Transportation Security  | Physical Security  | Firewall Pro  | Network Security  | S.C.A.D.A.  | H.I.P.A.A.  | eBanking  | Kids' Password  
InfoSecPro.com


InfoSecPro.com is a provider of Security Assessments for Federal, State and Local Governments.
Our staff of Professional Engineers (P.E.), Certified Information Systems Security Professionals (CISSP), Microsoft Certified Systems Engineers (MCSE), Professional Traffic Operations Engineers (P.T.O.E.) and Cisco Certified Network Associates (CCNA) will provide the best, cost-effective security solutions.

For Security Assessments contact us at:

InfoSecPro.com
PO Box: 291
Purchase, NY 10577-0291
732-763-2814
tibi@infosecpro.com
www.infosecpro.com

Security Checklist


Assign the value of the affected assets to each applicable vulnerability (the same asset may be exposed through several vulnerabilities; record the value against each one it applies to):

  • Operational Vulnerabilities
    • Poor Awareness
    • Common Sense and Common Knowledge
    • Social Engineering
    • Accidents and carelessness
    • Policies and Procedures that create security vulnerabilities
    • Predictability
    • Procedures in Practice
    • Public Relations
    • Help wanted Ads
    • Internet Usage
    • Credit card and Travel records
    • Telephone Records and Conversations
    • Casual Conversations
    • Supplier Records
    • Personal Aggrandizement
    • Working outside the office
    • Poor Incident Reporting Procedures
    • Basic Human Weakness
    • Too little information
    • Contractual Relationship
    • Same passwords on multiple systems

  • Physical Vulnerabilities
    • Apathetic or Poorly Informed Guards
    • No Physical Access Controls
    • Garbage
    • Open Storage
    • Copy Machines
    • Electronic storage
    • Neighbors
    • Your Environment
    • Equipment Size
    • Poor Inventory Tracking
    • Messy Desks
    • Inboxes
    • Participating in surveys
    • Computers not logged out
    • Computers with no password protection
    • Password written down
    • Lack of locks and their use
    • Electrical system failure
    • Placement of building and equipment

  • Personnel Vulnerabilities
    • Failure to validate claimed backgrounds
    • Money, Ideology, Coercion or Ego (M.I.C.E.)
    • Weak Management
    • Poor Separation Procedures
    • Isolation of Human resources
    • Personal hardships

  • Technical Vulnerabilities:
    • Software Bugs
    • Configuration Errors
    • Poor or no Password
    • Wireless Networks
    • Modem Access
    • Data Transmission
    • Difficult-To-Detect System Modifications
    • Spyware
    • Data storage
    • TEMPEST
    • Electromagnetic pulses
    • Telephone taps
    • Unencrypted off-site backup data
    • Bugs (covert listening devices)

Assign a cost to each selected countermeasure (purchase plus the ongoing cost of operating it), and note which of the vulnerabilities above it mitigates:

  • Operational Countermeasures
    • Awareness Training
    • Classifying Information
    • Security Alert System
    • Rewards for proper action
    • Call back before disclosing sensitive information
    • Verify the need for the information access
    • Access rights review when changing position or responsibilities
    • Verify Identities and Purposes
    • Remove personal identifiers from Access Badges
    • Nondisclosure Agreements
    • Review Press Releases
    • Strict guidelines to staff about disclosures
    • Reporting of unusual contact especially interested in your work
    • Monitoring Internet activity
    • Minimize data storage
    • Monitoring of Technical Vulnerabilities
    • Security training
    • Access privileges management
    • Join Professional Organizations
    • Separate telephone lines, from different telephone exchanges
    • Verify identity for password reset request
    • Limiting telephone Conversations Topics
    • Limiting Cellular and Cordless Telephone Topics
    • Limiting conversations away from work
    • Security interactions with other departments
    • Disabling computer accounts for contractors after contract completion
    • Develop Disaster-Recovery and Incident-handling procedures
    • Perform periodic Vulnerability Assessments with Penetration Testing
    • Set password protection on customer accounts with service providers
    • Limit disclosure of IT department employee contact information
    • Use generic email addresses
    • Minimize contact information for Domain Registrations

  • Personnel Countermeasures
    • Background Checks
    • Employee Hotlines
    • Coordination between HR and Information Systems Department
    • Coordination between HR and the Security Department
    • Tracking Information access
    • Reviewing visitors
    • Categorize Employees and Establish Roles
    • Coordinate Termination
    • Impose your requirements on Contracted Services

  • Physical Countermeasures
    • Protect sensitive information
    • Lock up all Controlled information
    • Use password protected screen savers
    • Apply clean desk policy
    • Conduct facility Walk-Through
    • Watch for strange postings
    • Locking cables for equipment
    • Place controls on copy machines
    • Technical library control
    • Post Security Reminders
    • Make paper shredders widely available
    • Escort visitors
    • Lock Dumpsters
    • Perimeter locks
    • Log unusual accesses and removal of equipment
    • Enforce use of access badges
    • Use card access locks
    • Lock network and phone cabinets
    • Properly train guards
    • Use security patrols
    • Choose locations wisely
    • Watch where you conduct business outside your facility
    • Maintain proper fire suppression
    • Adequate uninterruptible power supplies

  • Technical Countermeasures
    • Anti-virus software
    • Firewalls
    • Intrusion Detection Systems/Intrusion Prevention Systems
    • Backups
    • Vulnerability scanners
    • War dialing
    • Wireless security
    • Automated patching, where applicable
    • Manual patching, where necessary
    • Adequate software testing
    • Secure configuration baselines
    • Multifactor authentication
    • Single Sign-on software
    • Audit Logs
    • Mirrored Logs
    • Bug and wiretap Sweeps
    • Disable voice mailboxes after successive invalid access attempts
    • Encryption of data at rest, on site
    • Encryption of off-site backup data
    • Dedicated network segment for visitors
    • Proper discarding of removable media
    • Off-line data storage

The cost of a countermeasure should not exceed the value of the assets it protects, that is, the assets exposed through the vulnerabilities it mitigates. When several countermeasures address the same vulnerability, count that asset value only once, or the benefit of the later ones will be overstated.
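The screening rule above (asset value assigned per vulnerability, cost assigned per countermeasure, accept only countermeasures whose cost is covered by the value they protect) as a runnable example. This is an added illustration, not a tool from InfoSecPro.com; the vulnerability and countermeasure names are taken from the checklist, while the dollar figures, the greedy selection order and the function names are assumptions made for the example. The selection credits each vulnerability's asset value to the first countermeasure that covers it, so a second countermeasure for an already-covered vulnerability is not accepted on that value alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset_value: float      # value of the assets exposed through this vulnerability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float             # purchase plus first-year running cost, same unit as asset_value
    mitigates: tuple        # names of the vulnerabilities this countermeasure addresses


def value_protected(cm, vulns, already_covered=frozenset()):
    """Asset value this countermeasure protects, ignoring vulnerabilities
    that an already-accepted countermeasure covers (no double counting).
    An unknown vulnerability name is an inventory error, so it raises."""
    total = 0.0
    for v in cm.mitigates:
        if v not in vulns:
            raise KeyError(f"{cm.name!r} references unknown vulnerability {v!r}")
        if v not in already_covered:
            total += vulns[v].asset_value
    return total


def select_countermeasures(countermeasures, vulns):
    """Greedy selection: repeatedly take the candidate with the best
    value-protected-to-cost ratio and accept it only if its cost does not
    exceed the value of the still-unprotected assets it covers.
    Returns (accepted, rejected, covered_vulnerabilities)."""
    covered = set()
    accepted, rejected = [], []
    remaining = list(countermeasures)

    def ratio(item):
        value, cm = item
        return value / cm.cost if cm.cost > 0 else float("inf")  # free controls first

    while remaining:
        scored = [(value_protected(cm, vulns, covered), cm) for cm in remaining]
        value, cm = max(scored, key=ratio)
        remaining.remove(cm)
        if value > 0 and value >= cm.cost:
            accepted.append((cm.name, value))
            covered.update(cm.mitigates)
        else:
            rejected.append((cm.name, value))
    return accepted, rejected, covered


def run_example():
    """Constructed inventory using checklist items; the figures are invented."""
    vulns = {v.name: v for v in [
        Vulnerability("Same passwords on multiple systems", 50_000),
        Vulnerability("Modem Access", 30_000),
        Vulnerability("Unencrypted off-site backup data", 120_000),
        Vulnerability("Garbage", 8_000),
        Vulnerability("Telephone taps", 5_000),
    ]}
    countermeasures = [
        Countermeasure("Multifactor authentication", 20_000,
                       ("Same passwords on multiple systems", "Modem Access")),
        Countermeasure("Single Sign-on software", 60_000,
                       ("Same passwords on multiple systems",)),
        Countermeasure("Off-site backup data should be encrypted", 15_000,
                       ("Unencrypted off-site backup data",)),
        Countermeasure("Lock Dumpsters", 1_500, ("Garbage",)),
        Countermeasure("Bug and wiretap Sweeps", 12_000, ("Telephone taps",)),
    ]
    return select_countermeasures(countermeasures, vulns)


if __name__ == "__main__":
    accepted, rejected, covered = run_example()
    for name, value in accepted:
        print(f"ACCEPT {name}: protects {value:,.0f}")
    for name, value in rejected:
        print(f"REJECT {name}: would protect only {value:,.0f} of new value")
    print("covered:", sorted(covered))
```

In the constructed inventory the backup encryption, dumpster locks and multifactor authentication are accepted, the wiretap sweep is rejected because its cost exceeds the value of the assets it protects, and single sign-on is rejected because the only vulnerability it addresses is already covered by multifactor authentication. Replace the figures with your own asset valuations and quotes; the rule itself does not change.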


Copyright © 2007 InfoSecPro.com™
No material may be reproduced without written permission.