Desktop Applications and Workstations Audit


Desktop Applications and Workstation Security Audit
Company: Consolidated Widgets
Date: 11/3/2004

Important Note: The scoring in Sheet 3 - Vulnerability Questionnaire and Sheet 5 - Business Risk Quotient is out of 5. The higher the scores, the less secure the desktop applications and workstations. Conversely, low scores represent better security.

Worksheets

1. Business Impact Analysis
Purpose: Used to identify the dollar impact that would occur with unethical actions/intentions with desktop applications and workstations.
Instructions: Follow the instructions given for each table.
Outputs: Business Impact Rating, which is exported to Sheet 5 - Business Risk Quotient.

2. Weightings
Purpose: Determines the weighted scoring of categories within Sheet 3 - Vulnerability Questionnaire.
Instructions: If desired, type in new weightings in the areas shaded in gray. Base these numbers on your company's specific circumstances. If not, default weightings are used.
Outputs: New weightings are automatically updated in Sheet 3 - Vulnerability Questionnaire.

3. Vulnerability Questionnaire
Purpose: Designed to uncover the areas of greatest vulnerability that exist with desktop applications and workstations.
Instructions: Carefully read the questions in each category. Answer each to the best of your ability according to the current state of desktop application and workstation security.
Outputs: Vulnerability Quotients for each category are automatically fed into the "Vulnerability" column in Sheet 5 - Business Risk Quotient.

4. Probability Assessment
Purpose: Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 - Vulnerability Questionnaire.
Instructions: Select a number that best represents the chance of a negative security event occurring in the 11 categories in Sheet 3 - Vulnerability Questionnaire. Enter a percentage for each category. Percentages are automatically exported into the "Probability" column of Sheet 5 - Business Risk Quotient.

5. Business Risk Quotient
Purpose: Statement of desktop applications and workstation's condition of relative business risk.
Instructions: Outputs from Sheets 1, 3, and 4 automatically calculate the Business Risk Quotient.
Outputs: Business Risk Quotient numbers represent your Current State, which are then exported to Sheet 6 - Audit Results and Sheet 7 - Final Report.

6. Audit Results
Purpose: Illustrates how desktop applications and workstation's Current State (in blue) ranks against its ideal Target State (in red), both of which are derived from Sheet 5 - Business Risk Quotient. Note the Target State, which represents the minimum Business Risk Quotient level required to tackle desktop applications and workstations issues, according to its relative level of business risk.
Instructions: No intervention required.
Outputs: None.

7. Final Report
Purpose: The Final Report automatically amasses and compiles all metrics, both Current and Target, as well as general recommendations for improvement.
Instructions: Complete the specific tasks on the "Policy Amendment Recommendations" chart in order to improve security from its Current State to the Target State.
Outputs: None.

Desktop Applications and Workstation Business Impact Analysis
Company: Consolidated Widgets
Date: 11/3/2004

Purpose
Used to identify the dollar impact that would occur with unethical actions/intentions with desktop applications and workstations.

Instructions
Follow the instructions given for each table.

Outputs
Business Impact Rating, which is exported to Sheet 5 - Business Risk Quotient.

Asset Name: Office XP
Person Responsible for Asset: Bob S.

Questions:

1. Describe the functionality of this asset: Office XP and associated desktop applications are installed across most of the user base for the completion of basic productivity tasks. Saturation of Office XP is pretty much complete - a vulnerability for one PC is likely a vulnerability for all PCs.

2. List the Business Units that rely on desktop applications and workstations, describe what work is performed, and then use the drop-down list in the third column to identify their reliance on desktop applications and workstations as either 'High,' 'Medium,' or 'Low':

Business Unit/Functional Group: Work Performed
Administration: Occasional use for in-office letter composition
Sales/Marketing: Heavy reliance on the Excel-A/R software interface
Accounting: Minimal to no reliance on Office XP
IT: Minimal to no reliance on Office XP
Manufacturing: Day-to-day productivity tasks
Criticality to Work (one rating per business unit, in the order extracted; the extraction does not preserve which rating belongs to which row): Low, Low, High, Medium, High

3. Choose a timeframe from the list below that best describes the impact on the organization, should there be an interruption of service to desktop applications and workstations. The organization would feel a significant impact within (check one only):

Timeframe
- Less than 4 hours of interrupted service. (This Asset is Vital)
- 4-8 hours of interrupted service. (This Asset is Critical)
- 8-24 hours of interrupted service. (This Asset is Essential)
- 1-3 days of interrupted service. (This Asset is Important)
- 3-5 days of interrupted service. (This Asset is Non-Critical)

4a. Determine which cost factors are associated with desktop applications and workstations in the Business Unit/Functional Group. Base the amounts on money lost per 24 hours of desktop applications and workstation downtime. Enter estimated dollar costs from these factors.

Financial Cost Factors

Loss of Revenue: $5,000.00
Definition: In most cases, the loss of revenue due to desktop application and workstation security breaches will cause a disruption in many areas of functionality across the company. The interruption of this functionality causes your organization to not be able to sell product, or fulfill orders. This could be the result of interruption in the shipping process or the services you offer as a result of lost or stolen documents, or secure information being given to a competitor. Scenarios could also include theft of proprietary material.

Loss of Productivity: $20,000.00
Definition: The system is down, causing a production shift to stand around or 'make work' to keep busy rather than doing whatever it is they were hired to do. Order entry staff can't take orders if the phones are down or their online systems aren't available. Production staff can't produce the product if the production line isn't functioning. Since staff still has to be paid, this time is considered a loss.

Increased Cost of Sales: $0.00
Definition: This can occur as a result of extra communication that is required to inform customers of your inability to take orders. Or, it could be the result of extra effort/time required to complete a sale. Any interruption of service that delays the sales cycle would potentially increase the cost of sales.

Increased Operating Costs: $2,500.00
Definition: If extra shifts are added to make up for the downtime, operating costs are going to increase. Extra utility costs or paying your support staff to stay late and finish a process are two examples of how operating costs are likely to increase when a company goes into overtime to make a product they anticipated making during a single shift.

Increased Labor Costs: $0.00
Definition: If the production staff has to stay overtime to produce the product, they are likely going to cost time and a half for the second shift they work. The result is the expected cost to produce the product being potentially 2.5 times higher than anticipated.

Remediation Costs: $0.00
Definition: If customers are lost, there will need to be an increased effort to regain sales from new accounts. This will cost additional resource time from all areas of the business, in particular marketing and sales. This may also entail startup costs after an interruption of service.

Loss of Efficiency: $0.00
Definition: Manual 'workarounds' are obviously less efficient than using an automated system. When the workflow is temporarily slowed, staff become less effective and less efficient. This slowdown can be measured by the percentage of loss associated with their performance. Staff, whose operating cost is $1000 per hour, would incur a loss of $500 per hour if they lost 50% of their efficiency due to an interruption of service.

Legal Costs: $0.00
Definition: Depending on the nature of the interruption and its impact outside your organization, legal costs could be a serious factor.

Subtotal: $27,500.00

4b. Determine which cost factors are associated with an interruption of service in the Business Unit/Functional Group. Enter estimated dollar costs from these factors.

Goodwill Cost Factors

Reduced Customer Service: $7,500.00
Definition: These might include reduced or terminated levels of service, information that is unavailable when customers call, customers unable to access information on the Web site, etc. These could be hard to estimate in most cases.

Production Delays: $0.00
Definition: This could have a ripple effect throughout the organization. If you expected to produce 800 widgets today, but were unable to do so, your production schedule is now one day behind schedule. If another order was to be produced the following day, that order is now delayed as the current order is finished. The impact associated with this is difficult to measure. Depending on the relationship with the customer, it could be either very minimal or cause the customer to find another supplier.

Reduced Consumer Confidence: $5,000.00
Definition: There are a number of threats that could have a huge impact on the business in this regard. A security breach that the customers feel was avoidable could cost your organization dearly. A virus that found its way to a customer's network and was traced back to your organization could damage a relationship with that customer, particularly if the industry in which you work is highly sensitive.

Subtotal: $12,500.00

5. Total Financial Impact
Total Dollar Impact: $40,000.00
Daily Revenue: $104,166.00
Daily Impact: 38.4%

6. The total financial impact is shown beside its corresponding rating. This is the Business Impact rating for desktop applications and workstations. This rating has been automatically exported to the "Business Impact" column on Sheet 5 - Business Risk Quotient:

Daily Impact: Definition (Rating)
0% to 9.9%: Zero impact (0.0)
10% to 19.9%: Negligible impact (0.5)
20% to 29.9%: Minor impact (1.0)
30% to 39.9%: Some impact (1.5)
40% to 49.9%: Moderate impact (2.0)
50% to 59.9%: Considerable impact (2.5)
60% to 69.9%: Strong impact (3.0)
70% to 79.9%: Heavy impact (3.5)
80% to 89.9%: Very heavy impact (4.0)
90% to 99.9%: Critical impact (4.5)
Over 100%: Massive impact (5.0)

Financial Impact: 38.4%

Desktop Applications and Workstation Weightings
Company: Consolidated Widgets
Date: 11/3/2004

Purpose
Determines the weighted scoring of categories within Sheet 3 - Vulnerability Questionnaire.

Instructions
If desired, type in new weightings in the areas shaded in gray. Base these numbers on your company's specific circumstances. If not, default weightings are used.

Outputs
New weightings are automatically updated in Sheet 3 - Vulnerability Questionnaire.

Category: Your Weighting / Default Weight
1. Application Policies: 9.09% / 9.09%
2. Enforcement: 9.09% / 9.09%
3. Purchasing: 9.09% / 9.09%
4. Post Purchase: 9.09% / 9.09%
5. Virus Checks: 9.09% / 9.09%
6. Copying: 9.09% / 9.09%
7. Installation: 9.09% / 9.09%
8. Maintenance: 9.09% / 9.09%
9. Record Keeping: 9.09% / 9.09%
10. Workstation Asset Protection: 9.09% / 9.09%
11. Protection of Confidentiality: 9.09% / 9.09%
Total: 100% / 100%

Desktop Applications and Workstation Vulnerability Questionnaire
Company: Consolidated Widgets
Date: 11/3/2004

Purpose
This tool is meant to uncover the areas of greatest vulnerability that exist with desktop applications and workstations.

Outputs
Vulnerability Quotients for each category are automatically fed into the "Vulnerability" column on Sheet 5 - Business Risk Quotient.

Instructions and Definitions

Weight: Represents the percentage of each question as a portion of the category total. Each category has its own weight in relation to the Questionnaire's overall score.

Score: This tool calculates weighting and scoring automatically. Refer to the bottom of each category (shaded in gray) to view your score for that area.

Questions: Carefully read the questions in each category. Answer each to the best of your ability according to the current state of this asset's security.

Responses: To answer the questions, click once on the corresponding "Response" cell. Click on the arrow and select an answer from the drop-down menu. "Yes" answers add to your mark in the "Score" column. "No" answers will generate suggested action points in the "Recommendations" column. "N/A" answers (not applicable) are discounted from the audit, and the "Weight" column will automatically adjust to reflect their omission.

Recommendations: Recommendations for corrective measures are automatically generated based on your response. These recommendations will form the basis of your security strategy.

Comments: Enter your own comments, qualifications, observations, or any additional notes you have to make regarding particular questions or categories.

Results: Look under "Final Score" at the end of this spreadsheet (shaded in yellow) to view your total score for all categories and your Maturity Score. Again, these numbers are automatically calculated.

Analysis: Consult the Ranking Chart at the end of the Questionnaire to determine what your scores for the rest of the audit mean. The lower your score, the better your security. High scores represent an increasingly poor state of security for this asset. The "Explanations" provide a top-level state of security for their corresponding score, while the "General Recommendations" column provides advice on how to move up to the next level.
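The scoring rules above (a question's weight counts toward the category score on a "No", N/A questions are dropped and the weights re-spread, the category score is expressed as a Vulnerability Quotient out of 5, and the Business Impact rating is a band lookup of daily impact against daily revenue) are easier to audit in code than in a spreadsheet. The following is an added example, not code from the worksheet or its publisher; it assumes equal per-question weights inside each category, which is what every category on this sheet shows, and embeds the Consolidated Widgets responses as sample input so the figures on the sheet can be reproduced.

```python
"""Scoring model of the Desktop Applications and Workstation audit, reconstructed
from the worksheet instructions (added example, not the worksheet's own code):
- a "No" answer adds the question's weight to the category score,
- "N/A" answers are dropped and the remaining questions re-weighted equally,
- the category score maps onto a Vulnerability Quotient out of 5,
- the Business Impact rating is a band lookup of daily dollar impact / daily revenue.
Assumption: equal per-question weights inside each category, which is what every
category on the sheet shows (11.1%, 33.3%, 25.0%, ...)."""

from typing import Dict, Optional, Sequence, Tuple

# Rating bands from the Business Impact Analysis sheet: (exclusive upper bound %, label, rating).
IMPACT_BANDS = [
    (10.0, "Zero impact", 0.0), (20.0, "Negligible impact", 0.5),
    (30.0, "Minor impact", 1.0), (40.0, "Some impact", 1.5),
    (50.0, "Moderate impact", 2.0), (60.0, "Considerable impact", 2.5),
    (70.0, "Strong impact", 3.0), (80.0, "Heavy impact", 3.5),
    (90.0, "Very heavy impact", 4.0), (100.0, "Critical impact", 4.5),
]

# Responses copied from the Consolidated Widgets sheet, in question order per category.
SAMPLE_RESPONSES: Dict[str, Sequence[str]] = {
    "Application Policies": ["Yes", "Yes", "No", "Yes", "No", "No", "No", "Yes", "No"],
    "Enforcement": ["No", "No", "Yes"],
    "Purchasing": ["No", "No", "Yes", "No", "No", "Yes", "N/A", "Yes", "No", "Yes"],
    "Post Purchase": ["No", "No", "Yes", "No"],
    "Virus Checks": ["No", "No", "No", "No"],
    "Copying": ["Yes", "No", "No", "Yes", "No", "Yes", "Yes", "No", "No"],
    "Installation": ["Yes", "No", "No", "Yes", "No", "No"],
    "Maintenance": ["Yes", "Yes", "No", "No", "No", "Yes", "Yes", "No", "No", "No", "Yes"],
    "Record Keeping": ["No", "N/A", "No", "Yes"],
    "Workstation Asset Protection": ["No", "Yes", "No", "No", "Yes", "Yes", "No", "No", "No", "Yes",
                                     "No", "No", "Yes", "No", "Yes", "Yes", "Yes", "No", "No"],
    "Protection of Confidentiality": ["No", "No", "N/A", "No", "Yes", "No", "No", "Yes", "Yes",
                                      "No", "No", "No", "Yes", "Yes", "No"],
}


def category_score(responses: Sequence[str]) -> float:
    """Category score in percent: share of applicable questions answered "No".

    N/A answers are discounted, so each remaining question carries
    100 / (number of applicable questions) percent, as the sheet re-weights.
    """
    applicable = [r.strip().title() for r in responses if r.strip().upper() != "N/A"]
    bad = sorted(set(applicable) - {"Yes", "No"})
    if bad:
        raise ValueError(f"unexpected responses: {bad}")
    if not applicable:          # every question N/A: nothing to score
        return 0.0
    return 100.0 * applicable.count("No") / len(applicable)


def vulnerability_quotient(score_pct: float) -> float:
    """Map a 0-100% category score onto the 0-5 Vulnerability Quotient scale."""
    return score_pct / 100.0 * 5.0


def business_impact(total_dollar_impact: float, daily_revenue: float) -> Tuple[float, str, float]:
    """Daily impact percentage, its definition and the Business Impact rating."""
    if daily_revenue <= 0:
        raise ValueError("daily revenue must be positive")
    pct = 100.0 * total_dollar_impact / daily_revenue
    for upper, label, rating in IMPACT_BANDS:
        if pct < upper:
            return round(pct, 1), label, rating
    return round(pct, 1), "Massive impact", 5.0


def audit_summary(categories: Dict[str, Sequence[str]],
                  weights: Optional[Dict[str, float]] = None) -> Tuple[float, float]:
    """Weighted all-categories score (%) and average quotient, as on the Final Score row.

    `weights` follows Sheet 2 (category -> percentage); omitted means the default
    equal weighting of 100/11 % per category.
    """
    if weights is None:
        weights = {name: 100.0 / len(categories) for name in categories}
    total_w = sum(weights[name] for name in categories)
    score = sum(category_score(r) * weights[name] for name, r in categories.items()) / total_w
    return round(score, 1), round(vulnerability_quotient(score), 1)


if __name__ == "__main__":
    for name, responses in SAMPLE_RESPONSES.items():
        s = category_score(responses)
        print(f"{name:32s} {s:5.1f}%  quotient {vulnerability_quotient(s):.2f}")
    print("Business impact:", business_impact(40_000.0, 104_166.0))
    print("Final score:", audit_summary(SAMPLE_RESPONSES))
```

Running it reproduces the sheet: Application Policies and Purchasing both come out at 55.6% (quotient 2.78), Virus Checks at 100% (5.00), the Business Impact lookup of $40,000 against $104,166 lands in the 30% to 39.9% band, and the all-categories line is 65.3% with an average quotient of 3.3. Pass a Sheet 2 weighting dict to `audit_summary` to see how a non-default weighting shifts the total.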

Security Categories

1. Application Policies (category weight 9.1%; each applicable question weighted 11.1%)

Q1. Are there approved software policies in place?
    Response: Yes. Score: 0.0%.
Q2. Is staff restricted from taking copies of software home to install when doing so is a violation of the copyright?
    Response: Yes. Score: 0.0%.
Q3. Is staff restricted from loaning or giving software to non-employees?
    Response: No. Score: 11.1%.
    Recommendation: Ensure staff are restricted from giving licensed or company-developed software to clients, customers, friends, and others - Low Cost - Low Effort
Q4. Are employees restricted from installing or downloading software on company-owned equipment?
    Response: Yes. Score: 0.0%.
Q5. Is justification required before installing any new software?
    Response: No. Score: 11.1%.
    Recommendation: Establish business case and written authorization prior to installing any new software, including shareware and freeware - Low Cost - Medium Effort
Q6. Are individuals prohibited from installing personally owned software on company equipment?
    Response: No. Score: 11.1%.
    Recommendation: Discourage employees from installing personally-owned software on company equipment unless prior approval is obtained by the IT department and/or management - Low Cost - Low Effort
Q7. If privately owned software is permitted, do employees have to provide the software license and ensure copyright infringement will not occur?
    Response: No. Score: 11.1%.
    Recommendation: Prior to authorizing personally owned software, ensure the employee provides the software license to ensure copyright infringement will not occur - Low Cost - Low Effort
Q8. Are employees prohibited from installing or downloading software from unknown and unapproved sources?
    Response: Yes. Score: 0.0%.
Q9. Is in-house developed software treated in accordance with established policies?
    Response: No. Score: 11.1%.
    Recommendation: Ensure in-house developed software is covered by the same policies as commercial desktop productivity software - Low Cost - Low Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 55.6% (5.1% of audit). Vulnerability Quotient: 2.78

2. Enforcement (category weight 9.1%; each applicable question weighted 33.3%)

Q10. Are all provisions of license agreements followed?
    Response: No. Score: 33.3%.
    Recommendation: Ensure all provisions of the license agreements issued with software are followed - Low Cost - Medium Effort
Q11. Are periodic audits conducted to ensure software policies are being followed?
    Response: No. Score: 33.3%.
    Recommendation: Conduct periodic audits to ensure software policies are being followed - Low Cost - Medium Effort
Q12. Is staff held accountable for violation of any policies or copyrights?
    Response: Yes. Score: 0.0%.

Total Category Weight: 100.0% (9.1% of audit). Category score: 66.7% (6.1% of audit). Vulnerability Quotient: 3.33

3. Purchasing (category weight 9.1%; each applicable question weighted 11.1%)

Q13. Is the purchase of software regulated?
    Response: No. Score: 11.1%.
    Recommendation: If feasible, ensure software, support, and services are obtained only through an approved procurement process - Low Cost - Medium Effort
Q14. Before purchasing new software, is extensive research conducted?
    Response: No. Score: 11.1%.
    Recommendation: Before purchasing software, conduct an extensive search of available software or applications which meet each particular need - Low Cost - Medium Effort
Q15. To guard against viruses, are machine-readable software and data files obtained only from reliable sources?
    Response: Yes. Score: 0.0%.
Q16. Do procurement documents contain a requirement that the vendor have anti-viral procedures in place to ensure their media is uncontaminated by malicious software?
    Response: No. Score: 11.1%.
    Recommendation: Ensure procurement documents contain a requirement that vendors have anti-viral procedures in place to ensure their supplied media is uncontaminated by malicious software - Low Cost - Medium Effort
Q17. Are vendors required to demonstrate their software on stand-alone hardware?
    Response: No. Score: 11.1%.
    Recommendation: Where possible, ensure vendors demonstrate their software on stand-alone hardware - Low Cost - Low Effort
Q18. Has the vendor been thoroughly researched (software sold, other clients, reputation)?
    Response: Yes. Score: 0.0%.
Q19. Has the application been on the market for long?
    Response: N/A. Weight: 0.0%. Score: 0.0%.
Q20. Have previous versions been relatively free of patches and/or upgrades?
    Response: Yes. Score: 0.0%.
Q21. Is there readily available technical support for the product?
    Response: No. Score: 11.1%.
    Recommendation: Consider that the new product is as yet untested in the marketplace, or a new company just in the market; this is a reliability issue - Low Cost - Low Effort
Q22. Is a list of pre-authorized and restricted software maintained?
    Response: Yes. Score: 0.0%.

Total Category Weight: 100.0% (9.1% of audit). Category score: 55.6% (5.1% of audit). Vulnerability Quotient: 2.78

4. Post Purchase (category weight 9.1%; each applicable question weighted 25.0%)

Q23. Is a license or other proof of ownership on file for each piece of software?
    Response: No. Score: 25.0%.
    Recommendation: Ensure that licenses and proof of ownership are on file for each piece of software - Low Cost - Low Effort
Q24. Is software documentation stored in a secure location?
    Response: No. Score: 25.0%.
    Recommendation: Ensure licenses, software manuals, and procurement documentation are stored in a secure location (i.e. closed locked cabinet) - Low Cost - Low Effort
Q25. Are current copies of critical application software kept and secured?
    Response: Yes. Score: 0.0%.
Q26. Are sensitive and/or critical items stored with appropriate access controls in place?
    Response: No. Score: 25.0%.
    Recommendation: Ensure sensitive and/or critical items are clearly identified and stored with appropriate access controls in place - Medium Cost - Medium Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 75.0% (6.8% of audit). Vulnerability Quotient: 3.75

5. Virus Checks (category weight 9.1%; each applicable question weighted 25.0%)

Q27. Is all media scanned with virus detection software prior to initial use?
    Response: No. Score: 25.0%.
    Recommendation: Ensure all PC machine-readable media, regardless of source, are scanned for malware before initial use and connection to the network - Low Cost - Medium Effort
Q28. Is sealed, off-the-shelf software also checked for viruses prior to installation?
    Response: No. Score: 25.0%.
    Recommendation: Scan all proprietary software for viruses, even when sealed in 'shrink-wrapped' plastic - Low Cost - Medium Effort
Q29. Are new applications tested for viruses on a PC that is not connected to the corporate network?
    Response: No. Score: 25.0%.
    Recommendation: Ensure new applications are tested for viruses on a PC that is not connected to the corporate network - Medium Cost - Medium Effort
Q30. When testing new software, is guest access used?
    Response: No. Score: 25.0%.
    Recommendation: When testing new software, use guest-level access and permissions so important files cannot be modified - Low Cost - Low Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 100.0% (9.1% of audit). Vulnerability Quotient: 5.00

6. Copying (category weight 9.1%; each applicable question weighted 11.1%)

Q31. Is a backup copy made of all new software?
    Response: Yes. Score: 0.0%.
Q32. Prior to making backup copies, are the originals write-protected?
    Response: No. Score: 11.1%.
    Recommendation: Prior to making backup copies and to prevent inadvertent destruction, write-protect original diskettes or use similar safeguards - Low Cost - Low Effort
Q33. If a vendor has not provided pre-approval of backup copies, do employees get vendor approval before creating additional copies?
    Response: No. Score: 11.1%.
    Recommendation: If a vendor has not provided pre-approval of backup copies, ensure employees get vendor approval before creating additional copies - Low Cost - Low Effort
Q34. Is only the permitted number of copies made of copyrighted software?
    Response: Yes. Score: 0.0%.
Q35. If the license is for multiple users, is only the authorized number of copies made?
    Response: No. Score: 11.1%.
    Recommendation: If licensed for multiple users, ensure only the authorized number of copies are made by assigning installation duties to IT personnel - Low Cost - Medium Effort
Q36. Are only new media used for copying software for backup storage and distribution?
    Response: Yes. Score: 0.0%.
Q37. Is the distribution for software controlled via log book/personnel?
    Response: Yes. Score: 0.0%.
Q38. Is a standalone computer system used when preparing copies for distribution?
    Response: No. Score: 11.1%.
    Recommendation: Where possible, use a network-isolated computer system when preparing copies for distribution - Low Cost - Low Effort
Q39. When copying software for backup or distribution, are open access workstations avoided?
    Response: No. Score: 11.1%.
    Recommendation: When copying software for backup or distribution, avoid using open access workstations (i.e. training rooms, user laboratories, etc.) - Low Cost - Low Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 55.6% (5.1% of audit). Vulnerability Quotient: 2.78

7. Installation (category weight 9.1%; each applicable question weighted 16.7%)

Q40. When feasible, are only trained and authorized staff permitted to install and support software?
    Response: Yes. Score: 0.0%.
Q41. Are controls established for local area networks that prevent anyone except authorized staff from loading software on file servers?
    Response: No. Score: 16.7%.
    Recommendation: Establish software loading controls on LANs and file servers (i.e. no uploading to FTP servers) - Low Cost - Medium Effort
Q42. Is application software separated from system software?
    Response: No. Score: 16.7%.
    Recommendation: If possible, separate system software and install application software on different partitions or different physical drives - Medium Cost - Medium Effort
Q43. Are operating system files and other executable files read-only?
    Response: Yes. Score: 0.0%.
Q44. Is downloadable software kept on a separate drive or partition from system and critical application files?
    Response: No. Score: 16.7%.
    Recommendation: Ensure that purchased software that is downloaded is stored on a separate server or partition - Low Cost - Low Effort
Q45. Immediately before installing, is a double-check conducted to ensure the software is properly licensed?
    Response: No. Score: 16.7%.
    Recommendation: Immediately before installing, consider double-checking that the software is properly licensed, whether from the vendor or under the general public license - Low Cost - Medium Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 66.7% (6.1% of audit). Vulnerability Quotient: 3.33

8. Maintenance (category weight 9.1%; each applicable question weighted 9.1%)

Q46. Are all vendor instructions followed carefully?
    Response: Yes. Score: 0.0%.
Q47. Are the original diskettes used when restoring damaged software applications?
    Response: Yes. Score: 0.0%.
Q48. Are any vendor recommended changes or security fixes implemented as soon as possible after official receipt?
    Response: No. Score: 9.1%.
    Recommendation: Ensure vendor patches and/or security fixes are implemented as soon as possible after official receipt - Low Cost - Medium Effort
Q49. Are vendor patches tested?
    Response: No. Score: 9.1%.
    Recommendation: Test all vendor patches in an isolated test environment before rollout - Low Cost - High Effort
Q50. Prior to implementation or making changes, is there a procedure in place that permits backing out and returning to a stable state?
    Response: No. Score: 9.1%.
    Recommendation: Prior to implementing new software or making changes, ensure there is a procedure in place that permits backing out and returning to a stable state - Low Cost - Low Effort
Q51. Prior to implementing or making changes, are hours and days of operation considered?
    Response: Yes. Score: 0.0%.
Q52. Are new, substantially modified, and/or sensitive applications thoroughly tested prior to implementation?
    Response: Yes. Score: 0.0%.
Q53. Is software tested in a proper quality-assurance environment before deployment?
    Response: No. Score: 9.1%.
    Recommendation: Ensure testing is completed in a sufficient number of quality-assurance environments before releasing it into production or general use - Medium Cost - Medium Effort
Q54. Post implementation, are the user functions and required administrative, technical, and physical safeguards verified as being present and operationally adequate?
    Response: No. Score: 9.1%.
    Recommendation: Post implementation, ensure that the user functions and required administrative, technical, and physical safeguards are verified as being present and operationally adequate - Low Cost - Medium Effort
Q55. When upgrades to software are purchased, are old versions disposed of properly in accordance with the licensing agreement?
    Response: No. Score: 9.1%.
    Recommendation: Ensure that obsolete software versions are disposed of in accordance with the licensing agreement - Low Cost - Low Effort
Q56. Are end users trained and monitored in regards to the viral dangers of downloading free or shared programs, games, and demonstration programs?
    Response: Yes. Score: 0.0%.

Total Category Weight: 100.0% (9.1% of audit). Category score: 54.5% (5.0% of audit). Vulnerability Quotient: 2.73

9. Record Keeping (category weight 9.1%; each applicable question weighted 33.3%)

Q57. Are written records of software installed on each machine maintained?
    Response: No. Score: 33.3%.
    Recommendation: Maintain written records of software installed on each machine - Low Cost - Medium Effort
Q58. If cost effective, is special-purpose software purchased to inventory and document all software on all PCs?
    Response: N/A. Weight: 0.0%. Score: 0.0%.
Q59. Is a software audit conducted on an annual basis to ensure only legal and approved software are installed and being used?
    Response: No. Score: 33.3%.
    Recommendation: On an annual basis, compare the written inventory of software to each individual PC to ensure only legal and approved software are installed and being used - Low Cost - Medium Effort
Q60. Are all illegal copies of software deleted immediately?
    Response: Yes. Score: 0.0%.

Total Category Weight: 100.0% (9.1% of audit). Category score: 66.7% (6.1% of audit). Vulnerability Quotient: 3.33

10. Workstation Asset Protection (category weight 9.1%; each applicable question weighted 5.3%)

Q61. Are outside doors secured at all times?
    Response: No. Score: 5.3%.
    Recommendation: Ensure outside doors are not propped open or otherwise compromised - Low Cost - Low Effort
Q62. Is adequate building and office security in place?
    Response: Yes. Score: 0.0%.
Q63. When unoccupied, are office doors and windows locked?
    Response: No. Score: 5.3%.
    Recommendation: When unoccupied, keep office doors and first floor windows, fire escape windows, and security screens locked - Low Cost - Low Effort
Q64. Where practical, are locking devices used to anchor down PCs and equipment?
    Response: No. Score: 5.3%.
    Recommendation: Where practical, use locking devices to anchor PCs and equipment directly to desks, floors, or walls - Medium Cost - Low Effort
Q65. Are removable media locked away?
    Response: Yes. Score: 0.0%.
Q66. Is only what is needed installed at workstations?
    Response: Yes. Score: 0.0%.
Q67. Are various forms of locking devices considered for peripherals?
    Response: No. Score: 5.3%.
    Recommendation: Consider various forms of locking devices: floppy, keyboard and power switch locks that disable the electronics, password-protected screen savers, etc. - Low Cost - Low Effort
Q68. When not in use, are computers, cell phones and PDAs locked with a pass code?
    Response: No. Score: 5.3%.
    Recommendation: When not in use, lock computers, cell phones, and PDAs with a pass code - Low Cost - Low Effort
Q69. When away from desks for extended periods, are desks and cabinets locked up?
    Response: No. Score: 5.3%.
    Recommendation: When away from desks for extended periods, ensure desks and cabinets are locked up - Low Cost - Low Effort
Q70. When away from desks for extended periods, are keys, passcards, briefcases, cell phones, PDAs, etc. taken along or locked up?
    Response: Yes. Score: 0.0%.
Q71. Are all personal effects kept in a locked container devoted to personal effects?
    Response: No. Score: 5.3%.
    Recommendation: Keep all personal effects in a locked container devoted to personal effects - Low Cost - Low Effort
Q72. Is all hardware etched or marked with identification numbers?
    Response: No. Score: 5.3%.
    Recommendation: Ensure all hardware is etched or marked with identification numbers - Low Cost - Medium Effort
Q73. Is an inventory of workstations kept and compared to a master list annually?
    Response: Yes. Score: 0.0%.
Q74. Is personal accountability established for the protection of IT resources within staff control or possession?
    Response: No. Score: 5.3%.
    Recommendation: Establish personal accountability for the protection of IT resources within staff control or possession - Low Cost - Low Effort
Q75. Are security staff notified immediately if something goes missing?
    Response: Yes. Score: 0.0%.
Q76. Does moving, disconnecting, or altering IT or telecommunications equipment require prior authorization?
    Response: Yes. Score: 0.0%.
Q77. Do staff understand repair protocol so components are not taken under false pretenses?
    Response: Yes. Score: 0.0%.
Q78. Are strangers and/or strange activity challenged?
    Response: No. Score: 5.3%.
    Recommendation: Establish procedures for querying strangers and/or strange activity within the facility - Low Cost - Low Effort
Q79. When returning from offsite visits, are diskettes, CDs, Zip disks, or electronic files run through virus checking software?
    Response: No. Score: 5.3%.
    Recommendation: When returning from offsite visits, ensure diskettes, CDs, Zip disks, or electronic files are run through virus checking software - Low Cost - Low Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 57.9% (5.3% of audit). Vulnerability Quotient: 2.89

11. Protection of Confidentiality (category weight 9.1%; each applicable question weighted 7.1%)

Q80. Are strangers permitted to use computers?
    Response: No. Score: 7.1%.
    Recommendation: Ensure strangers are not permitted to use computers without having signed a liability form - Low Cost - Low Effort
Q81. When leaving computers, are computers either locked, turned off, or put into a password-protected screen saver mode?
    Response: No. Score: 7.1%.
    Recommendation: When leaving computers, ensure computers are either locked, turned off, or put into a password-protected screen saver mode - Low Cost - Low Effort
Q82. In areas where workstations are shared by two or more users, does each user log out after a session?
    Response: N/A. Weight: 0.0%. Score: 0.0%.
Q83. Is CTRL+ALT+DEL always used even if the login window already appears on the screen?
    Response: No. Score: 7.1%.
    Recommendation: To prevent Trojan horse attacks, ensure staff always log on with CTRL+ALT+DEL even if the login window already appears on the screen - Low Cost - Low Effort
Q84. Is sensitive data accessed from multiple workstations?
    Response: Yes. Score: 0.0%.
Q85. Are monitors positioned or are screen filters used so the display cannot be read by passersby?
    Response: No. Score: 7.1%.
    Recommendation: Ensure monitors are positioned or screen filters used so the display cannot be read by passersby - Low Cost - Low Effort
Q86. Are desks and furniture positioned so sensitive material is not visible from windows or hallways?
    Response: No. Score: 7.1%.
    Recommendation: Position desks and furniture so sensitive material is not visible from windows or hallways - Low Cost - Low Effort
Q87. Are passwords committed to memory?
    Response: Yes. Score: 0.0%.
Q88. Are removable media kept locked up (floppy disks, CDs, zip disks, tape, etc.)?
    Response: Yes. Score: 0.0%.
Q89. Are day planners, rolodexes, and notebooks locked up?
    Response: No. Score: 7.1%.
    Recommendation: Ensure day planners, rolodexes, and notebooks are kept locked up rather than left out on the desk - Low Cost - Low Effort
Q90. Are disks and printouts labeled and stored according to their security level?
    Response: No. Score: 7.1%.
    Recommendation: Ensure disks and printouts are labelled and stored in accordance with their relative level of security - Low Cost - Medium Effort
Q91. Are folders arranged in file cabinets with differing security levels and the file cabinets locked when not in use?
    Response: No. Score: 7.1%.
    Recommendation: Arrange folders in file cabinets with differing security levels and ensure that the file cabinets are locked when not in use - Low Cost - Low Effort
Q92. Are documents and media handled and disposed of appropriately to meet security requirements?
    Response: Yes. Score: 0.0%.
Q93. Are cache files on computers and memory on devices, like printers, cleared regularly?
    Response: Yes. Score: 0.0%.
Q94. Are conscientious work habits recognized and encouraged?
    Response: No. Score: 7.1%.
    Recommendation: To reinforce rules, recognize and encourage safe, conscientious work habits - Low Cost - Low Effort

Total Category Weight: 100.0% (9.1% of audit). Category score: 64.3% (5.8% of audit). Vulnerability Quotient: 3.21

Final Score

All Categories Average Quotient (out of 5)

65.3% 3.3

Range / Explanation / General Recommendations

Range: 5 - Non-Existent/Not Performed
Explanation: Company has never performed this audit; AND/OR: Company has never (or in the last 24 months) performed a vulnerability scan for this asset; AND/OR: There is no security reporting structure in place for this asset; AND/OR: Continuity of this asset is considered unworthy of the company's attention; AND/OR: There is no system in place for responding to an attack on this asset.
General Recommendations: I. Address quick-fix security gaps immediately. II. Company can no longer fail to support security initiatives and best practices. III. Conduct gap analyses to isolate deficiencies in security practices. IV. Assign security responsibilities immediately. V. [Enter further recommendations here] VI. [Enter further recommendations here]

Range: 4.0 - 4.9 - Ad-Hoc or Performed Informally
Explanation: Company only responds reactively to security events; AND/OR: IT security is recognized as important, but is still not measured; AND/OR: Security responsibilities and duties are ill-defined; AND/OR: Responses to security events made without guiding policy or procedure; AND/OR: Responses to security events are unpredictable.
General Recommendations: I. Create plans and processes for formal incident response procedures. II. Incorporate formal procedures into a guiding, company-wide security policy. III. Draft a set of security duties; incorporate them into the job description of the appropriate employee. IV. Consider how security, event, and log data will be captured and analyzed. V. [Enter further recommendations here] VI. [Enter further recommendations here]

Range: 3.0 - 3.9 - Planned, Tracked, and Repeatable
Explanation: Planned approaches to incident response have been considered, but not deployed; AND/OR: Security responsibilities and duties for this asset are assigned to someone without management authority; AND/OR: Security information for this asset is collected, but not analyzed; AND/OR: Response procedures are under development, but insufficiently resourced; AND/OR: Responses to security events still reactive, often using third-party products or services.
General Recommendations: I. Establish formal security procedures/event handling processes for this asset. II. Establish plans for security training for IT Operating System. III. Start planning the switch to bring security asset management in-house. IV. Focus on proving to senior management how IT security investments directly impact the bottom line; ensure that proposals speak towards IT/business alignment. V. Ensure that the individual in charge of security is granted sufficient leeway to conduct his/her job duties without hindrance. VI. [Enter further recommendations here] VII. [Enter further recommendations here]

Range: 2.0 - 2.9 - Defined
Explanation: Security procedures are in place for this asset; AND/OR: Incident response procedures are standardized and formalized; AND/OR: Incident response follows a defined process available through staff training; AND/OR: General security plan exists for asset, but is IT-focused, not business-focused; AND/OR: Security responsibilities and duties for this asset are assigned, but not always enforced.
General Recommendations: I. Measure and perform security procedures/event handling against established benchmarking data. II. Collaborate with management and HR to assign security responsibilities and duties with greater clarity. III. Start considering security courses and accreditations for IT staff. IV. Align security measures and purchases with business goals. V. [Enter further recommendations here] VI. [Enter further recommendations here]

Range: 1.0 - 1.9 - Managed, Measured, and Controlled
Explanation: Security procedures and event handling are completed against industry benchmarks; AND/OR: Security responsibilities and duties for this asset are clearly defined, assigned, and enforced; AND/OR: Security certifications are being/have been attained for this and similar assets; AND/OR: User identification and authorization are established and enforced; AND/OR: Security testing performed on this asset and improvements made where necessary.
General Recommendations: I. Continue to define security requirements and procedures for this asset. II. Work towards fully integrating the auditing of this asset with the company's overall security plan/policy. III. Assess feasibility and fit of automated software tools to address security incidents and/or logging. IV. Develop and maintain ongoing awareness and analysis of vulnerabilities specific to this asset. V. [Enter further recommendations here] VI. [Enter further recommendations here]

Range: 0.0 - 0.9 - Optimized
Explanation: Security requirements for this asset are clearly defined, actively pursued, and incorporated with the company's overall IT security plan; AND/OR: Periodic security assessments for this asset are conducted; AND/OR: End users increasingly held responsible for the security of this asset (if applicable); AND/OR: Security incidents addressed with formal response procedures and automated tools; AND/OR: Information on new vulnerabilities is collected and analyzed, and proactive mitigation plans are implemented for continuous improvement.
General Recommendations: I. Few recommendations; security practices are optimized at this point in time. II. Continue to update procedures as technologies progress and best practices dictate. Danger here lies in complacency. III. Remain vigilant, with an eye on continuous improvement. IV. [Enter further recommendations here] V. [Enter further recommendations here]

Desktop Applications and Workstation Probability Assessment
Company: Date: Consolidated Widgets 11/3/2004

Purpose
Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 Vulnerability Questionnaire .

Instructions
Select a number that best represents the chance of a negative security event occurring in the 11 categories (derived from Sheet 3 Vulnerability Questionnaire ) over the course of the next 6 to 12 months. Enter a percentage for each category.

Note: Probability assessments are very much a judgment call on your part, as it is extremely difficult to account for criteria such as your specific hardware and software, pre-existing security measures, the physical layout of your office, geographic location, and so on. In fact, some security event will almost certainly occur given enough time. The following table lists the numerical value of event probabilities.
0 to 10% = Negligible or no chance of this event occurring
11 to 20% = Minor chance
21 to 30% = Some chance
31 to 40% = Fair chance
41 to 50% = Considerable chance
51 to 60% = Good chance
61 to 70% = Strong chance
71 to 80% = Very strong chance
81 to 90% = Critical likelihood
91 to 100% = Event is imminent

Desktop Applications and Workstation Event Probabilities: Enter a percentage value for each category
Application Policy Violation: 70.0%
Non-Enforcement: 50.0%
Poor Purchasing Requirements: 20.0%
Poor Post Purchasing Requirements: 10.0%
Lack of Virus Checking: 50.0%
Poor Copying Practices: 85.0%

Desktop Applications and Workstation Business Risk Quotient
Company: Date: Consolidated Widgets 11/3/2004

Purpose
Determines the likelihood of a negative security event occurring in any of the 11 categories in Sheet 3 Vulnerability Questionnaire .

Instructions
No intervention required. Outputs from Sheets 1, 3, and 4 automatically calculate the Business Risk Quotient. Any negative numbers are represented as zero.

Outputs
Business Risk Quotient numbers represent your Current State, which are then exported to the Audit Results and Final Report sheets.

Risk = (Business Impact + [Vulnerability x Probability]) / 2

Event / Outcome(s) / Business Impact / Vulnerability / Probability / BRQ

1. Application Policy Violation
Outcome(s): Lack of established policies may result in promotion of an inefficient working environment or potential security threat.
Business Impact 1.5 - Vulnerability 2.8 - Probability 70.0% - BRQ 1.7

2. Non-Enforcement
Outcome(s): Non-enforcement of the policies in place may give rise to lack of security practices, resulting in a possible security hole.
Business Impact 1.5 - Vulnerability 3.3 - Probability 50.0% - BRQ 1.6

3. Poor Purchasing Requirements
Outcome(s): Poor purchasing requirements may result in ineffective security standards for applications being installed corporate wide.
Business Impact 1.5 - Vulnerability 2.8 - Probability 20.0% - BRQ 1.0

4. Poor Post Purchasing Requirements
Outcome(s): Poor post purchasing practices leave information related to software scattered and difficult to find, leaving secure application software open to theft.
Business Impact 1.5 - Vulnerability 3.8 - Probability 10.0% - BRQ 0.9

5. Lack of Virus Checking
Outcome(s): Lack of virus checking will allow viruses to enter through the applications, corrupting the network and causing considerable damage to the company.
Business Impact 1.5 - Vulnerability 5.0 - Probability 50.0% - BRQ 2.0

6. Poor Copying Practices
Outcome(s): Improper copying practices would lead to corrupted copies of applications or violations of the copying policies.
Business Impact 1.5 - Vulnerability 2.8 - Probability 85.0% - BRQ 1.9

7. Poor Installation Practices
Outcome(s): Poor installation practices may result in improper permissions being put on application files and folders, or possible corruption of other critical applications.
Business Impact 1.5 - Vulnerability 3.3 - Probability 50.0% - BRQ 1.6

8. Weak Maintenance
Outcome(s): Weak maintenance practices may result in inefficiencies in version upgrades causing version problems across the network or improper re-installs.
Business Impact 1.5 - Vulnerability 2.7 - Probability 40.0% - BRQ 1.3

9. Spurious Record Keeping
Outcome(s): Improper record keeping will result in significant time required to create a list and track the applications. Upgrades to certain application versions will also be difficult in identifying where the applications are.
Business Impact 1.5 - Vulnerability 3.3 - Probability 35.0% - BRQ 1.3

10. Insufficient Workstation Protection
Outcome(s): Insufficient protection may result in theft and/or damage of workstations.
Business Impact 1.5 - Vulnerability 2.9 - Probability 60.0% - BRQ 1.6

11. Poor Protection of Confidentiality
Outcome(s): Lack of proper protection will open up unauthorized viewing or stealing of secure information.
Business Impact 1.5 - Vulnerability 3.2 - Probability 60.0% - BRQ 1.7

Avg. BRQ Score: 1.5

Desktop Applications and Workstation Audit Results
Company: Date: Consolidated Widgets 11/3/2004

Purpose
Illustrates how desktop applications and workstation's Current State (in blue) ranks against its ideal Target State (in red), both of which are derived from Sheet 5 - Business Risk Quotient.

Instructions
Note the target state, which represents the minimum Business Risk Quotient level required to secure desktop applications and workstations according to its relative level of business risk.

Outputs
None.

Quick Note on the Target State: The Current State figures represent the Business Risk Quotient scores themselves. Target State figures are calculated automatically from the Business Risk Quotient scores on Sheet 5 - Business Risk Quotient by subtracting 1.5 from the "Vulnerability" column (you will not see this calculation occur). This subtraction occurs because vulnerabilities can be controlled and mitigated, whereas probabilities and business impact usually cannot.
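The Business Risk Quotient formula on Sheet 5 and the Target State rule described above, carried through as a worked calculation. This is an added example, not part of the audit workbook; it takes the Business Impact, Vulnerability and Probability columns exactly as Sheet 5 prints them for Consolidated Widgets and reproduces the Current and Target scores and averages. Two details the sheets leave implicit are assumptions here and are marked in the code: the 1.5 reduction is applied to the vulnerability score before it is multiplied by the probability, and the "negative numbers are represented as zero" rule is applied to the computed quotient. Decimal arithmetic with round-half-up is used so that 2.8 means the 2.8 the sheet shows and display rounding matches a spreadsheet.

```python
"""Business Risk Quotient (BRQ) calculator.

Added worked example, not part of the audit workbook. Evaluates the Sheet 5 formula
    Risk = (Business Impact + [Vulnerability x Probability]) / 2
with negative results reported as zero, and the Target State rule from the Audit
Results sheet, which subtracts 1.5 from the Vulnerability column.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Assumption: the reduction is applied to the vulnerability score before the
# multiply; 1.5 is the figure the Audit Results sheet states.
TARGET_VULNERABILITY_REDUCTION = Decimal("1.5")


@dataclass(frozen=True)
class Category:
    name: str
    business_impact: float  # Sheet 1, out of 5
    vulnerability: float    # Sheet 3 category quotient, out of 5
    probability: float      # Sheet 4, as a fraction (70% -> 0.70)


def _dec(value) -> Decimal:
    # Convert via str() so 2.8 is exactly the 2.8 printed on the sheet,
    # not the nearest binary float.
    return value if isinstance(value, Decimal) else Decimal(str(value))


def brq(business_impact, vulnerability, probability) -> Decimal:
    """(Business Impact + [Vulnerability x Probability]) / 2, negatives reported as zero.

    Assumption: the clamp applies to the computed quotient, which is where a
    negative can arise once the Target State reduction pushes vulnerability below 0.
    """
    value = (_dec(business_impact) + _dec(vulnerability) * _dec(probability)) / 2
    return max(value, Decimal("0"))


def current_brq(cat: Category) -> Decimal:
    return brq(cat.business_impact, cat.vulnerability, cat.probability)


def target_brq(cat: Category) -> Decimal:
    reduced = _dec(cat.vulnerability) - TARGET_VULNERABILITY_REDUCTION
    return brq(cat.business_impact, reduced, cat.probability)


def one_decimal(value: Decimal) -> float:
    # Assumption: the sheets display one decimal place, rounding halves up.
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# The 11 categories exactly as scored on Sheet 5 for Consolidated Widgets.
CATEGORIES = [
    Category("Application Policy Violation", 1.5, 2.8, 0.70),
    Category("Non-Enforcement", 1.5, 3.3, 0.50),
    Category("Poor Purchasing Requirements", 1.5, 2.8, 0.20),
    Category("Poor Post Purchasing Requirements", 1.5, 3.8, 0.10),
    Category("Lack of Virus Checking", 1.5, 5.0, 0.50),
    Category("Poor Copying Practices", 1.5, 2.8, 0.85),
    Category("Poor Installation Practices", 1.5, 3.3, 0.50),
    Category("Weak Maintenance", 1.5, 2.7, 0.40),
    Category("Spurious Record Keeping", 1.5, 3.3, 0.35),
    Category("Insufficient Workstation Protection", 1.5, 2.9, 0.60),
    Category("Poor Protection of Confidentiality", 1.5, 3.2, 0.60),
]


def score_table(categories=CATEGORIES):
    """(name, current BRQ, target BRQ) per category, rounded as the sheets display them."""
    return [(c.name, one_decimal(current_brq(c)), one_decimal(target_brq(c)))
            for c in categories]


def averages(categories=CATEGORIES):
    """Average BRQ as (current, target), computed on the unrounded quotients."""
    n = len(categories)
    cur = sum((current_brq(c) for c in categories), Decimal("0")) / n
    tgt = sum((target_brq(c) for c in categories), Decimal("0")) / n
    return one_decimal(cur), one_decimal(tgt)


def prioritized(categories=CATEGORIES):
    """Category names, highest current BRQ first: the Final Report's default ordering."""
    return [name for name, cur, _ in
            sorted(score_table(categories), key=lambda row: row[1], reverse=True)]


if __name__ == "__main__":
    for name, cur, tgt in score_table():
        print(f"{name:<38} current {cur:.1f}  target {tgt:.1f}")
    print("average (current, target):", averages())
    print("address first:", ", ".join(prioritized()[:3]))
```

Running the script prints the same eleven Current and Target scores and the 1.5 / 1.2 averages that the Audit Results and Final Report sheets show; the clamp only matters in the Target State, where a category whose vulnerability quotient is already below 1.5 would otherwise be credited with a negative contribution.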

[Chart: Desktop Applications and Workstation Security - Current State versus Target State on a 0 to 5 scale, across the categories Application Policies, Enforcement, Purchasing, Post Purchase, Virus Checks, Copying, Installation, Maintenance, Record Keeping, Workstation Asset Protection, and Protection of Confidentiality]

Desktop Applications and Workstation Final Report
Company: Date: Consolidated Widgets 11/3/2004

Purpose
The Final Report automatically amasses and compiles all metrics - both Current and Target - as well as general recommendations for improvement.

Instructions
Complete the specific tasks on the "Policy Amendment Recommendations" chart in order to improve security from its Current State to the Target State.

Outputs
None.

A Quick Note on Prioritization: As mentioned previously, the lower your score, the better your security. Conversely, high scores represent an increasingly poorer state of security for this asset. When prioritizing areas for improvement, you may wish to address them in order of criticality (i.e. the highest scores first). However, certain factors specific to your organization - such as geographic location, facility layout, and so on - may dictate that you address areas of risk in a different order. Be sure to consult the Business Impact Analysis you conducted earlier to help you prioritize your security initiatives.

Final Thought: Account for low probabilities as well as low impacts across multiple weak points. Your desktop applications and workstation could introduce many security flaws, but with low impacts and low probabilities. While this may make your scores look good, this doesn't mean that desktop applications and workstation security does not pose a risk.

Current State
Desktop Applications and Workstation Current Business Risk Quotient by Category
1. Application Policies: 1.7
2. Enforcement: 1.6
3. Purchasing: 1.0
4. Post Purchase: 0.9
5. Virus Checks: 2.0
6. Copying: 1.9
7. Installation: 1.6
8. Maintenance: 1.3
9. Record Keeping: 1.3
10. Workstation Asset Protection: 1.6
11. Protection of Confidentiality: 1.7

Desktop Applications and Workstation Business Risk Quotient Average (Current): 1.5

Explanation
Managed, Measured, and Controlled: Security procedures and event handling are completed against industry benchmarks; AND/OR: Security responsibilities and duties for this asset are clearly defined, assigned, and enforced; AND/OR: Security certifications are being/have been attained for this and similar assets; AND/OR: User identification and authorization are established and enforced; AND/OR: Security testing performed on this asset and improvements made where necessary.

Target State
Desktop Applications and Workstation Target Business Risk Quotient by Category
1. Application Policies: 1.2
2. Enforcement: 1.2
3. Purchasing: 0.9
4. Post Purchase: 0.9
5. Virus Checks: 1.6
6. Copying: 1.3
7. Installation: 1.2
8. Maintenance: 1.0
9. Record Keeping: 1.1
10. Workstation Asset Protection: 1.2
11. Protection of Confidentiality: 1.3

Desktop Applications and Workstation Business Risk Quotient Average (Target): 1.2

General Recommendations
I. Continue to define security requirements and procedures for this asset. II. Work towards fully integrating the auditing of this asset with the company's overall security plan/policy. III. Assess feasibility and fit of automated software tools to address security incidents and/or logging. IV. Develop and maintain ongoing awareness and analysis of vulnerabilities specific to this asset. V. [Enter further recommendations here] VI. [Enter further recommendations here]

Policy Amendment Recommendations
Category / Policy Recommendations

1. Application Policies
Ensure staff are restricted from giving licensed or company-developed software to clients, customers, friends, and others - Low Cost - Low Effort
Establish business case and written authorization prior to installing any new software, including shareware and freeware - Low Cost - Medium Effort
Discourage employees from installing personally-owned software on company equipment unless prior approval is obtained from the IT department and/or management - Low Cost - Low Effort
Prior to authorizing personally owned software, ensure the employee provides the software license to ensure copyright infringement will not occur - Low Cost - Low Effort

2. Enforcement
Ensure in-house developed software is covered by the same policies as commercial desktop productivity software - Low Cost - Low Effort
Ensure all provisions of the license agreements issued with software are followed - Low Cost - Medium Effort
Conduct periodic audits to ensure software policies are being followed - Low Cost - Medium Effort

3. Purchasing
If feasible, ensure software, support, and services are obtained only through an approved procurement process - Low Cost - Medium Effort
Before purchasing software, conduct an extensive search of available software or applications which meet each particular need - Low Cost - Medium Effort
Ensure procurement documents contain a requirement that vendors have anti-viral procedures in place to ensure their supplied media is uncontaminated by malicious software - Low Cost - Medium Effort
Where possible, ensure vendors demonstrate their software on stand-alone hardware - Low Cost - Low Effort
Consider that the new product is as yet untested in the marketplace, or a new company just in the market; this is a reliability issue - Low Cost - Low Effort

4. Post Purchase
Ensure that licenses and proof of ownership are on file for each piece of software - Low Cost - Low Effort
Ensure licenses, software manuals, and procurement documentation are stored in a secure location (i.e. closed locked cabinet) - Low Cost - Low Effort
Ensure sensitive and/or critical items are clearly identified and stored with appropriate access controls in place - Medium Cost - Medium Effort

5. Virus Checks
Ensure all PC machine-readable media, regardless of source, are scanned for malware before initial use and connection to the network - Low Cost - Medium Effort
Scan all proprietary software for viruses, even when sealed in 'shrink-wrapped' plastic - Low Cost - Medium Effort
Ensure new applications are tested for viruses on a PC that is not connected to the corporate network - Medium Cost - Medium Effort
When testing new software, use guest-level access and permissions so important files cannot be modified - Low Cost - Low Effort

6. Copying
Prior to making backup copies and to prevent inadvertent destruction, write-protect original diskettes or use similar safeguards - Low Cost - Low Effort
If a vendor has not provided pre-approval of backup copies, ensure employees get vendor approval before creating additional copies - Low Cost - Low Effort
If licensed for multiple users, ensure only the authorized number of copies are made by assigning installation duties to IT personnel - Low Cost - Medium Effort
Where possible, use a network-isolated computer system when preparing copies for distribution - Low Cost - Low Effort
When copying software for back up or distribution, avoid using open access workstations (i.e. training rooms, user laboratories etc.) - Low Cost - Low Effort

7. Installation
Establish software loading controls on LANs and file servers (i.e. no uploading to FTP servers) - Low Cost - Medium Effort
If possible, separate system software and install application software on different partitions or different physical drives - Medium Cost - Medium Effort
Ensure that purchased software that is downloaded is stored on a separate server or partition - Low Cost - Low Effort
Immediately before installing, consider double-checking that the software is properly licensed, whether from the vendor or under the general public license - Low Cost - Medium Effort

8. Maintenance
Ensure vendor patches and/or security fixes are implemented as soon as possible after official receipt - Low Cost - Medium Effort
Test all vendor patches in an isolated test environment before rollout - Low Cost - High Effort
Prior to implementing new software or making changes, ensure there is a procedure in place that permits backing out and returning to a stable state - Low Cost - Low Effort
Ensure testing is completed in a sufficient number of quality-assurance environments before releasing it into production or general use - Medium Cost - Medium Effort
Post implementation, ensure that the user functions and required administrative, technical, and physical safeguards are verified as being present and operationally adequate - Low Cost - Medium Effort
Ensure that obsolete software versions are disposed of in accordance with the licensing agreement - Low Cost - Low Effort

9. Record Keeping
Maintain written records of software installed on each machine - Low Cost - Medium Effort
On an annual basis, compare the written inventory of software to each individual PC to ensure only legal and approved software are installed and being used - Low Cost - Medium Effort
