01.03.02 Information Security Checklist

Document Sample
01.03.02 Information Security Checklist Powered By Docstoc
					                                                                                       Administrative Procedures

Ref    Importance    Control Objective                                                    Response                 Evidence to Support Answer

Disaster Recovery & Contingency Plan
                     Has a business contingency plan been developed and tested?
       H             Does this also include a disaster recovery plan?
Standard Builds
                     Is a standard build being used for all operating systems? Has a
       M             security lockdown been applied?
Logging Events

                     Do the audit logs contain the following: type of event, date and
       M             time, source and destination IP addresses and user id?

       M             Is a process in place to review the failed login attempt logs?
                     Do the logs contain the last login and unsuccessful login
       M             attempts?
       M             Are the logs retained for the minimum time period?
       M             Is access to the log files restricted?
       M             Do the logs contain escalation of privileges?

                     Has the EPHI inventory been updated in the last year? Have the
       H             relevant systems been inventoried and the owners identified?
Systems Testing
       M             Are security controls verified through testing?

       M             Is a process in place to report, document and resolve any flaws?
Change Control
       M            Do you have a change control process in place?
                    Are requests for program changes, system changes, and
       M            maintenance are standardized, logged and approved?
                    Are emergency change requests are documented and subject to
       M            formal change management procedures?
Termination Procedures
                    Are accounts for terminated employees removed in a timely
       H            manner?
Transfer Process
                    Are accounts for employees that are transferrring within WU
       H            updated in a timely manner?
Database Security

       M             Are databases configured in line with the security controls?
                     Is a process in place to periodically review the department
                                                                                 Physical Security

Ref Importance Control Objective                                                            Response   Evidence to Support Answer

Security Awareness Training
     M               Is Security Awareness training in place for employees?
Input Restrictions
     M               Is information input restricted to the appropriate personnel?

     M            Are unique user names and passwords used for authtentication?
Password Policy Enforcement
     M               How is password aging set up?
     M               How are the requirements setup for strong passwords?
     M            Is there a process to reset passwords?
Account Lockout after Failed Login
     M            Are accounts setup to lockout after 3 to 5 failed attempts?
Back Ups
     H            Are back-ups scheduled?
     M            Where are back up tapes stored?
Group Accounts for Operations Staff

                    Are the privileged users notified of their responsibilities regarding
                    the administrative accounts and passwords? Is a procedure in place
       M            for a secure distribution or group account passwords?
                    Do IT Personnel understand and accept their responsibility
       M            regarding internal controls?
Facility Access Controls
                    Are facility access controls in place to ensure protected information
       H            is secure?
                    Are personnel with physical access to privileged systems
       M            documented?
Visitor Access Controls
       M            Are visitors signed in and escorted in your area?
Data Destruction
                    Is data purged, over written, degaussed, destroyed when disposed
       M            or used else where?
       M            Is this logged?
Mobile Computing
       M            Are security controls for mobile devices monitored?
       M            Are mobile devices inventoried and tracked?
                                                                                       Technical Security Services

Ref    Importance      Control Objective                                                       Response              Evidence to Support Answer

Session Management

       M               Do sessions timeout after a defined period of inactivity?
       M               Are users promted to re-authenticate periodically?
Patch Management

        H             Patch managemet is required for all systems. Is a process in place?
Anti Virus Software and Updates
                      Anti Virus Software is required to be up to date. Is a process in
        H             place?
Hosting Environment

        M             Are systems deployed in a physically secure environment?
System Infrastructure
                      Is the system infrastructure, including firewalls, routers, switches,
                      servers and other related devices, properly configured to prevent
        M             unauthorized access?
                      Are networks segregated to prevent security problems in one area
        M             from affecting others?
        H             Is only valid traffic allowed?

      M              What is the process to ensure the firewalls are managed securly?
Network Intrusion Devices (NIDs)

        M               Is a mechanism in place to scan traffic and detect malicous traffic?
Testing with Sensitive Production Data
                        Protected information is prohibited to be used in the non
        M               production environment. Is a process in place?
Isolation of the Environments
                        Are the production systems isolated from the development or test
        M               environments?
                        Is a process in place to ensure the test accounts are not be shared
        M               between the environments?
Data Integrity
                        Have data integrity ownership and responsibilities been
                        communicated to appropriate data/business owners and have they
        M               accepted these responsibilities?

                      Is protected information secured logically and physically in storage
       M              and transmission against unauthorized access or modification?
Securing Data across Networks

       H               Is confidential data protected when transported across a network?
                                                                   Technical Security Mechanisms

Ref     Importance Control Objective                                                                Response   Evidence to Support Answer

                      Is a procedure in place for authorization and / or supervision of employees
        M             who work with protected information?

        M             Is least privileges implemented?

        M             Are personnel with privileged system access documented?
        M             Is authentication setup based on group or role?
Shared User ID's
        M            Are accounts unique and associated to an individual - not shared?
System Authentication
                      Is access between different servers authenticated to prevent unauthorized
         M            users from gaining access to protected information?
Disabling Default Accounts

                      Are test and default accounts disabled / removed when testing is
         M            complete?
Periodic Review of User Access

        M             Are user permissions periodically reviewed to confirm access is up to date?
                                                                              Third Party Security

Ref    Importance Control Objective                                                                  Response   Evidence to Support Answer

Third Party Security
                       A Non Disclosure Agreement (NDA) needs to be in place with a third party
                       if protected information will be disclosed or exchanged. Is a NDA in
       M               place?
                       Protected information needs to be secured in a third party environment.
                       Has the third party provided documentation confirming these standards
       M               are being met?
       M               Is data securly transferred to a third party?

       M               Have controls been implemented to confirm the integrity of the data?
                       Have controls been implemented to confirm the confidentiality of the
       M               data?
                       Is a process in place for changes and updates by third parties to be
       M               authorized?
       M               Are back-up polices in place for third parties?
                       Are security requirements documented in contracts and SLAs with a third
       M               party?

                       If product is being hosted by the third party, assurance is needed that the
       M               operation functions are in place. Is a process in place for this?

       M               Is a process in place for security incident management?
                       Is confirmation of the compliance with written security policies and
       M               procedures monitored?
                       Is data storage at a third party monitored to confirm destoryed when
       M               required?
                       Code of Conduct will apply to the third party working on Washington
       M               University premises. Is this communicated?
                       Are controls in place to ensure development or 3rd party vendors are not
       M               given access to production services?