| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Does an Information Security policy exist, and has it been written and approved by management? | No policy = no resources. | |
| 2 | Is there a process for scrutinising the policy? | It is a living document and must be updated. | |
| 3 | Is there an initiative from management to do a risk analysis? | What are the threats, and the risk that they will be activated? | |
| 4 | Is there a management initiative to create a security plan? | To define how the targets and the intention in the policy document should be realised. | |
| 5 | Is there a management initiative to create a security architecture? | The security architecture is a high-level description of technical security functions and organizational needs to fulfil the security demands. | |
| 6 | Is there any management policy for external communication like the Internet? | Internet connections tend to grow uncontrolled. | |
| 7 | Do all management staff know the contents and intentions of the policy? | | |
| 8 | Is the organization for Information Security work defined in the policy document? | | |
| 9 | Is there any Information Security training plan? | | |
| 10 | Are Information Security topics a part of the introduction plan for new members of the staff? | | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there an Information Security officer? | Someone must have the responsibility to put the management policy into practice. | |
| 2 | Does an Information Security handbook exist, and has it been approved by management? | | |
| 3 | Is there an organization and plan to train the staff regularly in security matters? | Information Security training is not a once-and-for-all training. | |
| 4 | Is there an organization for the 'Identification and Authorization' system? | | |
| 5 | Is there an organization for contingency planning and handling? | | |
| 6 | Is there an organization plan for handling incidents? | The organization must be prepared for incidents. | |
| 7 | Are responsibility and authority defined in the organization plan, or in a job description document? | | |
| 8 | Does an organization plan exist to explain the different staff categories in the IT process? E.g. IT Security Manager, Developers, Operators, Users etc. | Different categories need different training and handbooks in Information Security matters. | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | All | | |
| 1 | Are new members checked before employment? References, education, security clearance etc. | Must be done before. Afterwards it might be too late. | |
| 2 | Are new staff informed of secrecy regulations? | | |
| 3 | Do they sign a secrecy certificate? | | |
| 4 | Are 'key-persons' identified? | Backup available for those? | |
| 5 | Does the staff get appropriate security training on a regular basis? | Information Security training is not a once-and-for-all training. | |
| 6 | Are all staff informed of the consequences of breaking the security regulations? | Security violation. | |
| 7 | Are there any routines for employees who leave? | There are many things to clean up in IT systems to remove their authorities. | |
| | Systems Administration Personnel | | |
| 8 | Are they informed of specific security regulations for Developers, Network Administrators etc.? | A 'root' privilege does not imply they have authority to access all data/information. | |
| | Users | | |
| 9 | Are there very short, written security instructions for users? | Maximum 1 page. | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there written contracts/agreements with Third Party companies? | | |
| 2 | Are those personnel categories informed about security routines? | They should sign a document to acknowledge that they understand the rules. | |
| 3 | Are those personnel categories 'security checked'? | Security clearance. | |
| 4 | Are the companies they work for (their employer) 'security checked'? | Security clearance. | |
| 5 | Are 'key-persons' identified? | Backup available for those? | |
| 6 | Are those personnel categories informed of the consequences of breaking the security regulations? | | |
| 7 | Are there any routines for the end of assignments? | There are many things to clean up in IT systems to remove their authorities. | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any instructions for bringing outside software/data into the organization? | | |
| 2 | Are policy documents and security guidelines considered during development of systems? | Security features must be implemented from the beginning. | |
| 3 | Are security requirements included in the demand specification when buying or developing systems? | The requirements must be included from the beginning. | |
| 4 | Are system tests and development separated from production systems? | Avoid compilers and editors in production systems. | |
| 5 | Are security-related patches from developers and/or vendors implemented as soon as possible? | Routines for this must exist. | |
| 6 | Is a security validation approval done before introducing new software? | Individual users should not be allowed to introduce new software. New software might create new holes in the system. | |
| 7 | Is there a routine for installing a new operating system? | This is the most critical software, and all configuration parameters must be checked before rebooting. | |
| 8 | Is it a classified operating system? | According to ITSEC, TCSEC, Common Criteria. | |
| 9 | Are security options in the operating system activated? | | |
| 10 | Are there any routines to change all security-related default parameters in the operating system? | | |
| 11 | Is there the same type of routine for application software? | To change defaults and to set security parameters. | |
| 12 | Is additional (e.g. hacks) and self-developed software well documented? | | |
| 13 | Are there any routines to request all patches that are needed to preserve security? | To prevent hacking possibilities. | |
| 14 | Are 'system-tools' protected? | Software to administer and service the system. | |
| 15 | Is the use of 'system-tools' restricted to just a few persons? | | |
| 16 | Is all use of 'system-tools' logged? | | |
| 17 | Is anti-virus software installed and activated? | | |
| 18 | Do the users know how to handle viruses? | | |
| 19 | Are there any extended controls of software downloaded from a WAN such as the Internet? | | |
| 20 | Are the users informed about software licenses: to what extent they are allowed to copy them and use them on other equipment, and whether they are allowed to use them privately at home etc.? | | |
| 21 | Is loading of new software regulated? | | |
| 22 | Is critical software backed up and stored in another safe place? | | |
| 23 | Is critical software protected by checksums? | | |
| 24 | Is all software from well-known sources? | Special notice on encryption software. | |
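Item 23 asks whether critical software is protected by checksums. The following is an added example, not part of the original checklist: a minimal file-integrity check in Python that records a SHA-256 baseline of a directory tree and later reports files that were modified, removed or added. The directory layout, file contents and the tampering are all constructed here for the demonstration; in practice the baseline is taken on a known-good system and kept somewhere the checked system cannot write to.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample tree (relative path -> content); not from the checklist.
SAMPLE_FILES = {
    "bin/service": b"#!/bin/sh\necho running\n",
    "etc/service.conf": b"listen=127.0.0.1\n",
    "lib/helper.so": b"\x7fELF-fake-helper\n",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline; report ok/modified/missing/added."""
    current = build_baseline(root)
    report = {"ok": [], "modified": [], "missing": [], "added": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Create the constructed tree, take a baseline, simulate drift, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Serialise the baseline as it would be stored off-box; reload it for the check.
        stored = json.dumps(build_baseline(root), sort_keys=True)
        # Simulated changes: one file altered, one removed, one unexpected file added.
        (root / "bin/service").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "lib/helper.so").unlink()
        (root / "bin/extra").write_bytes(b"unexpected\n")
        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report separates "modified" from "added" because a new file in a system directory is as much a finding as a changed one, and "missing" catches the deletion of a tool or library that the routine in item 22 would then restore from backup.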
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any instructions for bringing equipment outside the organization? | | |
| 2 | Are there instructions on how to discard equipment? | | |
| 3 | Is it made clear that the equipment is for business use only and not for private use by the user? | | |
| 4 | Are policy documents and security guidelines considered during introduction of new equipment? | | |
| 5 | Are security requirements included in the demand specification when buying or changing equipment? | The requirements must be included from the beginning. | |
| 6 | Is a security validation made before introducing new hardware? | New hardware might create new holes in the system. | |
| 7 | Is there a person responsible for each workstation/personal computer? | | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is the management policy document printed and distributed to all members of staff, and subsequently to new members? | | |
| 2 | Is there an Information Security handbook? | | |
| 3 | Are systems and manual routines well documented? | To prevent the dependence on key-persons. | |
| 4 | Are there documents describing hardware, software, applications and communication? Are they up to date? | | |
| 5 | Do handbooks for each staff category exist (Developer; Administrators: network, database etc.; Users; Helpdesk; etc.)? | | |
| 6 | Are there any written rules defining responsibility and authority for each staff category? | | |
| 7 | Are system documents stored in a safe place? | | |
| 8 | Is access to the system documents restricted? | | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any routines for labelling media? | | |
| 2 | Are all media listed in an inventory? | | |
| 3 | Are media handed over with receipts? | | |
| 4 | Is the existence of media checked on a regular basis? | Media in the inventory list. | |
| 5 | Are there any routines to handle missing media? | | |
| 6 | Are there any routines for archiving media? | | |
| 7 | Are there any routines for transporting media? | | |
| 8 | Are there any routines for destroying media? | | |
| 9 | Are there any routines for how to handle media during service? | Don't leave media unattended during service, and don't let media with secret information leave your organization. | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | Identification/Authorisation | | |
| 1 | Is there an Identification/Authorisation system that controls both users and resources? | Should be. | |
| 2 | Is the system built on 'something you know and something you have'? | A system with both a password/PIN and something the users have (smart-card/biometrics) is preferable. | |
| 3 | Does the system include logging and alarm functions? | Preferable. Necessary to be able to trace incidents and to get quick alerts. | |
| 4 | Is there an organization to administer the Identification/Authorisation system? | Shouldn't be the computer department. | |
| 5 | Does the system include access control to resources/objects? | | |
| 6 | Is there a quality test on passwords/PINs? | Don't allow too short passwords/PIN codes, or codes with just alphabetic or just numeric characters. | |
| 7 | Is it possible to reuse old passwords/PINs? | Shouldn't be. | |
| 8 | Is it possible to use the user ID as password/PIN? | Shouldn't be. | |
| 9 | Are there any routines to change software default passwords? | Most software, including the operating system, has a lot of defaults known by a lot of people. Must be changed. | |
| 10 | Is the number of login attempts limited? | Should be, to prevent hacking. | |
| 11 | Is the change of password/PIN compulsory after a certain number of days? | Should be. | |
| 12 | Is the system administrator password (root) changed frequently? | Should be. | |
| 13 | Does the system block an account if the password is not changed within the time limit or the account has remained unused? | Should be. | |
| 14 | Is it possible for a user to change their own privileges? | Shouldn't be. | |
| 15 | Is the password/PIN encrypted (one-way encryption)? | Should never be transported or stored in an unencrypted way. | |
| 16 | Is the user authentication so-called 'strong' authentication? | Preferable. | |
| 17 | Is the password/PIN individual? | Must be. | |
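Items 6 to 10 and 15 above describe the checks an Identification/Authorisation system should make on passwords. As an added example (not part of the checklist), here is a Python implementation of those checks: a length and character-class test (item 6), rejection of the user ID as password (item 8), a denylist of vendor defaults (item 9), a history check against one-way stored hashes so reuse is detected without keeping old passwords in clear (items 7 and 15), and a per-account failed-attempt counter that locks the account (item 10). The minimum length, the work factor, the default-password list and the lockout threshold are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist of well-known vendor default passwords (placeholder
# values for the example, not taken from the checklist).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """One-way transform for storage (item 15): salted PBKDF2-HMAC-SHA256.
    Returns (salt, digest); the clear-text password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def check_password(user_id: str, candidate: str, history: list, min_len: int = 12) -> list:
    """Return the policy violations of a proposed password (empty list = accepted).
    history holds (salt, digest) pairs of the user's previous passwords."""
    problems = []
    if len(candidate) < min_len:                              # item 6: too short
        problems.append("too short")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 2:                                           # item 6: one class only
        problems.append("only one character class")
    if candidate.lower() == user_id.lower():                  # item 8
        problems.append("equals user ID")
    if candidate.lower() in DEFAULT_PASSWORDS:                # item 9
        problems.append("known default password")
    if any(matches(candidate, s, d) for s, d in history):     # item 7
        problems.append("reused from history")
    return problems


class LoginGuard:
    """Counts failed attempts per account and locks it after max_failures (item 10)."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def record_failure(self, user_id: str) -> bool:
        """Register one failed attempt; returns True once the account is locked."""
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.max_failures:
            self.locked.add(user_id)
        return user_id in self.locked

    def is_locked(self, user_id: str) -> bool:
        return user_id in self.locked

    def reset(self, user_id: str) -> None:
        """Administrative unlock or successful login: clears the counter."""
        self.failures.pop(user_id, None)
        self.locked.discard(user_id)


if __name__ == "__main__":
    previous = [hash_password("Old-Secret-2019")]
    for pw in ("alice", "changeme", "Old-Secret-2019", "Correct-Horse-42"):
        print(pw, "->", check_password("alice", pw, previous) or "accepted")
```

The history check deliberately re-derives the hash with each stored salt rather than comparing clear-text strings, which is what lets the system answer item 7 while still satisfying item 15. The lockout counter is intentionally separate from password quality: an attacker's failed attempts should lock the account regardless of how strong the real password is.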
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | Internal | | |
| 1 | Are there documented procedures for changing the network? | | |
| 2 | Are all changes to the network documented? | | |
| 3 | Is access to communication ports for service protected? | | |
| 4 | Is the network administrator privilege restricted to a few users? | | |
| 5 | Is all network hardware (hubs, repeaters, routers, gateways etc.) well protected? | | |
| 6 | Is the software in the network hardware well protected? | Use strong authentication for changing the software or configuration. | |
| 7 | Is an IDS (Intrusion Detection System) installed? | To prevent 'insiders' from doing unauthorised things. Will not replace the need for a firewall. | |
| | External | | |
| 8 | Is a firewall installed? | | |
| 9 | Is there a routine for the administration of the firewall? | Setting up a firewall is not a once-and-for-all job. It must be updated constantly. | |
| 10 | Is the use of encryption considered? | Is there a trustworthy algorithm and key administration? | |
| 11 | Is access to communication ports for service protected? | | |
| | Are the safeguards (including encryption when needed) considered regarding: | | |
| 12 | - E-mail | | |
| 13 | - Telnet | Strong authentication. | |
| 14 | - FTP | | |
| 15 | - PPP | | |
| 16 | - EDI | | |
| 17 | - SNMP | | |
| 18 | - DNS services | | |
| 19 | - Routing | | |
| 20 | - Web sessions | | |
| 21 | - Java, JavaScript | | |
| 22 | - ActiveX | | |
| 23 | - Finger | | |
| 24 | - Rlogin | | |
| 25 | - Cookies | | |
| 26 | Are closed user groups used? | | |
| 27 | Are VPNs (Virtual Private Networks) used? | | |
| No | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is the logging system documented? | | |
| 2 | Are the log files protected against unauthorised access? | | |
| 3 | Is the system configured in a way that the log must be turned on? | | |
| | What events are logged: | | |
| 4 | - Login | | |
| 5 | - Logout | | |
| 6 | - Failed login | | |
| 7 | - Exceptional behaviour | User not acting normally. Might be sorted out via an IDS. | |
| 8 | - Access violation | Unauthorised access to resources. | |
| 9 | - Activities in the Identification and Authorisation system | New users, change of privileges, removal of users etc. | |
| 10 | - Setting of date and time | | |
| 11 | - Introduction/removal of new hardware | | |
| 12 | - Introduction/removal of new software | | |
| 13 | - Introduction/removal of files | | |
| 14 | Are the log files archived in a proper way? | | |
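Items 4 to 10 list the events that should be logged; the comment on item 7 notes that exceptional behaviour may be sorted out via an IDS. As an added example (not from the checklist), the Python below parses a constructed log excerpt in an assumed `timestamp host subsystem: EVENT key=value ...` format and applies simple detection rules over it: repeated failed logins reaching a lockout threshold, a successful login after a run of failures, logins outside assumed working hours as a crude 'exceptional behaviour' signal, a user changing their own privileges (checklist item 14 of the Identification/Authorisation section), access violations, and changes to the system clock. The log format, event names, thresholds and working hours are all assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log excerpt in an assumed format; not real log output.
SAMPLE_LOG = """\
2024-03-04T08:55:01 host1 auth: LOGIN user=alice src=10.0.0.12
2024-03-04T09:01:44 host1 auth: FAILED_LOGIN user=bob src=10.0.0.5
2024-03-04T09:01:50 host1 auth: FAILED_LOGIN user=bob src=10.0.0.5
2024-03-04T09:01:58 host1 auth: FAILED_LOGIN user=bob src=10.0.0.5
2024-03-04T09:02:05 host1 auth: FAILED_LOGIN user=bob src=10.0.0.5
2024-03-04T09:03:10 host1 auth: LOGIN user=bob src=10.0.0.5
2024-03-04T09:10:00 host1 iam: PRIV_CHANGE user=bob by=bob role=admin
2024-03-04T12:00:00 host1 fs: ACCESS_DENIED user=carol path=/srv/payroll
2024-03-04T23:45:12 host1 auth: LOGIN user=carol src=10.0.0.9
2024-03-05T03:12:40 host1 auth: LOGIN user=alice src=10.0.0.12
2024-03-05T03:13:00 host1 sys: TIME_SET user=alice new=2024-01-01T00:00:00
2024-03-05T08:00:00 host1 auth: LOGOUT user=alice src=10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<subsystem>\w+): (?P<event>[A-Z_]+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log_text: str) -> list:
    """Turn each well-formed line into a dict with a datetime, the event name and its fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines would be counted separately in a real tool
        fields = dict(KV_RE.findall(m.group("kv")))
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "event": m.group("event"), **fields})
    return events


def analyse(events: list, fail_threshold: int = 3, work_hours: tuple = (7, 19)) -> list:
    """Apply the detection rules in log order and return human-readable findings."""
    findings = []
    fails = Counter()  # consecutive failed logins per user
    for e in events:
        user = e.get("user")
        kind = e["event"]
        if kind == "FAILED_LOGIN":
            fails[user] += 1
            if fails[user] == fail_threshold:
                findings.append(f"{user}: {fail_threshold} failed logins (lockout threshold reached)")
        elif kind == "LOGIN":
            if fails[user] >= fail_threshold:
                findings.append(f"{user}: successful login after {fails[user]} failures")
            fails[user] = 0
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                findings.append(f"{user}: login outside working hours at {e['ts'].isoformat()}")
        elif kind == "PRIV_CHANGE":
            if e.get("by") == user:
                findings.append(f"{user}: changed own privileges to {e.get('role')}")
            else:
                findings.append(f"{e.get('by')}: changed privileges of {user} to {e.get('role')}")
        elif kind == "ACCESS_DENIED":
            findings.append(f"{user}: access violation on {e.get('path')}")
        elif kind == "TIME_SET":
            findings.append(f"{user}: system clock changed to {e.get('new')}")
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE_LOG)):
        print(finding)
```

Two of the rules depend on events that are often not logged at all: the self-service privilege change (item 9 of this table) and the clock change (item 10). Without those events in the log the corresponding findings cannot be produced, which is the practical reason the checklist asks whether they are recorded.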