Information Security Policy Compliance Self-Assessment

The following assessment provides a self-awareness and training tool for the locations to informally review their internal IT security setting. All locations should conduct an Information Systems Security Assessment to identify the location's security of information and its vulnerabilities. This Self-Assessment is designed to be one method of identifying agency information technology areas that are vulnerable to intrusion from a trusted insider or outside source. An honest evaluation heightens the location's awareness of security issues they may or may not have given thought to and also assists in the development and refinement of their information systems security plan. Sincere answers to the assessment provide the location with best practices to initiate proactive corrective actions to adequately protect: (1) assets from fraud and misuse, (2) sensitive information from inappropriate disclosure, and (3) critical operations from disruption.

Information System Security

- Does the location have a system or network administrator assigned full time?
- Has the system or network administrator been trained for assigned duties?
- Have the system or network administrators received security training?
- Are systems tested for software vulnerabilities?
- Are usernames and passwords required?
- Do passwords have expiration dates?
- Do passwords have a minimum length?
- Are warning banners installed on all systems?
- Are backups stored securely?
- Is there a hardware and software configuration control process in place?
- Is someone assigned the responsibility for installing system patches?
- Are patches re-installed after a software update, as necessary?
- Are systems tested for software/security fixes?
- Does the system administrator download patch and service pack information?
- Are factory-installed passwords changed on new equipment immediately upon installation?

Computer Software Piracy

- Are procedures in place to ensure that only authorized and properly licensed software is installed on individual PCs and the network?
- Are software copyright laws enforced?
- Is all software inventoried?
- Are location personnel educated regarding copyrights and the use of licensed software?

Orientation and Checkout

- Does the location address information security in the New Employee Orientation Program?
- Does the location provide a security briefing to new employees and contractors, which explains information security responsibilities?
- Are checkout procedures in place so that employees turn in security-related IDs and data when access is no longer required?

Information Systems

Virus protection.

- Does the location have virus-checking software installed and operational on servers and individual PCs?
- Are virus software and signature files updated on a regular schedule?
- Are diskettes from outside sources scanned?
- Are downloaded software and files scanned?
- Are employees aware of reporting requirements in the event of a virus?
- Are employees alerted to specific virus threats, e.g. Melissa, Trojan Horse?

Data Integrity/Modification/Disclosure.

- Have your users identified data sensitivity?
- Is sensitive data protected from disclosure?
- Are data rights (read, write, world, etc.) enforced?
- Do you have procedures to revoke access?
- Is there proper protection for magnetic media?
- Are there sanitization procedures for when magnetic media is no longer required?
- When someone attempts to access data for which they do not have permission, is it recorded?

Network/Internet Security.

- Do you have any local policy or guidelines for agency networks?
- Are any firewalls installed?
- Are rules set for firewall traffic allowed or disallowed?
- Is any intrusion detection software installed?
- Are passwords required for network access?
- Is any encryption software installed for information identified as sensitive?
- Are dial-in services allowed?
- Have all modems been disconnected?

Protection of IS resources.

- Is access to ADP equipment, facilities, and systems limited to authorized personnel only? What physical security measures are in place?
- Are employees aware of how to report missing, lost or stolen IS resources and, if so, to whom?
- Is access to the building entrance controlled?
- Are personal identification badges required?
- Do you have a visitor control program?
- Is an inventory of computer equipment maintained/updated?
- Are office doors locked after normal working hours?
- Do you have any policy addressing laptop security?

Memorandum of Agreements (MOA)/Research Support Agreements (RSA) with USDA entities or other Organizations and Federal Agencies.

- Are respective agency security requirements defined?
- Is this document signed by all concerned?
- Is it clear who is responsible for network connections?
- Do any systems require contingency plans by the other organization?
- Are security points of contact identified?
- Are all shared resources identified?
- Is the mission/function for connections clearly defined?
- Is the type of data identified in the MOA? (sensitive)

Protection and Housekeeping Practices for two different environments.

Personal Computer/Workstation environment.

- Are workstations protected by surge protectors?
- Are fire extinguishers installed close by?
- Is office lighting adequate?
- Are employees required to log out when leaving a workstation unattended?

Computer, Server, IS equipment Room environment.

- Is emergency lighting provided?
- Are fire alarms in good working order?
- Is magnetic material stored properly?
- Are fire extinguishers installed in the area?
- Are periodic fire drills performed?
- Are emergency evacuation routes posted?
- Is an automatic fire suppression system installed?
- Is an emergency power-off switch installed?
- Are overhead pipes or a sprinkler system installed in the room?
- Is routine cleaning and trash removal performed during business hours?
- Is preventive maintenance performed routinely?