Auditing Best Practices Worksheet by apx11728

System Security Certification Worksheet
This worksheet must be completed for each System Security Certification. The worksheet is how the System Owner and System
Operator assert their compliance with security requirements.

It is the System Owner’s responsibility to read and understand all UW Medicine Information Security Policies pertaining to their
specific systems, servers and applications. These can be found at:

A. System Name and Purpose
 System Name

  System Purpose

B. System Owner and System Operator training dates
 Name                                                                   Role               Last SOSO Training Date
                                                                System Owner
                                                                System Operator

C. Component System Inventory
 Component/Server      Description                                                              Location

db160747-12bc-472c-91d5-9b9c7e7a8548.doc                                                                                  Page 1 of 4
D. Application Inventory
 Application                       Description                               Vendor        Department

E. Compliance with UW Medicine Information Security Policies
   Security    Summary                                                     Describe method / specifics for compliance
               Software Licensing & Unauthorized Use
               Information and Information System Classification –        Confidentiality needs are:  Low / Medium / High
               Confidentiality, Integrity & Availability classification.   Integrity needs are:        Low / Medium / High
                                                                           Availability needs are:     Low / Medium / High
                                                                           Confidential data includes: PHI / HR / Finance / PCI / FERPA
   SEC-04      Physical and Environmental Security – Physical, Access,
               Entry and Environmental
               Communications and Operations
         A     Least Privilege Access – Restrict System and Application
               Administrator access.
         B     Remote Access Control Standard – Includes non UW Medicine
               system access and data transmission standards.
         C     System and Maintenance Log Standard – Automatic system and
               manual maintenance logging must be kept for all systems.
         D     Automatic Logoff Standard – Securing of inactive sessions
               for PHI systems.
   SEC-05      Backup & Media Handling Standards – See Policies for
   SEC-05.01   summary.
   SEC-05.02   Wireless Networking Standard – Only applicable if system is
               using wireless.
               Encryption Standard – Standards for data encryption in
               transmission and storage.
               Minimum Information Security Standards
   SEC-05.04     - Workstation and Server
   SEC-05.05     - Networked Devices
         A     Supported OS – Use only OS with current security update
               support.
         B     Security best practices – Follow industry standard OS and
               application security hardening practices.
         C     Password Hardening – Use strong passwords for all system and
               application
         D     OS and Application Updates – Ensure all major OS and
               application service packs, patches, and updates are
               installed in a timely manner.
         E     Block unnecessary or potentially malicious network traffic –
               Use active network filtering (i.e., firewalls) and disable
               all unused system services.
         F     Protection against malicious software – Enable controls to
               prevent infection or propagation of malicious software.
         G     Approved networking and IP address assignments – Obtain
               appropriate IP address through official authority.
         H     Logging and auditing – Ensure that OS and Application
               logging is enabled and reviewed on a regular basis.
               Identity and Access Management – User access control and
               management
         A     User Registration – User authorization and verification
               process.
         B     User Account Creation & Maintenance – Account and role
               provisioning, records and maintenance procedures.
         C     User Account De-activation – Workforce separation or
               transfer procedures.
   SEC-07      Business Continuity and Disaster Recovery
         A     Data Backup Plan – See policy.
         B     Disaster Recovery Plan – See policy.
         C     Emergency Mode Plan – See policy.
         D     Testing and Revision of Plans – See
