Information Type:
Company-Wide Sample Format

RAA - Strawman Risk Analysis

This document is very detailed and, when completed, will provide a complete risk analysis of your company's information security. For obvious reasons "Complete with Purchase" has been inserted in most of the document.

Introduction

This checklist is to be used in lieu of other methods for risk analysis of networked, or multi-user, computer systems that will process company sensitive information. Most questions are structured to elicit a 'yes' answer; a 'no' response usually indicates an inadequate or questionable level of security. 'NO' responses in the final risk analysis document do not necessarily mean your system cannot or will not be approved. However, if any 'NO' response cannot be eliminated, please do the following:

a. Call your Assurance Protection Office (APO) to discuss the importance or security impact of a specific 'NO' answer.

b. Legibly annotate the checklist immediately below each question explaining why you believe that the 'NO' answer will not seriously affect the security posture of the system. If additional space is required please provide this information on a separate piece of paper. Please be sure to reference the question you are explaining.

Items preceded by "(C2)" must be true if the system is to achieve C2 Certification. C2 is a level of security for all Government entities mandated by DOD DIR 5200.28 for all MULTI-USER COMPUTER SYSTEMS. Your company may or may not want to comply with Government standards.

Management

1. Are the Computer System Manager (CSM), Computer
System Security Officer (CSSO), and Network Manager (NM)
aware of their responsibilities? Have they... Complete with Purchase Y N NA

2. Have a Computer System Security Officer (CSSO) and
Network Security Officer (NSO) been appointed in writing
by the using organization to be responsible for the
security of this system? Y N NA

3. Are the CSSO and NSO trained and familiar with the security
plans and procedures? Y N NA

4. Do the security procedures... Complete with Purchase Y N NA

5. Do the communications-computer system security
procedures and security training programs cover the
security needs of all persons accessing the network
computer system? Y N NA

6. Complete with Purchase Y N NA

7. As a result of this assessment, has a contingency plan
been developed? Y N NA

8. Complete with Purchase Y N NA

9. Is the Network Architecture properly documented? Y N NA

10. Complete with Purchase

Physical Security

1. What methods are employed to restrict entry to the
network/computer facility or office (Check Y for methods used)?

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

e. Complete with Purchase Y N NA

f. Electronic badge system? Y N NA

g. Complete with Purchase Y N NA

h. Complete with Purchase Y N NA

i. Complete with Purchase Y N NA

(1) Complete with Purchase Y N NA

(2) Complete with Purchase Y N NA

(3) Complete with Purchase Y N NA

2. Are restricted and controlled area boundaries posted with
signs? Y N NA

3. Complete with Purchase Y N NA

4. Complete with Purchase Y N NA

5. How is access to remote terminals and servers
controlled (check Y)? Y N NA

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

e. Complete with Purchase Y N NA

f. Access point guard? Y N NA

g. Complete with Purchase Y N NA

h. Access list? Y N NA

i. Complete with Purchase Y N NA

j. Complete with Purchase Y N NA

6. Is the equipment arranged to prevent unauthorized
viewing of sensitive company information through
windows, doorways, over partitions, etc.? Y N NA

7. Complete with Purchase Y N NA

8. Complete with Purchase Y N NA

9. Complete with Purchase Y N NA

10. Is the structural security of the facility or office
deficient? Complete with Purchase Y N NA

11. Are magnetic storage media and libraries protected? Y N NA

12. Complete with Purchase Y N NA

13. Complete with Purchase Y N NA

14. Is access to the system's patch panel controlled? Y N NA

Personnel Security

1. Complete with Purchase Y N NA

2. Will visitors be monitored while in the immediate
terminal and/or system/network area? Y N NA

3. Complete with Purchase Y N NA

4. When employees or functional users are relieved of duty
or moved to another job:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

5. Complete with Purchase Y N NA

Information Security

1. Is there a designated central point for receiving and
disseminating sensitive data? Y N NA

2. Complete with Purchase Y N NA

3. Complete with Purchase Y N NA

4. Has someone been designated an accountable custodian for
disseminating and destroying sensitive data? Y N NA

5. Complete with Purchase Y N NA

6. Complete with Purchase Y N NA

7. Complete with Purchase Y N NA

8. Complete with Purchase Y N NA

9. Complete with Purchase Y N NA

10. Do your policies make the customer responsible for:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

11. Are sensitive/critical tapes and disks degaussed or
purged when no longer required by the user? Y N NA

12. Complete with Purchase Y N NA

13. Complete with Purchase Y N NA

14. Complete with Purchase Y N NA

15. Complete with Purchase Y N NA

Network Security

1. Has the sensitivity of... Complete with Purchase Y N NA

2. Does security protection... Complete with Purchase Y N NA

3. Are network configuration changes... Complete with Purchase Y N NA

4. Complete with Purchase Y N NA

5. Complete with Purchase Y N NA

6. Complete with Purchase Y N NA

7. Complete with Purchase Y N NA

8. Complete with Purchase Y N NA

a. Complete with Purchase Y N NA

9. Complete with Purchase Y N NA

10. Are dial-in accesses controlled as follows:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

Software Security

1. Are modifications and updates... Complete with Purchase Y N NA

2. Complete with Purchase Y N NA

3. Are the Network Operating System and its components properly
backed up prior to any modifications? Y N NA

4. Do you control access to data files:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

5. If the multi-user system processes sensitive
company information, does the system provide... Complete with Purchase Y N NA

