Checklist - IT Network and Data Security

Schools' Internal Financial Control Arrangements - Self-Assessment Checklist

IT NETWORK AND DATA SECURITY

SCHOOL:

Completed By:                Agreed with Head Teacher (Name):
Position:                    Signature:
Date:                        Date Presented to Governors:




The questions in this checklist set out the key controls to manage the risk of security breaches of your IT network and systems and unauthorised access to sensitive and confidential data held at your school.

The questions are derived from the Chartered Institute of Public Finance and Accountancy’s Control Matrices for Information Technology.


Contents
    IT Strategy
    IT Facilities
    Internet
    Access Controls
    File Security
    Software
    Virus
Each question is answered in a table with the following columns:

    Question | Yes | No | Action Proposed | Proposed Completion Date | Person Responsible


IT STRATEGY

1. Have you issued a guidance document on the use of usernames and passwords?

Risk:
    Impossible to link actions to a specific user.

2. Do you have any computer systems that hold sensitive pupil data?

Risk:
    Sensitive data may be viewed by unauthorised individuals.

3. Have you issued any guidance on IT security?

Risk:
    Users are unaware of the school IT policy.

4. Do all users have a unique username and password?

Risk:
    It is impossible to trace the actions of any individual using the system.

5. Are IT support staff included in this? (i.e. do they have their own username and password?)

Risks:
    - IT support staff have generic usernames.
    - If IT support staff use an existing/generic username, then changes made by IT support staff may not be traceable.

6. Are teaching support staff included in this? (i.e. do they have their own username and password?)

Risk:
    If teaching support staff use an existing/generic username, then changes made by teaching support staff may not be traceable.

7. Have instructions been issued instructing users never to share usernames and passwords?

Risk:
    Actions committed by the user sharing the username are subsequently connected with the owner of the username.

8. Is the policy regarding safekeeping of usernames strictly adhered to?

Risk:
    Endangers the security of critical files: a user sharing the same username can access the username owner's personal areas of the network.

9. Has a standard been imposed for the format of usernames and passwords?

Risk:
    The username/password combination is easy to guess.

10. Are passwords changed at regular intervals?

Risk:
    The password remains the same, making it easier to crack.

11. Do users of the computer equipment have to sign an IT security policy document outlining their responsibilities prior to use?

Risk:
    Users do not fully understand their responsibilities with regard to computer equipment in the workplace.

12. Do IT support staff also have to sign the policy document before accessing the computer equipment?

Risk:
    IT support staff may not have the same level of understanding of workplace policy as normal users.

13. Do teaching support staff also have to sign the policy document before accessing the computer equipment?

Risk:
    Teaching support staff may not have the same level of understanding of workplace policy as normal users.

14. Do any people not directly employed by the school have access to computer equipment? (e.g. supply teachers, volunteers, governors)

Risk:
    Such people may not have the same level of understanding of workplace policy.

15. Is the network separated into Curriculum and Administrative networks?

Risks:
    - Access to an incorrect network is established.
    - Sensitive data is exposed to users who should not have access to it.

16. Is the separation into Administrative and Curriculum networks enforced by physical separation? (i.e. is it impossible to sit at any one PC and access both networks?)

Risks:
    - Users of the curriculum network are able to access the administrative network.
    - File security ensures protection of sensitive files.

17. Is user access to the computer equipment removed when they leave? (e.g. usually the user account is disabled)

Risks:
    - Access continues after people have left.
    - Access to information is permitted to unauthorised people.

18. Is there a procedure in place for immediately informing the user administrator when a user leaves?

Risks:
    - Access to computer equipment continues after people have left.
    - Access to information is permitted to unauthorised people.

19. Are there different procedures for administration of users of the administrative and curriculum networks?

Risk:
    User administration is unnecessarily complex.



IT FACILITIES

20. Is support for your computer hardware provided externally?

Risk:
    Lack of expertise to provide a properly secure IT environment in which to work.

