Company Security Checklist

1. Management responsibilities

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Information Security Policy? Does it exist and has it been written and approved by management? | No Policy = No resources. | |
| 2 | Is there a process for scrutinizing the policy? | It is a living document and must be updated | |
| 3 | Is there an initiative from management to do a risk analysis? | What are the threats and the risk that they will be activated? | |
| 4 | Is there a management initiative to create a security plan? | To define how the targets and the intention in the policy document should be realized | |
| 5 | Is there a management initiative to create a security architecture? | The security architecture is a high level description of technical security functions and organizational needs to fulfil the security demands. | |
| 6 | Is there any management policy for external communication like the Internet? | Internet connections tend to grow uncontrolled | |
| 7 | Do all management staff know the contents and intentions of the policy? | | |
| 8 | Is the organization for Information Security work defined in the policy document? | | |
| 9 | Is there any Information Security training plan? | | |
| 10 | Are Information Security topics a part of the introduction plan for new members of the staff? | | |

2. Organization

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is there an Information Security officer? | Someone must have the responsibility to put the management policy into practice. | |
| 2 | Does an Information Security Handbook exist? Has it been approved by the management? | | |
| 3 | Is there an organization and plan to train the staff regularly in security matters? | Information Security training is not a once-and-for-all training. | |
| 4 | Is there an organization for the 'Identification and Authorization' system? | | |
| 5 | Is there an organization for contingency planning and handling? | | |
| 6 | Is there an organization plan for handling incidents? | The organization must be prepared for incidents | |
| 7 | Is the responsibility and authority defined in the organization plan, or in a job description document? | | |
| 8 | Does an organization plan exist to explain the different staff categories in the IT process? E.g. IT Security Manager, Developers, Operators, Users etc. | Different categories need different training and handbooks in Information Security matters | |

3. Personnel (Employees)

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| All | | | |
| 1 | Are new members checked before employment? References, education, security clearance etc. | Must be done before. After it might be too late. | |
| 2 | Are new staff informed of secrecy regulations? | | |
| 3 | Do they sign a secrecy certificate? | | |
| 4 | Are 'key-persons' identified? | Backup available for those? | |
| 5 | Does the staff get appropriate security training on a regular basis? | Information Security training is not a once-and-for-all training. | |
| 6 | Are all staff informed on the consequences of breaking the security regulations? | Security violation. | |
| 7 | Are there any routines for employees who leave? | There are many things to clean up in IT systems to remove their authorities. | |
| Systems Administration Personnel | | | |
| 8 | Are they informed on specific security regulations for Developers, Network Administrators etc.? | A 'root' privilege does not imply they have authority to access all data/information. | |
| Users | | | |
| 9 | Are there very short, written security instructions for users? | Maximum 1 page | |

4. Personnel (Other)

This section covers consultants, service engineers and other service staff (guard, caretaker, cleaning service etc.).

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are there written contracts/agreements with Third Party companies? | | |
| 2 | Are those personnel categories informed about security routines? | They should sign a document to acknowledge that they understand the rules. | |
| 3 | Are those personnel categories 'security checked'? | Security clearance | |
| 4 | Are the companies they work for (their employer) 'security checked'? | Security clearance | |
| 5 | Are 'key-persons' identified? | Backup available for those? | |
| 6 | Are those personnel categories informed of the consequences of breaking the security regulations? | | |
| 7 | Are there any routines for end of assignments? | There are many things to clean up in IT systems to remove their authorities. | |

5. Information classification

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is there a system for information classification according to the appropriate level of availability? (e.g. open, confidential, secret) | To make it possible to apply the most effective security measures | |
| 2 | Does the classification system require encryption for any class or type of information? | | |
| 3 | Is there a classification checklist to make it easy for the user to determine information class? | | |

6. Software

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are there any instructions for bringing outside software/data into the organization? | | |
| 2 | Are policy documents and security guidelines considered during developing systems? | Security features must be implemented from the beginning. | |
| 3 | Are security requirements included in the demand specification when buying or developing systems? | The requirements must be included from the beginning. | |
| 4 | Are system tests and development separated from production systems? | Avoid compilers and editors in production systems. | |
| 5 | Are security-related patches from developers and/or vendors implemented as soon as possible? | Routines for this must exist. | |
| 6 | Is a security validation approval done before introducing new software? Individual users should not be allowed to introduce new software. | New software might create new holes in the system. | |
| 7 | Is there a routine for installing a new operating system? | This is the most critical software and all configuration parameters must be checked before rebooting. | |
| 8 | Is it a classified operating system? | According to ITSEC, TCSEC, Common Criteria | |
| 9 | Are security options in the operating system activated? | | |
| 10 | Are there any routines to change all security related default parameters in the operating system? | | |
| 11 | Is it the same type of routine for application software? | To change defaults and to set security parameters. | |
| 12 | Are additional (e.g. hacks) and self-developed software well documented? | | |
| 13 | Are there any routines to request all patches that are needed to preserve the security? | To prevent hacking possibilities. | |
| 14 | Are 'system-tools' protected? | Software to administer and service the system. | |
| 15 | Is the use of 'system-tools' restricted to just a few persons? | | |
| 16 | Is all use of 'system-tools' logged? | | |
| 17 | Is anti-virus software installed and activated? | | |
| 18 | Do the users know how to handle viruses? | | |
| 19 | Are there any extended controls of software downloaded from WAN such as Internet? | | |
| 20 | Are the users informed about software licenses, as to what extent they are allowed to copy them and use them in other equipment? If they are allowed to use them for private use at home etc.? | | |
| 21 | Is loading of new software regulated? | | |
| 22 | Is critical software backed up and stored in another safe place? | | |
| 23 | Is critical software protected by checksums? | | |
| 24 | Is all software from well-known sources? | Special notice on encryption software | |

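
Item 23 asks whether critical software is protected by checksums. The Python example below is added here and is not part of the original checklist; it shows one way to answer that item in practice: build a SHA-256 manifest of an installation directory, keep the manifest somewhere else (the safe place of item 22), and re-verify the directory against it on a schedule, reporting files that changed, disappeared or appeared. The directory layout, file names and file contents in the demonstration are constructed.

```python
"""Checksum baseline and verification for critical software (added example).

Not from the original checklist. Builds a SHA-256 manifest of every file
under a directory and later verifies the directory against it. The tree
created in demo() is constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of one file, read in 64 KiB chunks so large binaries fit."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree under root with a stored baseline.

    Returns three sorted lists: files whose hash differs, files that are
    gone, and files present now that were never baselined. All three
    empty means the software is as it was when the baseline was taken.
    """
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: write data to root/rel."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> tuple:
    """Constructed scenario: baseline a small tree, then tamper with it.

    Returns (verification result before tampering, result after tampering).
    """
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original binary")
        _write(root, "config.ini", b"debug=0\n")
        baseline = build_baseline(root)
        before = verify(root, baseline)

        _write(root, "bin/app", b"patched binary")      # modified in place
        os.remove(os.path.join(root, "config.ini"))     # removed
        _write(root, "bin/extra", b"never baselined")   # added
        after = verify(root, baseline)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The manifest is only as trustworthy as its storage: keep it on read-only or separately controlled media, since a manifest stored next to the software can be regenerated by anyone who can change the software. A comparison that reports nothing is also worth logging, so that a silently skipped verification run is noticed.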
7. Hardware

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are there any instructions for bringing equipment outside the organization? | | |
| 2 | Are there instructions on how to discard equipment? | | |
| 3 | Is it made clear that the equipment is for business use only and not for private use by the user? | | |
| 4 | Are policy documents and security guidelines considered during introduction of new equipment? | | |
| 5 | Are security requirements included in the demand specification when buying or changing equipment? | The requirements must be included from the beginning. | |
| 6 | Is a security validation made before introducing new hardware? | New hardware might create new holes in the system. | |
| 7 | Is there a person responsible for each workstation/personal computer? | | |

8. Documentation

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is the management policy document printed and distributed to all members of staff and subsequently to new members? | | |
| 2 | Is there an Information Security handbook? | | |
| 3 | Are systems and manual routines well documented? | To prevent the dependence on key-persons. | |
| 4 | Are there documents describing: Are they up to date? | | |
| 5 | Do handbooks for each staff category exist? | | |
| 6 | Are there any written rules defining responsibility and authority for each staff category? | | |
| 7 | Are system documents stored in a safe place? | | |
| 8 | Is the access to the system documents restricted? | | |

9. Computer media

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are there any routines for labelling media? | | |
| 2 | Are all media listed in an inventory? | | |
| 3 | Are media handed over with receipts? | | |
| 4 | Is the existence of media checked on a regular basis? | Media in the inventory list. | |
| 5 | Are there any routines to handle missing media? | | |
| 6 | Are there any routines for archiving media? | | |
| 7 | Are there any routines for transporting media? | | |
| 8 | Are there any routines for destroying media? | | |
| 9 | Are there any routines for how to handle media during service? | Don't leave media unattended during service and don't let media with secret information leave your organization | |

10. Identification and Authorization

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| Identification/Authorization | | | |
| 1 | Is there an Identification/Authorization system that controls both users and resources? | Should be. | |
| 2 | Is the system built on 'something you know and something you have'? | A system with both password/PIN and something the users have (Smart-card/Biometrics) is preferable. | |
| 3 | Does the system include logging and alarm functions? | Preferable. Necessary to be able to trace incidents and to get quick alerts. | |
| 4 | Is there an organization to administer the Identification/Authorization system? | Shouldn't be the computer department. | |
| 5 | Does the system include access control to resources/objects? | | |
| 6 | Is it quality tested on password/PIN? | Don't allow too short PW/PIN codes or codes with just alphabetic or numeric characters. | |
| 7 | Is it possible to reuse old passwords/PIN? | Shouldn't. | |
| 8 | Is it possible to use the user id as password/PIN? | Shouldn't. | |
| 9 | Are there any routines to change software default passwords? | Most software, including the operating system, has a lot of defaults known by a lot of people. Must be changed. | |
| 10 | Is the number of log in attempts limited? | Should be to prevent hacking. | |
| 11 | Is the change of password/PIN compulsory after a certain number of days? | Should be. | |
| 12 | Is the system administrator password (root) changed frequently? | Should be. | |
| 13 | Does the system block an account if the password is not changed within the time limit or the account has remained unused? | Should be. | |
| 14 | Is it possible for a user to change their own privileges? | Shouldn't. | |
| 15 | Is the password/PIN encrypted? (one way encryption) | Should never be transported or stored in an unencrypted way. | |
| 16 | Is the user authentication so called 'strong' authentication? | Preferable. | |
| 17 | Is the password/PIN individual? | Must be. | |

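
Items 6 to 13 and 15 describe controls an Identification/Authorization system should enforce on passwords and accounts. The Python example below is added here and is not part of the original checklist; it implements those controls together in one small authenticator so that their interplay is visible (a rejected password leaves no account behind, a lockout also clears the wrong-guess counter, an overdue or unused account is blocked before the password is even checked). The thresholds (10 characters, 5 attempts, 90 days, 180 idle days, 5 remembered passwords), the user names and the passwords are constructed; the 'one way encryption' of item 15 is done here with salted PBKDF2-HMAC-SHA256, and days are plain integers to keep the example short.

```python
"""Password/PIN policy and account controls (added example, not from the checklist).
Covers section 10 items 6-13 and 15: minimum length, two character classes,
no user id in the password, no reuse, salted one-way hashing (PBKDF2-HMAC-SHA256),
limited failed logins, compulsory change after N days, blocking of overdue or
unused accounts. Thresholds and users are constructed; days are plain integers."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 10             # item 6
MAX_ATTEMPTS = 5            # item 10
MAX_PASSWORD_AGE_DAYS = 90  # item 11
MAX_UNUSED_DAYS = 180       # item 13
HISTORY_SIZE = 5            # item 7
PBKDF2_ROUNDS = 100_000

def one_way_hash(password: str, salt: bytes) -> bytes:
    """Item 15: only a salted one-way hash is ever stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def policy_violations(user_id: str, password: str) -> list:
    """Items 6 and 8: every quality rule the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.isalpha() for c in password), any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 2:
        problems.append("only one character class")
    if user_id.lower() in password.lower():
        problems.append("contains user id")
    return problems

@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    history: list = field(default_factory=list)   # earlier digests, same salt
    failed_attempts: int = 0
    blocked: bool = False
    password_set_day: int = 0
    last_login_day: int = 0

class Authenticator:
    def __init__(self):
        self.accounts = {}

    def create(self, user_id, password, today) -> list:
        """Returns policy problems; an empty list means the account now exists."""
        self.accounts[user_id] = Account(user_id, last_login_day=today)
        problems = self.set_password(user_id, password, today)
        if problems:
            del self.accounts[user_id]
        return problems

    def set_password(self, user_id, password, today) -> list:
        acct = self.accounts[user_id]
        problems = policy_violations(user_id, password)
        if problems:
            return problems
        candidate = one_way_hash(password, acct.salt)
        previous = ([acct.digest] if acct.digest else []) + acct.history
        if any(hmac.compare_digest(candidate, old) for old in previous):
            return ["reused password"]            # item 7
        if acct.digest:
            acct.history = ([acct.digest] + acct.history)[:HISTORY_SIZE]
        acct.digest, acct.password_set_day, acct.failed_attempts = candidate, today, 0
        return []

    def login(self, user_id, password, today) -> str:
        """Returns 'ok', 'failed' or 'blocked'."""
        acct = self.accounts[user_id]
        if today - acct.password_set_day > MAX_PASSWORD_AGE_DAYS or today - acct.last_login_day > MAX_UNUSED_DAYS:
            acct.blocked = True                   # item 13
        if acct.blocked:
            return "blocked"
        if not hmac.compare_digest(one_way_hash(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.blocked = True               # item 10
                return "blocked"
            return "failed"
        acct.failed_attempts, acct.last_login_day = 0, today
        return "ok"

def demo() -> dict:
    """Constructed walk-through; each value is what the control returned."""
    auth = Authenticator()
    r = {"weak": auth.create("alice", "alice123", today=0)}
    r["create"] = auth.create("alice", "Tr0ub4dor&3rd", today=0)
    r["login_ok"] = auth.login("alice", "Tr0ub4dor&3rd", today=1)
    r["reuse"] = auth.set_password("alice", "Tr0ub4dor&3rd", today=2)
    r["change"] = auth.set_password("alice", "correct-horse-42", today=2)
    r["attempts"] = [auth.login("alice", "wrong guess", today=3) for _ in range(MAX_ATTEMPTS)]
    r["after_block"] = auth.login("alice", "correct-horse-42", today=3)
    auth.create("bob", "Tr0ub4dor&3rd", today=0)
    r["expired"] = auth.login("bob", "Tr0ub4dor&3rd", today=100)
    return r
```

The reuse check of item 7 only works here because the salt is kept per account across password changes; with a fresh salt for every password the old digests could not be compared without also keeping their salts. Item 17 (individual passwords) is what makes the per-user lockout meaningful: a shared password would let one person's wrong guesses block everyone.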
11. System Security

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is there a routine to ensure the correct date and time in all systems and are they synchronized? | | |
| 2 | Are there enhanced logging facilities in critical systems? | | |

12. Communication

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| Internal | | | |
| 1 | Are there documented procedures for changing the network? | | |
| 2 | Are all changes to the network documented? | | |
| 3 | Is access to communication ports for service protected? | | |
| 4 | Is the network administrator privilege restricted to a few users? | | |
| 5 | Is all network hardware (HUB, Repeaters, Routers, Gateways etc.) well protected? | | |
| 6 | Is the software in the network hardware well protected? Use strong authentication for changing the software or configuration. | | |
| 7 | Is an IDS (Intrusion Detection System) installed? | To prevent 'insiders' from doing unauthorized things. Will not replace the need for a firewall. | |
| External | | | |
| 8 | Is a firewall installed? | | |
| 9 | Is there a routine for the administration of the firewall? | Setting up a firewall is not a once-and-for-all job. It must be updated constantly. | |
| 10 | Is the use of encryption considered? | Is there a trustworthy algorithm and key administration? | |
| 11 | Is access to communication ports for service protected? | | |
| 12 | Are the safeguards (including encryption when needed) considered regarding: | | |
| 13 | - Telnet | Strong authentication | |
| 14 | - FTP | | |
| 15 | - PPP | | |
| 16 | - EDI | | |
| 17 | - SNMP | | |
| 18 | - DNS-services | | |
| 19 | - Routing | | |
| 20 | - WEB-sessions | | |
| 21 | - Java, Javascript | | |
| 22 | - ActiveX | | |
| 23 | - Finger | | |
| 24 | - Rlogin | | |
| 25 | - Cookies | | |
| 26 | Are closed user groups used? | | |
| 27 | Are VPN (Virtual Private Networks) used? | | |

13. Logging

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is the logging system documented? | | |
| 2 | Are the log files protected against unauthorized access? | | |
| 3 | Is the system configured in a way that the log must be turned on? | | |
| What events are logged: | | | |
| 4 | - Login | | |
| 5 | - Logout | | |
| 6 | - Failed login | | |
| 7 | - Exceptional behaviour | User not acting normally. Might be sorted out via an IDS | |
| 8 | - Access violation | Unauthorized access to resources | |
| 9 | - Activities in the Identification and Authorization system? | New users, change of privileges, removal of users etc | |
| 10 | - Setting of date and time | | |
| 11 | - Introduction/removal of new hardware | | |
| 12 | - Introduction/removal of new software | | |
| 13 | - Introduction/removal of files | | |
| 14 | Are the log-files archived in a proper way? | | |

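
Logging the events in items 4 to 13 only pays off if someone reads the result. The Python example below is added here and is not part of the original checklist; it runs two such reviews over constructed log lines in a made-up one-line-per-event format: a failed-login burst check (item 6, here three failures for one user within five minutes) and a listing of Identification and Authorization administration and clock-setting events (items 9 and 10) for inspection one by one. Lines that do not match the format are counted rather than silently dropped, because a truncated or garbled log is itself a finding in the light of item 2. The event names, users, addresses and timestamps are all constructed.

```python
"""Review of security log lines (added example, not from the original checklist).

Two checks that the event list in section 13 makes possible once those
events are actually logged: failed-login bursts per user within a short
window (item 6), and I&A-administration plus clock-change events (items 9
and 10) listed for manual review. Log format and all lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<date> <time> <EVENT> user=<id> [key=value ...]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+)(?: (?P<rest>.*))?$"
)

SAMPLE_LOG = """\
2007-03-01 08:00:01 LOGIN user=alice src=10.0.0.5
2007-03-01 08:01:10 FAILED_LOGIN user=bob src=10.0.0.9
2007-03-01 08:01:15 FAILED_LOGIN user=bob src=10.0.0.9
2007-03-01 08:01:21 FAILED_LOGIN user=bob src=10.0.0.9
2007-03-01 08:02:00 LOGOUT user=alice
2007-03-01 08:30:00 FAILED_LOGIN user=carol src=10.0.0.7
garbage line that does not match the format
2007-03-01 09:15:00 PRIV_CHANGE user=dave by=admin from=user to=operator
2007-03-01 09:16:00 USER_ADD user=erin by=admin
2007-03-01 10:00:00 FAILED_LOGIN user=carol src=10.0.0.7
2007-03-01 10:00:30 SET_TIME user=root new=2007-03-01T10:00:00
"""

# Events a reviewer should look at individually, however few there are
REVIEW_EVENTS = {"USER_ADD", "USER_REMOVE", "PRIV_CHANGE", "SET_TIME"}


def parse_log(text: str) -> tuple:
    """Parse lines into event dicts; non-matching lines are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "event": m.group("event"),
            "user": m.group("user"),
            "rest": m.group("rest") or "",
        })
    return events, unparsed


def failed_login_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Users with at least `threshold` FAILED_LOGIN events inside one `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "FAILED_LOGIN":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        # sliding window: compare each failure with the (threshold-1)th one after it
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def events_for_review(events: list) -> list:
    """One line per I&A-administration or clock-change event, in log order."""
    return [
        f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['event']} {e['user']} {e['rest']}".rstrip()
        for e in events if e["event"] in REVIEW_EVENTS
    ]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} events parsed, {bad} unparsed line(s)")
    print("failed-login bursts:", failed_login_bursts(parsed))
    for line in events_for_review(parsed):
        print("review:", line)
```

The burst check depends on item 1 of section 11 (correct, synchronized clocks): if the logging host's clock is wrong the five-minute window means nothing, which is also why SET_TIME events are on the review list. Carol's two failures ninety minutes apart are not flagged, which is the intended behaviour; what the threshold and window should be is a local decision.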
14. Back-up

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are backups taken on a regular basis? | | |
| 2 | Are backups stored and archived in a safe place? | Protected against unauthorized access and 'climate' (fire, water etc.) | |
| 3 | Are the backup routines documented? | | |
| 4 | Are the backups labelled? | | |
| 5 | Is encryption of backups considered for secret information? | | |

15. Physical Protection

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Are all premises protected? | | |
| 2 | Are computers and network components placed in an access-protected area? | | |
| 3 | Is all system documentation safeguarded? | | |
| 4 | Are communication lines protected? | | |
| 5 | Is there an admission and leaving control system with a log? | | |
| 6 | Are the premises divided in different zones? | To restrict access | |
| 7 | Is there an up to date list with authorized people? | | |

16. Incident handling

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is there a plan for how to handle incidents? | | |
| 2 | Do you know how to contact the law enforcement entity responsible for computer crime? | | |

17. Contingency planning

| Nr | Question | Comment | Yes/No |
|---|---|---|---|
| 1 | Is there a contingency plan? | How to recover the system after an incident | |

Copyright © 2007 InfoSecPro.com™
No material may be reproduced without written permission.