Security Checklist

Value of affected assets should be assigned to each of the applicable vulnerabilities:

• Operational Vulnerabilities
• Poor Awareness
• Common Sense and Common Knowledge
• Social Engineering
• Accidents and carelessness
• Policies and Procedures that create security vulnerabilities
• Predictability
• Procedures in Practice
• Public Relations
• Help wanted Ads
• Internet Usage
• Credit card and Travel records
• Telephone Records and Conversations
• Casual Conversations
• Supplier Records
• Personal Aggrandizement
• Working outside the office
• Poor Incident Reporting Procedures
• Basic Human Weakness
• Too little information
• Contractual Relationship
• Same passwords on multiple systems
• Physical Vulnerabilities
• Apathetic or Poorly Informed Guards
• No Physical Access Controls
• Garbage
• Open Storage
• Copy Machines
• Electronic storage
• Neighbors
• Your Environment
• Equipment Size
• Poor Inventory Tracking
• Messy Desks
• Inboxes
• Participating in surveys
• Computers not logged out
• Computers with no password protection
• Password written down
• Lack of locks and their use
• Electrical system failure
• Placement of building and equipment
• Personnel Vulnerabilities
• Failure to validate claimed backgrounds
• Money, Ideology, Coercion or Ego (M.I.C.E.)
• Weak Management
• Poor Separation Procedures
• Isolation of Human resources
• Personal hardships
• Technical Vulnerabilities:
• Software Bugs
• Configuration Errors
• Poor or no Password
• Wireless Networks
• Modem Access
• Data Transmission
• Difficult-To-Detect System Modifications
• Spy ware
• Data storage
• TEMPEST
• Electromagnetic pulses
• Telephone taps
• Unencrypted off-site backup data
• Bugs

Cost should be assigned to each of the selected countermeasures:

• Operational Countermeasures
• Awareness Training
• Classifying Information
• Security Alert System
• Rewards for proper action
• Call back before disclosing sensitive information
• Verify the need for the information access
• Access rights review when changing position or responsibilities
• Verify Identities and Purposes
• Remove personal identifiers from Access Badges
• Nondisclosure Agreements
• Review Press Releases
• Strict guidelines to staff about disclosures
• Reporting of unusual contact especially interested in your work
• Monitoring Internet activity
• Minimize data storage
• Monitoring of Technical Vulnerabilities
• Security training
• Access privileges management
• Join Professional Organizations
• Separate telephone lines, from different telephone exchanges
• Verify identity for password reset request
• Limiting telephone Conversations Topics
• Limiting Cellular and Cordless Telephone Topics
• Limiting conversations away from work
• Security interactions with other departments
• Disabling computer accounts for contractors after contract completion
• Develop Disaster-Recovery and Incident-handling procedures
• Perform periodic Vulnerability Assessments with Penetration Testing
• Set password protection on customer accounts with service providers
• Limit disclosure of IT department employee contact information
• Use generic email addresses
• Minimize contact information for Domain Registrations
• Personnel Countermeasures
• Background Checks
• Employees Hotlines
• Coordination between HR and Information Systems Department
• Coordination between HR and the Security Department
• Tracking Information access
• Reviewing visitors
• Categorize Employees and Establish Roles
• Coordinate Termination
• Impose your requirements on Contracted Services
• Physical Countermeasures
• Protect sensitive information
• Loc Up all Controlled information
• Use password protected screen savers
• Apply clean desk policy
• Conduct facility Walk-Through
• Watch for strange postings
• Locking cables for equipment
• Place controls on copy machines
• Technical library control
• Post Security Reminders
• Make paper shredders widely available
• Escort visitors
• Lock Dumpsters
• Perimeter locks
• Log unusual accesses and removal of equipment
• Enforce use of access badges
• Use card access locks
• Lock network and phone cabinets
• Properly train guards
• Use security patrols
• Chose locations wisely
• Watch where you conduct business outside your facility
• Maintain proper fire suppression
• Adequate uninterruptible power supplies
• Technical Countermeasures
• Anti-virus software
• Firewalls
• Intrusion Detection Systems/Intrusion Prevention Systems
• Backups
• Vulnerability scanners
• War dialing
• Wireless security
• Automated patching, where applicable
• Manual patching, where necessary
• Adequate software testing
• Secure configuration baselines
• Multifactor authentication
• Single Sign-on software
• Audit Logs
• Mirrored Logs
• Bug and wiretap Sweeps
• Voice mailboxes to become disabled after successive invalid access attempts
• Encryption of date, on site
• Off-site backup data should be encrypted
• Dedicated network segment for visitors
• Propper discarding of removable media
• Off-line data storage

Cost of countermeasures should not exceed the value of assets protected by the mitigated vulnerabilities.

Copyright © 2007 InfoSecPro.com™
No material may be reproduced without written permission.