21. Is support for your network hardware provided externally?

Risk:
    Lack of expertise to provide a properly secure network.

22. Do you have a secure method of disposing of old IT equipment?

Risks:
    - Data can be extracted from old equipment.
    - Old equipment is not disposed of properly.

23. Has someone been given responsibility for disposing of out-of-date computer equipment?

Risks:
    - Data is accessed by unauthorised persons.
    - Non-compliance with legislation, including the Data Protection Act.


24. Where a security breach is noticed, would you report the incident?

Risks:
    - Security issues are not dealt with.
    - Security breaches persist.
    - Sensitive data is accessed.

25. Do you have a procedure for reporting security incidents?

Risks:
    - Insufficient details are recorded to make the security issue worthy of investigation.
    - The line of reporting is not clear.
    - Delays occur in reporting.

26. Is your computer equipment located in a secure area?

Risks:
    - Computer equipment is not secured sufficiently.
    - Unauthorised access to equipment occurs.

27. Is your network equipment located in a secure area?

Risks:
    - Network equipment is not secured sufficiently.
    - Unauthorised access to equipment occurs.


28. Are rooms containing IT and network equipment kept locked?

Risk:
    Unauthorised persons can physically access the equipment.

29. Is any of the IT equipment used offsite (e.g. laptops)?

Risk:
    Items used offsite are more exposed to theft.

30. Where equipment is used offsite, have you issued guidance on its use?

Risks:
    - Health and safety issues.
    - Environmental threats to equipment (e.g. sitting near heaters).

31. Is each item of IT equipment labelled with a unique identification?

Risk:
    Identification of equipment is difficult.

32. Are details of your computer equipment recorded in an asset log/inventory?

Risk:
    Removal of equipment goes undetected.

33. Has the responsibility for asset log/inventory maintenance been allocated to an individual?

Risk:
    Updates to computer equipment are not recorded.

34. Is the asset log/inventory checked regularly?

Risk:
    Items in the asset log/inventory no longer exist.

35. Do you have a provider responsible for an upgrade service for your computer operating system/software?

Risk:
    Critical software/operating system files are not kept up to date.

36. Are upgrades performed regularly?

Risk:
    Updates to critical operating system files/software are not performed sufficiently regularly.





INTERNET

37. Have you issued a policy on Internet use to pupils?

Risk:
    Pupils are unaware of their responsibilities whilst using the Internet.

38. Does the Internet policy for pupils include details on misuse of email?

Risks:
    - Virus attachments.
    - Inappropriate content.

39. Does the Internet policy for pupils include details on inappropriate Internet sites?

Risk:
    Legislation is broken through Internet use.

40. Have you issued a policy on Internet use to staff?

Risk:
    Staff are unaware of their responsibilities whilst using the Internet.

41. Does the Internet policy for staff include details on misuse of email?

Risks:
    - Virus attachments.
    - Inappropriate content.

42. Does the Internet policy for staff include details on inappropriate Internet sites?

Risks:
    - Staff use inappropriate sites during work time.
    - Staff access inappropriate content.
    - Legislation is broken through Internet use.

43. Do all users have to sign a copy of the Internet policy prior to browsing the Internet from equipment at your location?

Risk:
    Users are unaware of the details of the policy.

44. Have you employed Internet filtering technology?

Risk:
    Inappropriate sites remain accessible from the workplace.

45. Does the Internet filter keep a log which records browsing behaviour against an identifiable user?

Risks:
    - Unauthorised users gain access to websites.
    - Inability to detect inappropriate Internet use.
    - Inappropriate Internet use cannot be investigated effectively.


46. Is the Internet filter log regularly reviewed for evidence of inappropriate browsing behaviour?

Risk:
    Lack of review means that inappropriate behaviour is unmonitored.

47. Does the Internet filter log distinguish between staff browsing behaviour and pupil browsing behaviour?

Risk:
    The log does not distinguish between staff and pupils, making it impossible to determine where the inappropriate behaviour originates.

