Desktop Applications and Workstations Audit center doc


Desktop Applications and Workstation Security Audit
Company: Consolidated Widgets    Date: 11/3/2004

WORKSHEET OVERVIEW

Worksheet 1 - Business Impact Analysis
  Purpose: Used to identify the dollar impact that would occur with unethical actions/intentions with desktop applications and workstations.
  Instructions: Follow the instructions given for each table.
  Outputs: Business Impact Rating, which is exported to Sheet 5 - Business Risk Quotient.

Worksheet 2 - Weightings
  Purpose: Determines the weighted scoring of categories within Sheet 3 - Vulnerability Questionnaire.
  Instructions: If desired, type in new weightings in the areas shaded in gray. Base these numbers on your company's specific circumstances. If not, default weightings are used.
  Outputs: New weightings are automatically updated in Sheet 3 - Vulnerability Questionnaire.

Worksheet 3 - Vulnerability Questionnaire
  Purpose: Designed to uncover the areas of greatest vulnerability that exist with desktop applications and workstations.
  Instructions: Carefully read the questions in each category. Answer each to the best of your ability according to the current state of desktop application and workstation security.
  Outputs: Vulnerability Quotients for each category are automatically fed into the "Vulnerability" column in Sheet 5 - Business Risk Quotient.

Worksheet 4 - Probability Assessment
  Purpose: Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 - Vulnerability Questionnaire.
  Instructions: Select a number that best represents the chance of a negative security event occurring in the 11 categories in Sheet 3 - Vulnerability Questionnaire. Enter a percentage for each category.
  Outputs: Percentages are automatically exported into the "Probability" column of Sheet 5 - Business Risk Quotient.

Worksheet 5 - Business Risk Quotient
  Purpose: Statement of the desktop applications' and workstations' condition of relative business risk.
  Instructions: No intervention required. Outputs from Sheets 1, 3, and 4 automatically calculate the Business Risk Quotient.
  Outputs: Business Risk Quotient numbers represent your Current State, which are then exported to Sheet 6 - Audit Results and Sheet 7 - Final Report.

Worksheet 6 - Audit Results
  Purpose: Illustrates how the desktop applications' and workstations' Current State (in blue) ranks against the ideal Target State (in red), both of which are derived from Sheet 5 - Business Risk Quotient.
  Instructions: Note the Target State, which represents the minimum Business Risk Quotient level required to tackle desktop applications and workstations issues, according to its relative level of business risk.
  Outputs: None.

Worksheet 7 - Final Report
  Purpose: The Final Report automatically amasses and compiles all metrics, both Current and Target, as well as general recommendations for improvement.
  Instructions: Complete the specific tasks on the "Policy Amendment Recommendations" chart in order to improve security from its Current State to the Target State.
  Outputs: None.

Important Note: The scoring in Sheet 3 - Vulnerability Questionnaire and Sheet 5 - Business Risk Quotient is out of 5. The higher the scores, the less secure the desktop applications and workstations. Conversely, low scores represent better security.


SHEET 1 - DESKTOP APPLICATIONS AND WORKSTATION BUSINESS IMPACT ANALYSIS
Company: Consolidated Widgets    Date: 11/3/2004
Asset Name: Office XP    Person Responsible for Asset: Bob S.

Purpose: Used to identify the dollar impact that would occur with unethical actions/intentions with desktop applications and workstations.
Instructions: Follow the instructions given for each table.
Outputs: Business Impact Rating, which is exported to Sheet 5 - Business Risk Quotient.

1. Describe the functionality of this asset:
Office XP and associated desktop applications are installed across most of the user base for the completion of basic productivity tasks. Saturation of Office XP is pretty much complete: a vulnerability for one PC is likely a vulnerability for all PCs.

2. List the Business Units that rely on desktop applications and workstations, describe what work is performed, and then use the drop-down list in the third column to identify their reliance on desktop applications and workstations as either 'High,' 'Medium,' or 'Low':

  Business Unit/Functional Group | Work Performed                                      | Criticality to Work
  Administration                 | Day-to-day productivity tasks                       | High
  Sales/Marketing                | Occasional use for in-office letter composition     | Medium
  Accounting                     | Heavy reliance on the Excel-A/R software interface  | High
  IT                             | Minimal to no reliance on Office XP                 | Low
  Manufacturing                  | Minimal to no reliance on Office XP                 | Low

3. Choose a timeframe from the list below that best describes the impact on the organization, should there be an interruption of service to desktop applications and workstations. The organization would feel a significant impact within (check one only):
  Less than 4 hours of interrupted service. (This Asset is Vital)
  4-8 hours of interrupted service. (This Asset is Critical)
  8-24 hours of interrupted service. (This Asset is Essential)
  1-3 days of interrupted service. (This Asset is Important)
  3-5 days of interrupted service. (This Asset is Non-Critical)

4a. Determine which cost factors are associated with desktop applications and workstations in the Business Unit/Functional Group. Base the amounts on money lost per 24 hours of desktop applications and workstation downtime:

  Financial Cost Factors (Definition / Enter Estimated Dollar Costs From These Factors)
  Loss of Revenue: In most cases, the loss of revenue due to desktop application and workstation security breaches will cause a disruption in many areas of functionality across the company. The interruption of this functionality causes your organization to not be able to sell product, or fulfill orders. This could be the result of interruption in the shipping process or the services you offer as a result of lost or stolen documents, or secure information being given to a competitor. Scenarios could also include theft of proprietary material.
  Loss of Productivity: The system is down, causing a production shift to stand around or 'make work' to keep busy rather than doing whatever it is they were hired to do. Order entry staff can't take orders if the phones are down or their online systems aren't available. Production staff can't produce the product if the production line isn't functioning. Since staff still has to be paid, this time is considered a loss.
  Loss of Efficiency: Manual 'workarounds' are obviously less efficient than using an automated system. When the workflow is temporarily slowed, staff become less effective and less efficient. This slowdown can be measured by the percentage of loss associated with their performance. Staff whose operating cost is $1000 per hour would incur a loss of $500 per hour if they lost 50% of their efficiency due to an interruption of service.
  Increased Operating Costs: If extra shifts are added to make up for the downtime, operating costs are going to increase. Extra utility costs or paying your support staff to stay late and finish a process are two examples of how operating costs are likely to increase when a company goes into overtime to make a product they anticipated making during a single shift.
  Increased Labor Costs: If the production staff has to stay overtime to produce the product, they are likely going to cost time and a half for the second shift they work. The result is the expected cost to produce the product being potentially 2.5 times higher than anticipated.
  Increased Cost of Sales: This can occur as a result of extra communication that is required to inform customers of your inability to take orders. Or, it could be the result of extra effort/time required to complete a sale. Any interruption of service that delays the sales cycle would potentially increase the cost of sales.
  Estimated dollar costs entered for these six factors: $2,500.00, $5,000.00, $20,000.00, and $0.00 for each of the remaining three.
  Subtotal: $27,500.00

4b. Determine which cost factors are associated with an interruption of service in the Business Unit/Functional Group:

  Goodwill Cost Factors (Definition / Enter Estimated Dollar Costs From These Factors)
  Legal Costs: Depending on the nature of the interruption and its impact outside your organization, legal costs could be a serious factor.
  Remediation Costs: If customers are lost, there will need to be an increased effort to regain sales from new accounts. This will cost additional resource time from all areas of the business, in particular marketing and sales. This may also entail startup costs after an interruption of service.
  Production Delays: This could have a ripple effect throughout the organization. If you expected to produce 800 widgets today, but were unable to do so, your production schedule is now one day behind schedule. If another order was to be produced the following day, that order is now delayed as the current order is finished. The impact associated with this is difficult to measure. Depending on the relationship with the customer, it could be either very minimal or cause the customer to find another supplier.
  Reduced Consumer Confidence: There are a number of threats that could have a huge impact on the business in this regard. A security breach that the customers feel was avoidable could cost your organization dearly. A virus that found its way to a customer's network and was traced back to your organization could damage a relationship with that customer, particularly if the industry in which you work is highly sensitive.
  Reduced Customer Service: These might include reduced or terminated levels of service, information that is unavailable when customers call, customers unable to access information on the Web site, etc. These could be hard to estimate in most cases.
  Estimated dollar costs entered for these five factors: $7,500.00, $5,000.00, and $0.00 for each of the remaining three.
  Subtotal: $12,500.00

5. Total Financial Impact
  Total Dollar Impact: $40,000.00
  Daily Revenue: $104,166.00
  Daily Impact: 38.4%

6. The total financial impact is shown beside its corresponding rating. This is the Business Impact rating for desktop applications and workstations. This rating has been automatically exported to the "Business Impact" column on Sheet 5 - Business Risk Quotient.

  Rating | Daily Impact
  0.0    | 0% to 9.9%
  0.5    | 10% to 19.9%
  1.0    | 20% to 29.9%
  1.5    | 30% to 39.9%
  2.0    | 40% to 49.9%
  2.5    | 50% to 59.9%
  3.0    | 60% to 69.9%
  3.5    | 70% to 79.9%
  4.0    | 80% to 89.9%
  4.5    | 90% to 99.9%
  5.0    | Over 100%
  Definition labels used in the rating table: Zero impact, Negligible impact, Minor impact, Some impact, Moderate impact, Considerable impact, Strong impact, Heavy impact, Very heavy impact, Massive impact, Critical impact.


SHEET 2 - DESKTOP APPLICATIONS AND WORKSTATION WEIGHTINGS
Company: Consolidated Widgets    Date: 11/3/2004

Purpose: Determines the weighted scoring of categories within Sheet 3 - Vulnerability Questionnaire.
Instructions: If desired, type in new weightings in the areas shaded in gray. Base these numbers on your company's specific circumstances. If not, default weightings are used.
Outputs: New weightings are automatically updated in Sheet 3 - Vulnerability Questionnaire.

  #  | Category                      | Default Weight | Your Weighting
  1  | Application Policies          | 9.09%          | 9.09%
  2  | Enforcement                   | 9.09%          | 9.09%
  3  | Purchasing                    | 9.09%          | 9.09%
  4  | Post Purchase                 | 9.09%          | 9.09%
  5  | Virus Checks                  | 9.09%          | 9.09%
  6  | Copying                       | 9.09%          | 9.09%
  7  | Installation                  | 9.09%          | 9.09%
  8  | Maintenance                   | 9.09%          | 9.09%
  9  | Record Keeping                | 9.09%          | 9.09%
  10 | Workstation Asset Protection  | 9.09%          | 9.09%
  11 | Protection of Confidentiality | 9.09%          | 9.09%
     | Total                         | 100%           | 100%


SHEET 3 - DESKTOP APPLICATIONS AND WORKSTATION VULNERABILITY QUESTIONNAIRE
Company: Consolidated Widgets    Date: 11/3/2004

Purpose: This tool is meant to uncover the areas of greatest vulnerability that exist with desktop applications and workstations.
Outputs: Vulnerability Quotients for each category are automatically fed into the "Vulnerability" column on Sheet 5 - Business Risk Quotient.

Instructions and Definitions

Responses: To answer the questions, click once on the corresponding "Response" cell. Click on the arrow and select an answer from the dropdown menu. "Yes" answers add to your mark in the "Score" column. "No" answers will generate suggested action points in the "Recommendations" column. "N/A" answers (not applicable) are discounted from the audit, and the "Weight" column will automatically adjust to reflect their omission.

Questions: Carefully read the questions in each category. Answer each to the best of your ability according to the current state of this asset's security.

Score: This tool calculates weighting and scoring automatically. Refer to the bottom of each category (shaded in gray) to view your score for that area.

Weight: Represents the percentage of each question as a portion of the category total. Each category has its own weight in relation to the Questionnaire's overall score.

Analysis: Consult the Ranking Chart at the end of the Questionnaire to determine what your scores for the rest of the audit mean. The lower your score, the better your security. High scores represent an increasingly poor state of security for this asset. The "Explanations" provide a top-level state of security for their corresponding score, while the "General Recommendations" column provides advice on how to move up to the next level.

Results: Look under "Final Score" at the end of this spreadsheet (shaded in yellow) to view your total score for all categories and your Maturity Score. Again, these numbers are automatically calculated.

Comments: Enter your own comments, qualifications, observations, or any additional notes you have to make regarding particular questions or categories.

Recommendations: Recommendations for corrective measures are automatically generated based on your response. These recommendations will form the basis of your security strategy.

Security Categories
(Each question carries an equal share of its category's weight; questions answered "N/A" carry 0.0%. Each question is listed with its response; "No" answers are followed by the generated recommendation.)

1. Application Policies (9 questions, 11.1% each)
  1. Are there approved software policies in place? - Yes
  2. Is staff restricted from taking copies of software home to install when doing so is a violation of the copyright? - Yes
  3. Is staff restricted from loaning or giving software to non-employees? - No
     Recommendation: Ensure staff are restricted from giving licensed or company-developed software to clients, customers, friends, and others (Low Cost, Low Effort)
  4. Are employees restricted from installing or downloading software on company-owned equipment? - Yes
  5. Is justification required before installing any new software? - No
     Recommendation: Establish business case and written authorization prior to installing any new software, including shareware and freeware (Low Cost, Medium Effort)
  6. Are individuals prohibited from installing personally owned software on company equipment? - No
     Recommendation: Discourage employees from installing personally owned software on company equipment unless prior approval is obtained by the IT department and/or management (Low Cost, Low Effort)
  7. Is in-house developed software treated in accordance with established policies? - No
     Recommendation: Ensure in-house developed software is covered by the same policies as commercial desktop productivity software (Low Cost, Low Effort)
  8. Are employees prohibited from installing or downloading software from unknown and unapproved sources? - Yes
  9. If privately owned software is permitted, do employees have to provide the software license and ensure copyright infringement will not occur? - No
     Recommendation: Prior to authorizing personally owned software, ensure the employee provides the software license to ensure copyright infringement will not occur (Low Cost, Low Effort)
  Total: Score 55.6%; Category Weight 9.1%; Weighted Score 5.1%; Vulnerability Quotient 2.78

2. Enforcement (3 questions, 33.3% each)
  10. Are all provisions of license agreements followed? - No
      Recommendation: Ensure all provisions of the license agreements issued with software are followed (Low Cost, Medium Effort)
  11. Are periodic audits conducted to ensure software policies are being followed? - No
      Recommendation: Conduct periodic audits to ensure software policies are being followed (Low Cost, Medium Effort)
  12. Is staff held accountable for violation of any policies or copyrights? - Yes
  Total: Score 66.7%; Category Weight 9.1%; Weighted Score 6.1%; Vulnerability Quotient 3.33

3. Purchasing (10 questions; one N/A, so 11.1% each for the remaining nine)
  13. Is the purchase of software regulated? - No
      Recommendation: If feasible, ensure software, support, and services are obtained only through an approved procurement process (Low Cost, Medium Effort)
  14. Before purchasing new software, is extensive research conducted? - No
      Recommendation: Before purchasing software, conduct an extensive search of available software or applications which meet each particular need (Low Cost, Medium Effort)
  15. To guard against viruses, are machine-readable software and data files obtained only from reliable sources? - Yes
  16. Do procurement documents contain a requirement that the vendor have anti-viral procedures in place to ensure their media is uncontaminated by malicious software? - No
      Recommendation: Ensure procurement documents contain a requirement that vendors have anti-viral procedures in place to ensure their supplied media is uncontaminated by malicious software (Low Cost, Medium Effort)
  17. Are vendors required to demonstrate their software on stand-alone hardware? - No
      Recommendation: Where possible, ensure vendors demonstrate their software on stand-alone hardware (Low Cost, Low Effort)
  18. Is there readily available technical support for the product? - Yes
  19. Has the application been on the market for long? - N/A
  20. Have previous versions been relatively free of patches and/or upgrades? - Yes
  21. Has the vendor been thoroughly researched (software sold, other clients, reputation)? - No
      Recommendation: Consider that the new product is as yet untested in the marketplace, or a new company just in the market; this is a reliability issue (Low Cost, Low Effort)
  22. Is a list of pre-authorized and restricted software maintained? - Yes
  Total: Score 55.6%; Category Weight 9.1%; Weighted Score 5.1%; Vulnerability Quotient 2.78

4. Post Purchase (4 questions, 25.0% each)
  23. Is a license or other proof of ownership on file for each piece of software? - No
      Recommendation: Ensure that licenses and proof of ownership are on file for each piece of software (Low Cost, Low Effort)
  24. Is software documentation stored in a secure location? - No
      Recommendation: Ensure licenses, software manuals, and procurement documentation are stored in a secure location (i.e. closed locked cabinet) (Low Cost, Low Effort)
  25. Are current copies of critical application software kept and secured? - Yes
  26. Are sensitive and/or critical items stored with appropriate access controls in place? - No
      Recommendation: Ensure sensitive and/or critical items are clearly identified and stored with appropriate access controls in place (Medium Cost, Medium Effort)
  Total: Score 75.0%; Category Weight 9.1%; Weighted Score 6.8%; Vulnerability Quotient 3.75

5. Virus Checks (4 questions, 25.0% each)
  27. Is all media scanned with virus detection software prior to initial use? - No
      Recommendation: Ensure all PC machine-readable media, regardless of source, are scanned for malware before initial use and connection to the network (Low Cost, Medium Effort)
  28. Is sealed, off-the-shelf software also checked for viruses prior to installation? - No
      Recommendation: Scan all proprietary software for viruses, even when sealed in 'shrink-wrapped' plastic (Low Cost, Medium Effort)
  29. Are new applications tested for viruses on a PC that is not connected to the corporate network? - No
      Recommendation: Ensure new applications are tested for viruses on a PC that is not connected to the corporate network (Medium Cost, Medium Effort)
  30. When testing new software, is guest access used? - No
      Recommendation: When testing new software, use guest-level access and permissions so important files cannot be modified (Low Cost, Low Effort)
  Total: Score 100.0%; Category Weight 9.1%; Weighted Score 9.1%; Vulnerability Quotient 5.00

6. Copying (9 questions, 11.1% each)
  31. Is a backup copy made of all new software? - Yes
  32. Prior to making backup copies, are the originals write-protected? - No
      Recommendation: Prior to making backup copies and to prevent inadvertent destruction, write-protect original diskettes or use similar safeguards (Low Cost, Low Effort)
  33. If a vendor has not provided pre-approval of backup copies, do employees get vendor approval before creating additional copies? - No
      Recommendation: If a vendor has not provided pre-approval of backup copies, ensure employees get vendor approval before creating additional copies (Low Cost, Low Effort)
  34. Is only the permitted number of copies made of copyrighted software? - Yes
  35. If the license is for multiple users, is only the authorized number of copies made? - No
      Recommendation: If licensed for multiple users, ensure only the authorized number of copies are made by assigning installation duties to IT personnel (Low Cost, Medium Effort)
  36. Is the distribution of software controlled via log book/personnel? - Yes
  37. Are only new media used for copying software for backup storage and distribution? - Yes
  38. When copying software for backup or distribution, are open access workstations avoided? - No
      Recommendation: When copying software for backup or distribution, avoid using open access workstations (i.e. training rooms, user laboratories, etc.) (Low Cost, Low Effort)
  39. Is a standalone computer system used when preparing copies for distribution? - No
      Recommendation: Where possible, use a network-isolated computer system when preparing copies for distribution (Low Cost, Low Effort)
  Total: Score 55.6%; Category Weight 9.1%; Weighted Score 5.1%; Vulnerability Quotient 2.78

7. Installation (6 questions, 16.7% each)
  40. Are all vendor instructions followed carefully? - Yes
  41. Immediately before installing, is a double-check conducted to ensure the software is properly licensed? - No
      Recommendation: Immediately before installing, consider double-checking that the software is properly licensed, whether from the vendor or under the general public license (Low Cost, Medium Effort)
  42. Is application software separated from system software? - No
      Recommendation: If possible, separate system software and install application software on different partitions or different physical drives (Medium Cost, Medium Effort)
  43. Are operating system files and other executable files read-only? - Yes
  44. Is downloadable software kept on a separate drive or partition from system and critical application files? - No
      Recommendation: Ensure that purchased software that is downloaded is stored on a separate server or partition (Low Cost, Low Effort)
  45. Are controls established for local area networks that prevent anyone except authorized staff from loading software on file servers? - No
      Recommendation: Establish software loading controls on LANs and file servers (i.e. no uploading to FTP servers) (Low Cost, Medium Effort)
  Total: Score 66.7%; Category Weight 9.1%; Weighted Score 6.1%; Vulnerability Quotient 3.33

8. Maintenance (11 questions, 9.1% each)
  46. When feasible, are only trained and authorized staff permitted to install and support software? - Yes
  47. Are the original diskettes used when restoring damaged software applications? - Yes
  48. Are any vendor recommended changes or security fixes implemented as soon as possible after official receipt? - No
      Recommendation: Ensure vendor patches and/or security fixes are implemented as soon as possible after official receipt (Low Cost, Medium Effort)
  49. Are vendor patches tested? - No
      Recommendation: Test all vendor patches in an isolated test environment before rollout (Low Cost, High Effort)
  50. Prior to implementation or making changes, is there a procedure in place that permits backing out and returning to a stable state? - No
      Recommendation: Prior to implementing new software or making changes, ensure there is a procedure in place that permits backing out and returning to a stable state (Low Cost, Low Effort)
  51. Prior to implementing or making changes, are hours and days of operation considered? - Yes
  52. Are new, substantially modified, and/or sensitive applications thoroughly tested prior to implementation? - Yes
  53. Is software tested in a proper quality-assurance environment before deployment? - No
      Recommendation: Ensure testing is completed in a sufficient number of quality-assurance environments before releasing it into production or general use (Medium Cost, Medium Effort)
  54. When upgrades to software are purchased, are old versions disposed of properly in accordance with the licensing agreement? - No
      Recommendation: Ensure that obsolete software versions are disposed of in accordance with the licensing agreement (Low Cost, Low Effort)
  55. Post implementation, are the user functions and required administrative, technical, and physical safeguards verified as being present and operationally adequate? - No
      Recommendation: Post implementation, ensure that the user functions and required administrative, technical, and physical safeguards are verified as being present and operationally adequate (Low Cost, Medium Effort)
  56. Are end users trained and monitored in regards to the viral dangers of downloading free or shared programs, games, and demonstration programs? - Yes
  Total: Score 54.5%; Category Weight 9.1%; Weighted Score 5.0%; Vulnerability Quotient 2.73

9. Record Keeping (4 questions; one N/A, so 33.3% each for the remaining three)
  57. Are written records of software installed on each machine maintained? - No
      Recommendation: Maintain written records of software installed on each machine (Low Cost, Medium Effort)
  58. If cost effective, is special-purpose software purchased to inventory and document all software on all PCs? - N/A
  59. Is a software audit conducted to ensure only legal and approved software are installed and being used on an annual basis? - No
      Recommendation: On an annual basis, compare the written inventory of software to each individual PC to ensure only legal and approved software are installed and being used (Low Cost, Medium Effort)
  60. Are all illegal copies of software deleted immediately? - Yes
  Total: Score 66.7%; Category Weight 9.1%; Weighted Score 6.1%; Vulnerability Quotient 3.33

10. Workstation Asset Protection (19 questions, 5.3% each)
  61. Are outside doors secured at all times? - No
      Recommendation: Ensure outside doors are not propped open or otherwise compromised (Low Cost, Low Effort)
  62. Is adequate building and office security in place? - Yes
  63. When unoccupied, are office doors and windows locked? - No
      Recommendation: When unoccupied, keep office doors and first floor windows, fire escape windows, and security screens locked (Low Cost, Low Effort)
  64. Where practical, are locking devices used to anchor down PCs and equipment? - No
      Recommendation: Where practical, use locking devices to anchor PCs and equipment directly to desks, floors, or walls (Medium Cost, Low Effort)
  65. Are removable media locked away? - Yes
  66. Is only what is needed installed at workstations? - Yes
  67. Are various forms of locking devices considered for peripherals? - No
      Recommendation: Consider various forms of locking devices: floppy, keyboard and power switch locks that disable the electronics, password-protected screen savers, etc. (Low Cost, Low Effort)
  68. When not in use, are computers, cell phones and PDAs locked with a pass code? - No
      Recommendation: When not in use, lock computers, cell phones, and PDAs with a pass code (Low Cost, Low Effort)
  69. When away from desks for extended periods, are desks and cabinets locked up? - No
      Recommendation: When away from desks for extended periods, ensure desks and cabinets are locked up (Low Cost, Low Effort)
  70. When away from desks for extended periods, are keys, passcards, briefcases, cell phones, PDAs, etc. taken along or locked up? - Yes
  71. Are all personal effects kept in a locked container devoted to personal effects? - No
      Recommendation: Keep all personal effects in a locked container devoted to personal effects (Low Cost, Low Effort)
  72. Is all hardware etched or marked with identification numbers? - No
      Recommendation: Ensure all hardware is etched or marked with identification numbers (Low Cost, Medium Effort)
  73. Is an inventory of workstations kept and compared to a master list annually? - Yes
  74. Is personal accountability established for the protection of IT resources within staff control or possession? - No
      Recommendation: Establish personal accountability for the protection of IT resources within staff control or possession (Low Cost, Low Effort)
  75. Are security staff notified immediately if something goes missing? - Yes
  76. Does moving, disconnecting, or altering IT or telecommunications equipment require prior authorization? - Yes
  77. Do staff understand repair protocol so components are not taken under false pretenses? - Yes
  78. Are strangers and/or strange activity challenged? - No
      Recommendation: Establish procedures for querying strangers and/or strange activity within the facility (Low Cost, Low Effort)
  79. When returning from offsite visits, are diskettes, CDs, Zip disks, or electronic files run through virus checking software? - No
      Recommendation: When returning from offsite visits, ensure diskettes, CDs, Zip disks, or electronic files are run through virus checking software (Low Cost, Low Effort)
  Total: Score 57.9%; Category Weight 9.1%; Weighted Score 5.3%; Vulnerability Quotient 2.89

11. Protection of Confidentiality (15 questions; one N/A, so 7.1% each for the remaining fourteen)
  80. Are strangers permitted to use computers? - No
      Recommendation: Ensure strangers are not permitted to use computers without having signed a liability form (Low Cost, Low Effort)
  81. When leaving computers, are computers either locked, turned off, or put into a password-protected screen saver mode? - No
      Recommendation: When leaving computers, ensure computers are either locked, turned off, or put into a password-protected screen saver mode (Low Cost, Low Effort)
  82. In areas where workstations are shared by two or more users, does each user log out after a session? - N/A
  83. Is CTRL+ALT+DEL always used even if the login window already appears on the screen? - No
      Recommendation: To prevent Trojan horse attacks, ensure staff always log on with CTRL+ALT+DEL even if the login window already appears on the screen (Low Cost, Low Effort)
  84. Are passwords committed to memory? - Yes
  85. (question text not present in the extracted sheet) - No
  86. Are desks and furniture positioned so sensitive material is not visible from windows or hallways? - No
      Recommendation: Position desks and furniture so sensitive material is not visible from windows or hallways (Low Cost, Low Effort)
  87. (question text not present in the extracted sheet) - Yes
  88. Are removable media kept locked up (floppy disks, CDs, zip disks, tape, etc.)? - Yes
  89. Are day planners, rolodexes, and notebooks locked up? - No
      Recommendation: Ensure day planners, rolodexes, and notebooks are kept locked up rather than left out on the desk (Low Cost, Low Effort)
  90. Are disks and printouts labeled and stored according to their security level? - No
      Recommendation: Ensure disks and printouts are labelled and stored in accordance with their relative level of security (Low Cost, Medium Effort)
  91. Are folders arranged in file cabinets with differing security levels and the file cabinets locked when not in use? - No
      Recommendation: Arrange folders in file cabinets with differing security levels and ensure that the file cabinets are locked when not in use (Low Cost, Low Effort)
  92. Are documents and media handled and disposed of appropriately to meet security requirements? - Yes
  93. Are cache files on computers and memory on devices, like printers, cleared regularly? - Yes
  94. Are conscientious work habits recognized and encouraged? - No
      Recommendation: To reinforce rules, recognize and encourage safe, conscientious work habits (Low Cost, Low Effort)
  Total: Score 64.3%; Category Weight 9.1%; Weighted Score 5.8%; Vulnerability Quotient 3.21

Final Score
  Total Score (all categories): 65.3%
  Maturity Score: 3.3

Ranking Chart (Range / Explanation / General Recommendations)

Range 5 - Non-Existent/Not Performed
  Explanation: Company has never performed this audit; AND/OR: Company has never (or in the last 24 months) performed a vulnerability scan for this asset; AND/OR: There is no security reporting structure in place for this asset; AND/OR: Continuity of this asset is considered unworthy of the company's attention; AND/OR: There is no system in place for responding to an attack on this asset.
  General Recommendations:
  I. Address quick-fix security gaps immediately.
  II. Company can no longer fail to support security initiatives and best practices.
  III. Conduct gap analyses to isolate deficiencies in security practices.
  IV. Assign security responsibilities immediately.
  V. [Enter further recommendations here]
  VI. [Enter further recommendations here]

Range 4.0 - 4.9 - Ad-Hoc or Performed Informally
  Explanation: Company only responds reactively to security events; AND/OR: IT security is recognized as important, but is still not measured; AND/OR: Security responsibilities and duties are ill-defined; AND/OR: Responses to security events made without guiding policy or procedure; AND/OR: Responses to security events are unpredictable.
  General Recommendations:
  I.

Range 3.0 - 3.9 - Planned, Tracked, and Repeatable
  Explanation: Planned approaches to incident response have been considered, but not deployed; AND/OR: Security responsibilities and duties for this asset are assigned to someone without management authority; AND/OR: Security information for this asset is collected, but not analyzed; AND/OR: Response procedures are under development, but insufficiently resourced; AND/OR: Responses to security events still reactive, often using third-party products or services.
  General Recommendations:
  I. Establish formal security procedures/event handling processes for this asset.
  II. Establish plans for security training for IT Operating System.
  III. Start planning the switch to bring security asset management in-house.
  IV. Focus on proving to senior management how IT security investments directly impact the bottom line; ensure that proposals speak towards IT/business alignment.
  V. Ensure that the individual in charge of security is granted sufficient leeway to conduct his/her job duties without hindrance.
  VI. [Enter further recommendations here]
  VII. [Enter further recommendations here]

Range 2.0 - 2.9 - Defined
  Explanation: Security procedures are in place for this asset; AND/OR: Incident response procedures are standardized and formalized; AND/OR: Incident response follows a defined process available through staff training; AND/OR: General security plan exists for asset, but is IT-focused, not business-focused; AND/OR: Security responsibilities and duties for this asset are assigned, but not always enforced.
  General Recommendations:
  I. Measure and perform security procedures/event handling against established benchmarking data.
  II. Collaborate with management and HR to assign security responsibilities and duties with greater clarity.
  III. Start considering security courses and accreditations for IT staff.
  IV. Align security measures and purchases with business goals.
  V. [Enter further recommendations here]
  VI. [Enter further recommendations here]

Range 1.0 - 1.9 - Managed, Measured, and Controlled
  Explanation: Security procedures and event handling are completed against industry benchmarks; AND/OR: Security responsibilities and duties for this asset are clearly defined, assigned, and enforced; AND/OR: Security certifications are being/have been attained for this and similar assets; AND/OR: User identification and authorization are established and enforced; AND/OR: Security testing performed on this asset and improvements made where necessary.
  General Recommendations:
  I. Continue to define security requirements and procedures for this asset.
  II. Work towards fully integrating the auditing of this asset with the company's overall security plan/policy.
  III. Assess feasibility and fit of automated software tools to address security incidents and/or logging.
  IV. Develop and maintain ongoing awareness and analysis of vulnerabilities specific to this asset.
  V. [Enter further recommendations here]
  VI. [Enter further recommendations here]

Range 0.0 - 0.9 - Optimized
  Explanation: Security requirements for this asset are clearly defined, actively pursued, and incorporated with the company's overall IT security plan; AND/OR: Periodic security assessments for this asset are conducted; AND/OR: End users increasingly held responsible for the security of this asset (if applicable); AND/OR: Security incidents addressed with formal response procedures and automated tools; AND/OR: Information on new vulnerabilities is collected and analyzed, and proactive mitigation plans are implemented for continuous improvement.
  General Recommendations:
  I. Few recommendations; security practices are optimized at this point in time.
  II. Continue to update procedures as technologies progress and best practices dictate. Danger here lies in complacency.
  III. Remain vigilant, with an eye on continuous improvement.
  IV. [Enter further recommendations here]
  V. [Enter further recommendations here]
Create plans and processes for formal incident response procedures. II. Incorporate formal procedures into a guiding, company-wide security policy. III. Draft a set of security duties; incorporate them into the job description of the appropriate employee. IV. Consider how security, event, and log data will be captured and analyzed. V. [Enter further recommendations here] VI. [Enter further recommendations here] 84 Is sensitive data accessed from multiple workstations? Average Quotient (out of 5) All Categories 85 Are monitors positioned or are screen filters used so the display can not be read by passersby? 0 Explanation Final Score Ensure monitors are positioned or screen filters used so the display cannot be read by passersby -Low Cost -Low EffortDesktop Applications and Workstation Event Probabilities: Enter a percentage value for each category Note: Probability assessments are very much a judgment call on your part, as it is extremely difficult to account for criteria such as your specific hardware and software, pre-existing security measures, the physical layout of your office, geographic location, and so on. In fact, some security will almost definitely occur given enough time. The following table lists the numerical value of event probabilities. 0 to 10% = Negligible or no chance of this event occurring Application Policy Violation Non-Enforcement Poor Post Purchasing Requirements Lack of Virus Checking 11 to 20% = Minor chance 21 to 30% = Some chance 70.0% 50.0% Poor Purchasing Requirements 20.0% 51 to 60% = Good chance 61 to 70% = Strong chance 71 to 80% = Very strong chance 81 to 90% = Critical likelihood 10.0% 50.0% 31 to 40% = Fair chance 41 to 50% = Considerable chance Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 -Vulnerability Questionnaire . 
Purpose Select a number that best represents the chance of a negative security event occurring in the 11 categories (derived from Vulnerability Questionnaire ) over the course of the next 6 to 12 months. Enter a percentage for each category. Instructions Desktop Applications and Workstation Probability Assessment 85.0% Poor Copying Practices 91 to 100% = Event is imminent Company: Consolidated Widgets Date:1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Weak Maintenance Spurious Record Keeping Poor Post Purchasing Requirements Lack of Virus Checking Poor Copying Practices Poor Installation Practices Outputs Business Risk Quotient numbers represent your Current State, which are then exported to the Audit Results and Final Report sheets. Desktop Applications and Workstation Business Risk Quotient Company: Consolidated Widgets Date: 11/3/2004 Purpose Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 -Vulnerability Questionnaire . Application Policy Violation Non-Enforcement Poor Purchasing Requirements Instructions No intervention required. Outputs from Sheets 1, 3, and 4 automatically calculate the Business Risk Quotient. Any negative numbers are represented as zero. Insufficient Workstation Protection Poor Protection of Confidentiality Outcome(s) Lack of established policies may result in promotion of an inefficient working environment or potential security threat. Non-enforcement of the policies in place may give rise to lack of security practices, resulting in a possible security hole. Poor purchasing requirements may result in ineffective security standards for applications being installed corporate wide. Poor post purchasing practices leave information related to software scattered and difficult to find, leaving secure application software open to theft. Lack of virus checking will allow viruses to enter through the applications, corrupting the network and causing considerable damage to the company. 
Improper copying practices would lead to corrupted copies of applications or violations of the copying policies. Event Poor installation practices may result in improper permissions being put on application files and folders, or possible corruption of other critical applications. Weak maintenance practices may result in inefficiencies in version upgrades causing version problems across the network or improper re-installs. Improper record keeping will result in significant time required to create a list and track the applications. Upgrades to certain application versions will also be difficult in identifying where the applications are. Insufficient protection may result in theft and/or damage of workstations. Lack of proper protection will open up unauthorized viewing or stealing of secure information. 1.5 2.8 70.0% 1.5 2.8 20.0% 1.5 5.0 50.0% 1.7 (Business Impact + [Vulnerability x Probability]) /2 BRQ Risk 1.6 50.0% 3.3 1.5 1.0 1.5 3.8 10.0% 0.9 2.0 1.5 2.8 85.0% 1.9 1.5 3.3 50.0% 1.6 1.5 2.7 40.0% 1.3 1.5 3.3 35.0% 1.3 1.5 2.9 60.0% 1.6 Avg. BRQ Score 1.5 1.5 3.2 60.0% 1.7Quick Note on the Target State: The Current State figures represent the Business Risk Quotient scores themselves. Target State figures are calculated automatically from the Business Risk Quotient scores on Sheet 5 -Business Risk Quotient by subtracting 1.5 from the "Vulnerability" column (you will not see this calculation occur). This subtraction occurs because vulnerabilities can be controlled and mitigated, whereas probabilities and business impact usually cannot. Instructions Note the target state, which represents the minimum Business Risk Quotient level required to secure desktop applications and workstations according to its relative level of business risk. Outputs None. Illustrates how desktop applications and workstation's Current State (in blue) ranks against its ideal Target State (in red), both of which are derived from Sheet 5 -Business Risk Quotient. 
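As an added worked example, not part of the original workbook: the Business Risk Quotient and Target State calculation from Sheets 5 and 6, carried out in Python over the Consolidated Widgets figures, plus a gap ordering that the sheets do not provide. The category names, Business Impact (1.5 throughout), vulnerability quotients and probabilities are the workbook's own; the mapping of the average score onto the six maturity levels (Optimized for 0.0-0.9 up to Non-Existent/Not Performed for 5, lower being better) is an assumption, since the extract lists ranges and levels without pairing them.

```python
from decimal import Decimal, ROUND_HALF_UP

# Inputs constructed from the Consolidated Widgets sheets: category, Business
# Impact (Sheet 1), Vulnerability Quotient out of 5 (Sheet 3) and event
# probability (Sheet 4). Decimal keeps the rounding identical to the spreadsheet.
CATEGORIES = [
    ("Application Policies",          "1.5", "2.8", "0.70"),
    ("Enforcement",                   "1.5", "3.3", "0.50"),
    ("Purchasing",                    "1.5", "2.8", "0.20"),
    ("Post Purchase",                 "1.5", "3.8", "0.10"),
    ("Virus Checks",                  "1.5", "5.0", "0.50"),
    ("Copying",                       "1.5", "2.8", "0.85"),
    ("Installation",                  "1.5", "3.3", "0.50"),
    ("Maintenance",                   "1.5", "2.7", "0.40"),
    ("Record Keeping",                "1.5", "3.3", "0.35"),
    ("Workstation Asset Protection",  "1.5", "2.9", "0.60"),
    ("Protection of Confidentiality", "1.5", "3.2", "0.60"),
]

# Sheet 6 derives the Target State by taking 1.5 off the Vulnerability column:
# vulnerability is the one input the organisation can actually drive down.
VULNERABILITY_REDUCTION = Decimal("1.5")

# ASSUMPTION: pairing of score ranges with maturity levels (upper bound, level).
# Anything at or above 5.0 falls through to Non-Existent/Not Performed.
MATURITY_LEVELS = [
    (Decimal("1.0"), "Optimized"),
    (Decimal("2.0"), "Managed, Measured, and Controlled"),
    (Decimal("3.0"), "Defined"),
    (Decimal("4.0"), "Planned, Tracked, and Repeatable"),
    (Decimal("5.0"), "Ad-Hoc or Performed Informally"),
]


def round1(value: Decimal) -> Decimal:
    """Round half up to one decimal, as the spreadsheet displays its scores."""
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def brq(impact: Decimal, vulnerability: Decimal, probability: Decimal) -> Decimal:
    """(Business Impact + [Vulnerability x Probability]) / 2; negatives clamp to zero."""
    vulnerability = max(vulnerability, Decimal("0"))  # Sheet 5: negatives shown as zero
    return max((impact + vulnerability * probability) / 2, Decimal("0"))


def current_scores(categories=CATEGORIES) -> dict:
    return {name: round1(brq(Decimal(i), Decimal(v), Decimal(p)))
            for name, i, v, p in categories}


def target_scores(categories=CATEGORIES) -> dict:
    return {name: round1(brq(Decimal(i), Decimal(v) - VULNERABILITY_REDUCTION, Decimal(p)))
            for name, i, v, p in categories}


def average(scores: dict) -> Decimal:
    return round1(sum(scores.values()) / len(scores))


def maturity_level(avg: Decimal) -> str:
    for upper, name in MATURITY_LEVELS:
        if avg < upper:
            return name
    return "Non-Existent/Not Performed"


def gap_report(categories=CATEGORIES) -> list:
    """(category, current, target, gap) ordered by the reduction the Target State asks for."""
    cur, tgt = current_scores(categories), target_scores(categories)
    gaps = [(name, cur[name], tgt[name], cur[name] - tgt[name]) for name in cur]
    return sorted(gaps, key=lambda g: g[3], reverse=True)


if __name__ == "__main__":
    cur, tgt = current_scores(), target_scores()
    for name, c, t, gap in gap_report():
        print(f"{name:<32} current {c}  target {t}  gap {gap}")
    print("Average current:", average(cur), "->", maturity_level(average(cur)))
    print("Average target: ", average(tgt), "->", maturity_level(average(tgt)))
```

Two things worth noticing when running it. First, because the Target State subtracts a constant from vulnerability, the unrounded gap between Current and Target is simply 0.75 x probability (as long as the vulnerability quotient is at least 1.5), so ordering categories by achievable reduction is the same as ordering them by probability. Second, that ordering differs from the "highest score first" ordering the Final Report suggests: Virus Checks carries the highest current score (2.0), but Copying has the largest gap (1.9 down to 1.3), so the two prioritisation rules point at different categories.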
Sheet 6 - Desktop Applications and Workstation Audit Results (chart data)
Company: Consolidated Widgets   Date: 11/3/2004

[Chart: Desktop Applications and Workstation Security, Current State (blue) against Target State (red) by category, scale 0 to 5. The plotted values are:]

Category                          | Current Score | Target Score
1. Application Policies           | 1.7           | 1.2
2. Enforcement                    | 1.6           | 1.2
3. Purchasing                     | 1.0           | 0.9
4. Post Purchase                  | 0.9           | 0.9
5. Virus Checks                   | 2.0           | 1.6
6. Copying                        | 1.9           | 1.3
7. Installation                   | 1.6           | 1.2
8. Maintenance                    | 1.3           | 1.0
9. Record Keeping                 | 1.3           | 1.1
10. Workstation Asset Protection  | 1.6           | 1.2
11. Protection of Confidentiality | 1.7           | 1.3
Average                           | 1.5           | 1.2

Sheet 7 - Desktop Applications and Workstation Final Report
Company: Consolidated Widgets   Date: 11/3/2004

Purpose: The Final Report automatically amasses and compiles all metrics, both Current and Target, as well as general recommendations for improvement.
Instructions: Complete the specific tasks on the "Policy Amendment Recommendations" chart in order to improve security from its Current State to the Target State.
Outputs: [Charts: Current Business Risk Quotient by Category; Target Business Risk Quotient by Category, with the values in the table above.] Business Risk Quotient Average (Current): 1.5. Business Risk Quotient Average (Target): 1.2.

General Recommendations (maturity level: Managed, Measured, and Controlled)
Security procedures and event handling are completed against industry benchmarks; AND/OR: Security responsibilities and duties for this asset are clearly defined, assigned, and enforced; AND/OR: Security certifications are being/have been attained for this and similar assets; AND/OR: User identification and authorization are established and enforced; AND/OR: Security testing is performed on this asset and improvements made where necessary.
I. Continue to define security requirements and procedures for this asset.
II. Work towards fully integrating the auditing of this asset with the company's overall security plan/policy.
III. Assess the feasibility and fit of automated software tools to address security incidents and/or logging.
IV. Develop and maintain ongoing awareness and analysis of vulnerabilities specific to this asset.
V. [Enter further recommendations here]
VI. [Enter further recommendations here]

A Quick Note on Prioritization: As mentioned previously, the lower your score, the better your security; high scores represent an increasingly poor state of security for this asset. When prioritizing areas for improvement, you may wish to address them in order of criticality (i.e. the highest scores first). However, certain factors specific to your organization, such as geographic location, facility layout, and so on, may dictate that you address areas of risk in a different order. Be sure to consult the Business Impact Analysis you conducted earlier to help you prioritize your security initiatives.

Final Thought: Account for low probabilities and low impacts across multiple weak points. Desktop applications and workstations can introduce many security flaws that are each low-impact and low-probability. Individually they keep the scores looking good, but in aggregate they still pose a risk, and a good average score does not mean desktop application and workstation security can be left alone.

Policy Amendment Recommendations
[The extracted sheet does not reliably preserve which category each item sits under; the grouping below follows the content of each item.]

1. Application Policies
- Establish a business case and written authorization prior to installing any new software, including shareware and freeware - Low Cost - Medium Effort
- Ensure staff are restricted from giving licensed or company-developed software to clients, customers, friends, and others - Low Cost - Low Effort
- Establish software loading controls on LANs and file servers (i.e. no uploading to FTP servers) - Low Cost - Medium Effort
- Discourage employees from installing personally-owned software on company equipment unless prior approval is obtained from the IT department and/or management - Low Cost - Low Effort
- Prior to authorizing personally-owned software, ensure the employee provides the software license so that copyright infringement will not occur - Low Cost - Low Effort
- Ensure in-house developed software is covered by the same policies as commercial desktop productivity software - Low Cost - Low Effort

2. Enforcement
- Ensure all provisions of the license agreements issued with software are followed - Low Cost - Medium Effort
- Conduct periodic audits to ensure software policies are being followed - Low Cost - Medium Effort

3. Purchasing
- Before purchasing software, conduct an extensive search of available software or applications which meet each particular need - Low Cost - Medium Effort
- If feasible, ensure software, support, and services are obtained only through an approved procurement process - Low Cost - Medium Effort
- Where possible, ensure vendors demonstrate their software on stand-alone hardware - Low Cost - Low Effort
- Ensure procurement documents contain a requirement that vendors have anti-viral procedures in place to ensure their supplied media is uncontaminated by malicious software - Low Cost - Medium Effort
- Consider whether the product is as yet untested in the marketplace, or the vendor is a new company just entering the market; this is a reliability issue - Low Cost - Low Effort

4. Post Purchase
- Ensure that licenses and proof of ownership are on file for each piece of software - Low Cost - Low Effort
- Ensure licenses, software manuals, and procurement documentation are stored in a secure location (i.e. a closed, locked cabinet) - Low Cost - Low Effort
- Ensure sensitive and/or critical items are clearly identified and stored with appropriate access controls in place - Medium Cost - Medium Effort
- Ensure that purchased software that is downloaded is stored on a separate server or partition - Low Cost - Low Effort

5. Virus Checks
- Scan all proprietary software for viruses, even when sealed in 'shrink-wrapped' plastic - Low Cost - Medium Effort
- Ensure new applications are tested for viruses on a PC that is not connected to the corporate network - Medium Cost - Medium Effort
- Ensure all PC machine-readable media, regardless of source, are scanned for malware before initial use and connection to the network - Low Cost - Medium Effort
- When testing new software, use guest-level access and permissions so important files cannot be modified - Low Cost - Low Effort

6. Copying
- Where possible, use a network-isolated computer system when preparing copies for distribution - Low Cost - Low Effort
- If a vendor has not provided pre-approval of backup copies, ensure employees get vendor approval before creating additional copies - Low Cost - Low Effort
- If licensed for multiple users, ensure only the authorized number of copies are made by assigning installation duties to IT personnel - Low Cost - Medium Effort
- When copying software for backup or distribution, avoid using open-access workstations (i.e. training rooms, user laboratories, etc.) - Low Cost - Low Effort
- Prior to making backup copies, and to prevent inadvertent destruction, write-protect original diskettes or use similar safeguards - Low Cost - Low Effort

7. Installation
- If possible, separate system software and application software onto different partitions or different physical drives - Medium Cost - Medium Effort
- Immediately before installing, double-check that the software is properly licensed, whether from the vendor or under the General Public License - Low Cost - Medium Effort
- Ensure testing is completed in a sufficient number of quality-assurance environments before releasing software into production or general use - Medium Cost - Medium Effort
- Prior to implementing new software or making changes, ensure there is a procedure in place that permits backing out and returning to a stable state - Low Cost - Low Effort
- Post-implementation, ensure that the user functions and the required administrative, technical, and physical safeguards are verified as present and operationally adequate - Low Cost - Medium Effort

8. Maintenance
- Test all vendor patches in an isolated test environment before rollout - Low Cost - High Effort
- Ensure vendor patches and/or security fixes are implemented as soon as possible after official receipt - Low Cost - Medium Effort
- Ensure that obsolete software versions are disposed of in accordance with the licensing agreement - Low Cost - Low Effort

9. Record Keeping
- Maintain written records of software installed on each machine - Low Cost - Medium Effort
- On an annual basis, compare the written inventory of software to each individual PC to ensure only legal and approved software is installed and in use - Low Cost - Medium Effort

10. Workstation Asset Protection and 11. Protection of Confidentiality
- No policy amendment items for these categories survive in the extract; see the question-level recommendations in the Vulnerability Questionnaire for these categories.
Uploaded 1/10/2008 (English)