and platform hardening only.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Privacy Architecture — Infrastructure

REQUIRES

Vulnerability ManagementAsset Inventory and Classification

ENABLES

Access Control ImplementationZero Trust ArchitectureGDPR Article 32 Compliance (Security of Processing)

RELATED TO

Network SegmentationPatch Management

CONSTRAINS

Data Breach Probability

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.