48. Would action be taken when inappropriate activity is discovered?

Risk:
    Viewing of sites prohibited by site policy.

49. Have you issued guidance as to what action should be taken if illegal material is viewed?

Risk:
    Guidance on illegal material is not compliant with police advice.


50. Would you contact someone if you suspected illegal material had been viewed?

Risk:
    If the contact is not the relevant person, sufficiently expeditious action may not be taken.

51. Does the Internet filter restrict the hours of Internet browsing?

Risk:
    Undetected browsing out of hours.

52. Is there a policy on attaching modems to IT equipment?

Risks:
    - Ability to bypass the firewall.
    - Ability to bypass the Internet filter.



ACCESS CONTROLS

53. Is a warning banner employed at log on? (i.e. a message that pops up as the user attempts to log onto the computer equipment)

Risk:
    Inappropriate users attempt to use the system.

54. Does this warning banner discourage use of the system by unauthorised users?

Risks:
    - Unauthorised users attempt access to the PC.
    - Security-critical data is accessed.
    - Unauthorised users can claim that they had no relevant warning if action is taken.

55. Does the user's account lock out after a defined number of attempts at logging on?

Risk:
    External "hackers" get an unlimited number of attempts to crack the password.

56. Are generic/shared logon accounts in use?

Risks:
    - Impossible to track the actions of any one user.
    - Inappropriate behaviour is identified with the wrong user.

57. Does the system force you to change a password at intervals?

Risks:
    - Passwords in continuous use give a long period of time for a "hacker" to break them.
    - If a password is compromised, lack of password changes leaves the account open for use continuously.

58. Are sensitive files secured?

Risks:
    - Unauthorised access to files and data.
    - Important files are lost or corrupted.

59. Has the system been set to time out after a defined period of inactivity?

Risk:
    Unauthorised access to another user's session.

60. Is there a policy of logging out of the PC when not in use?

Risks:
    - Unauthorised access to another user's session.
    - Critical files are locked open and cannot be backed up.



FILE SECURITY

61. Have you read the recent guidance document "Data Backup, Guidance for Cambridgeshire Schools"?

Risk:
    Approved backup procedures are not followed.

62. Have you implemented any of the recommendations from the recent guidance document "Data Backup, Guidance for Cambridgeshire Schools"?

Risk:
    Data is not adequately backed up.

63. Are user files included in a backup strategy?

Risk:
    If files are not backed up, then data loss could result.

64. Do you have a contact for the restoration of files (e.g. those deleted by mistake or corrupted)?

Risks:
    - Inability to get files restored.
    - No process for file restoration.
    - Reporting structure not adequately defined.



SOFTWARE

65. Is licensing information for installed software maintained?

Risks:
    - Insufficient records of software licences are kept, such that compliance with licensing requirements cannot be proven.
    - Non-compliance with FAST regulations.

66. Are users restricted to the software that they need to perform their job?

Risks:
    - Viruses installed with software.
    - Software conflicts introduced on the PC.

67. Is there a policy preventing users from installing their own software?

Risks:
    - Viruses installed with software.
    - Software conflicts introduced on the PC.

68. Do users have to sign a copy of the policy (preventing installation of their own software) prior to using the IT equipment?

Risk:
    Users are unaware of their responsibilities under the policy.



VIRUS

69. Do PCs have a current anti-virus solution installed?

Risk:
    PCs are not protected against virus infection.

70. Is there a person whose responsibility it is to ensure that the anti-virus solution is kept up to date?

Risk:
    The anti-virus product fails to update correctly.

71. Is there a policy on removable media (e.g. floppy disks)?

Risks:
    - Viruses can be brought into the workplace.
    - Data can be removed from the workplace.

72. Is there a procedure to follow if a virus infection is detected?

Risk:
    A virus infection is able to spread to other PCs.