Info. Systems Security Assessment

Physical Security

1. Is the server protected from environmental damage (fire, water, etc.)?
   Ideal Answer: YES. All servers must be housed in such a way as to protect against fire, water, and other environmental hazards. Example: servers must be in close proximity to a chemical extinguisher or CO2 extinguisher, or be equipped with a sprinkler system in case of a fire.

2. Is access to servers, hubs and routers, and wiring areas adequately controlled?
   Ideal Answer: YES. Servers, hubs, routers, and wiring areas should only be accessible to authorized personnel to reduce the risk of intrusion.

3. Are passwords encrypted during transmission from the workstations to the servers and in communications outside your network?
   Ideal Answer: YES. Password encryption for all transmissions is critical in reducing security exposures. By encrypting transmissions, you reduce the risk of an outside user tapping transmission lines and hacking into sensitive information on your server.

4. Is the server also used as a PC/workstation?
   Ideal Answer: NO. A server should not be used for dual purposes; there is a high risk of accidental loss of data if it is.

5. If some workstations are used to display sensitive information, are these workstations located in areas that will not allow unauthorized viewing of the information?
   Ideal Answer: YES. It is important to locate workstations strategically so that unauthorized individuals cannot view sensitive information.
Logical Security

6. Administrator Accounts and Access
   A. Do only those individuals who have administrative responsibilities for the network have "administrator" rights and privileges on the system?
      Ideal Answer: YES. Only those employees who are responsible for maintenance of the system should have "administrator" privileges. As a general rule, "administrator" status is limited to the primary support person and a backup.
   B. Do administrators have a second account on the server/LAN for day-to-day activities?
      Ideal Answer: YES. Administrators should have at least one separate common account for their day-to-day activities (e.g. email, calendar, applications, etc.). This prevents unnecessary contact with the server under the "administrator" account and reduces the risk of accidental loss of data.

7. User Accounts and Access
   A. Are there established procedures in place to authorize users to access the system and applications?
      Ideal Answer: YES. A written authorization form must be completed, reviewed, and approved by the application owner before a user is given access.
   B. Do you periodically verify your authorized user lists?
      Ideal Answer: YES. The administrator and personnel should review authorized user lists at least quarterly.
   C. Do you inform users of their rights and responsibilities regarding the computers, data and data security, passwords, and copyrights?
      Ideal Answer: YES. A written policy outlining user rights, responsibilities, security, confidentiality, etc. must be presented, reviewed, and signed by the user at the time of authorization.

8. User Account Passwords and Logon IDs
   A. Are users required to sign any document acknowledging their privileges and responsibilities relating to the LAN and their LAN account and authorizations?
      Ideal Answer: YES. In the event of abuse, a signed statement is evidence that an individual was made aware of the rules and responsibilities that go with data access.
   B. Are passwords non-printing, non-displaying, or keyed onto obliterated spaces?
      Ideal Answer: YES. This reduces the risk of stolen passwords.
   C. Are passwords established in a way that ensures they are nonstandard and unique?
      Ideal Answer: YES. All user passwords must be unique to reduce the risk of unauthorized individuals cracking passwords to gain user access. There are multiple free programs on the Internet that are used to crack common passwords.
   D. Is the minimum length of passwords at least 5 characters?
      Ideal Answer: YES. Preferably, use an alphanumeric password of 6 to 8 characters, which is the most common practice.
   E. Are passwords periodically changed?
      Ideal Answer: YES. All passwords must be changed on a periodic basis to prevent others from cracking passwords and using them without permission. The frequency of a required password change should be based upon the sensitivity of the data and the level of user authorization (e.g. "supervisor").
   F. Are group logon IDs utilized?
      Ideal Answer: NO. The use of a group logon ID makes it impossible to assign responsibility to an individual for any action performed under that ID.
   G. Are there controls over duplicate logons (duplicate logons are those that allow a user to log in to multiple workstations at the same time)?
      Ideal Answer: YES. While some departments or labs find duplicate logons beneficial for functionality, they increase the risk of unauthorized users being logged on without detection. Ideally, a control should be in place to limit each user ID to one logon at any given time.
   H. Do you promptly cancel user access for individuals who have been terminated or assigned other duties?
      Ideal Answer: YES. Once an employee has been terminated or assigned other duties, a personnel procedure should trigger a notification to the administrator to delete or change that user's access.

9. Is there automatic user sign-off/log-off?
   Ideal Answer: YES. All servers and user machines should automatically log the user off a secured system after a specific period of inactivity has elapsed. If a user leaves an unattended workstation while logged on, anyone with access to the workstation could cause serious damage to the system or data.

10. Are passwords protected when accessing the server by dialing in from off-site?
    Ideal Answer: YES. Password encryption should be used for all dial-in access. By encrypting dial-in transmissions, you reduce the risk of an outside user tapping transmission lines and hacking into sensitive information on your server.

11. Are there controls in place to prevent repeated attempts (failures) to access the system?
    Ideal Answer: YES. Controls should be in place to lock out a user after a set number of failed log-on attempts. As a general practice, only three attempts are allowed. This control reduces the risk of hackers using a computer program to make repeated attempts to gain access.

12. After a user is locked out by consecutive failed log-on attempts to the system, is the administrator required to re-authorize access?
    Ideal Answer: YES. This control provides better security than an automatic "time-out" reset, and provides more timely access to the user.

13. Are there time-of-day restrictions on when users may access the system?
    Ideal Answer: YES. Authorized users must have access to a system containing sensitive information only during normal working hours (unless otherwise approved). This control further reduces the opportunity hackers have to gain access to the system during non-working hours.

14. Are access violations and logs reviewed on a periodic basis?
    Ideal Answer: YES. The administrator should review the access violation logs for suspicious activity. Reviewing these on a regular basis can alert the administrator to possible hacking attempts so that they can react accordingly.
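The lockout, administrator re-authorization and log review controls of items 11, 12 and 14, worked as an added Python example that is not part of the original assessment; the user IDs, passwords, admin list and event names are constructed sample values.

```python
import hmac

MAX_FAILED_ATTEMPTS = 3  # item 11: lock the account after three failed logons


class LogonControl:
    """Counts failed logons, locks the account, and records access violations."""

    def __init__(self, credentials, admins):
        # credentials: user_id -> password (constructed sample; a real system
        # stores salted hashes, never plaintext). admins: IDs allowed to unlock.
        self.credentials = credentials
        self.admins = set(admins)
        self.state = {u: {"failed": 0, "locked": False} for u in credentials}
        self.violations = []  # item 14: the log the administrator reviews

    def attempt(self, user_id, password):
        acct = self.state.get(user_id)
        if acct is None:
            self.violations.append((user_id, "unknown user"))
            return False
        if acct["locked"]:  # stays locked: no automatic time-out reset (item 12)
            self.violations.append((user_id, "attempt on locked account"))
            return False
        if hmac.compare_digest(self.credentials[user_id], password):
            acct["failed"] = 0
            return True
        acct["failed"] += 1
        self.violations.append((user_id, "bad password"))
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            self.violations.append((user_id, "locked out"))
        return False

    def admin_unlock(self, admin_id, user_id):
        # item 12: only an administrator re-authorizes a locked-out user
        if admin_id not in self.admins or user_id not in self.state:
            self.violations.append((admin_id, "unauthorized unlock attempt"))
            return False
        self.state[user_id] = {"failed": 0, "locked": False}
        return True

    def review(self):
        # item 14: violations per user, so repeated attempts on one ID stand out
        counts = {}
        for user, _event in self.violations:
            counts[user] = counts.get(user, 0) + 1
        return counts
```

A correct password on a locked account is still refused until an administrator unlocks it, which is the behaviour item 12 asks for.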
Backup and Operations Continuation Plan

15. Are backups of data performed regularly?
    Ideal Answer: YES. Full backups should be routinely performed based upon the data volume and the difficulty of data reconstruction. In general, a nightly backup minimizes the risk of data loss. This routine control prevents loss of data if a temporary interruption occurs.

16. Are backups of departmentally authored programs performed?
    Ideal Answer: YES. Non-commercial program backups should also be periodically performed.

17. If backups are being performed, then:
    A. Do you have written backup procedures for programs and/or data?
       Ideal Answer: YES. These routine backup procedures should be documented and easily accessible to employees in the event of a temporary interruption or staffing changes.
    B. Is a copy of backup media maintained offsite for programs and/or data?
       Ideal Answer: YES. An offsite (secondary) location must be used for backup media storage. In the event of a fire, natural disaster, vandalism or theft at the primary business location, this prevents loss of both on-line and backup data.
    C. Are backup copies, both those maintained offsite and those at the primary office, protected against unauthorized access?
       Ideal Answer: YES. As with data stored at the primary office location, offsite backups should be protected against unauthorized users.
    D. Has the use of backup files been tested?
       Ideal Answer: YES. Backup files aren't worth maintaining if they cannot restore the original data. Testing the backup files will ensure backup file integrity should the primary files be destroyed.

19. Do you have an operations continuation plan?
    Ideal Answer: YES. All computer operations must have a continuation plan. This plan should be in writing so it is available to staff in the event of an emergency. In addition, training in the execution of the plan should be included and practiced.

Virus Protection

20. Do you have a memory-resident virus protection program on your computers, and is it periodically updated?
    Ideal Answer: YES. All computers must have a memory-resident virus protection program loaded and updated on a periodic basis. These programs help prevent your computer from becoming infected with a destructive computer virus.

Software

21. Does your division/department have a software use policy for users? A software use policy is one in which users are informed that they are only to use authorized software installed on their workstation. This policy includes a statement on what to do if a user has software (demos, trial versions, freeware, shareware, etc.) that they want to use on their workstation.
    Ideal Answer: YES. All divisions/departments must have a software use policy to provide guidance to users in the areas of appropriate use, computer responsibility, foreign software, security, etc.

22. Protection of software copyrights:
    A. Is a software inventory maintained and periodically updated?
       Ideal Answer: YES. A periodic software inventory is vital in identifying any unauthorized or missing software. Maintenance of this inventory is essential in documenting authorized software additions, upgrades, or deletions.
    B. Is there an established procedure to ensure compliance with licensing agreements?
       Ideal Answer: YES. A control must be in place to ensure that no licensing agreements are entered into without proper approval. The administrator's co-signature on all hardware/software purchases would reduce the risk of unauthorized agreements.