6. Complete with Purchase Y N NA

7. Does the system provide controls to limit
propagation of access rights? Y N NA

8. Complete with Purchase Y N NA

9. Does the system provide a domain for its own
execution that... Complete with Purchase Y N NA

10. (C2) Complete with Purchase Y N NA

11. Do you use automated audit trails to monitor:

a. (C2) Complete with Purchase Y N NA

b. (C2) Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. (C2) Terminal ID, user ID, time and date, records
accessed? Y N NA

e. (C2) Complete with Purchase Y N NA

f. Complete with Purchase Y N NA

g. (C2) Complete with Purchase Y N NA

h. Complete with Purchase Y N NA

12. Is the number of people who have access to audit trail
information kept to a minimum? Y N NA

13. (C2) Complete with Purchase Y N NA

14. (C2) Are audit files protected to ensure only
authorized access by the CSO? Y N NA

15. Complete with Purchase Y N NA

Complete with Purchase Y N NA

16. Are audit trails... Complete with Purchase Y N NA

17. (C2) Are initial passwords... Complete with Purchase Y N NA

18. (C2) Are passwords... Complete with Purchase, Y N NA

Identification and Authentication?

a. Are passwords at least eight characters in length? Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Are automated passwords changed at least
semiannually? Y N NA

e. Complete with Purchase Y N NA

f. Are users able to... Complete with Purchase Y N NA

19. Does the host system detect... Complete with Purchase Y N NA

20. Complete with Purchase Y N NA

21. Does the CSO receive system configuration
change notices? Y N NA

22. (C2) Has the ST&E included a search for obvious
flaws that would permit unauthorized access to the audit
or authentication data? Y N NA

23. Is the first display a user sees... Complete with Purchase Y N NA

24. Do Network Protocols... Complete with Purchase Y N NA

25. Complete with Purchase Y N NA

26. Does Network software provide... Complete with Purchase Y N NA

27. Is Network software able to... Complete with Purchase Y N NA

Hardware Security

1. Does the network have hardware... Complete with Purchase Y N NA

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

2. Is the system adequately protected from... Complete with Purchase: Y N NA

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

3. Is there backup power available for:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

4. Does the computer room use an approved fire
suppression system? What type _______________________ Y N NA

5. Does this geographic area have a history of:

a. Floods Y N NA

b. Earthquakes Y N NA

c. Hurricanes Y N NA

d. Tornadoes Y N NA

6. Are fire resistant/non combustible materials used for:

a. Buildings Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

7. Complete with Purchase Y N NA

8. Complete with Purchase Y N NA

9. Does adequate... Complete with Purchase:

a. Complete with Purchase Y N NA

b. Complete with Purchase Y N NA

c. Complete with Purchase Y N NA

10. Complete with Purchase Y N NA

11. If dial-in diagnostics are used, are they disconnected
when not in use? Y N NA

12. Complete with Purchase Y N NA

13. Complete with Purchase Y N NA

Procedural Security

1. Has the Computer System Manager... Complete with Purchase Y N NA

2. Do the procedures address each of the following areas:

a. Responsibilities of... Complete with Purchase Y N NA

b. Access controls (i.e. use and protection of passwords,
file access)? Y N NA

c. Complete with Purchase Y N NA

d. Complete with Purchase Y N NA

e. Complete with Purchase Y N NA

f. Maintaining system and configuration control? Y N NA

g. Complete with Purchase Y N NA

h. Complete with Purchase Y N NA

i. Virus checking software on PCs? Y N NA

j. Authorized software. Is this verified at least annually? Y N NA

3. Have these procedures... Complete with Purchase Y N NA

4. Have all users read and certified that
they understand the established security procedures? Y N NA

5. Complete with Purchase Y N NA

6. Does Network Security Policy define... Complete with Purchase Y N NA

7. Are Security Procedures enforced? Y N NA

C2 Certification Requirements

1. (C2) Does each Workstation/PC on the LAN... Complete with Purchase Y N NA

2. (C2) Are network procedures established to periodically
test the proper functioning of... Complete with Purchase Y N NA

3. (C2) Has an ST&E... Complete with Purchase. This would
satisfy the required C2 Security Testing requirement. Y N NA

4. (C2) Have the users been... Complete with Purchase Y N NA

5. (C2) Has a Security... Complete with Purchase Y N NA


SIGN_______________________________________DATE_______________________

NAME__________________________________Organization________________

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: NOV 2002

For the "do it yourself" folks, get the "Complete Security Planning Package". Get all three templates ready for your Information Technology experts to fill in the blanks and answer the questions. Network Security Plan, Risk Analysis Assessment and Security Test and Evaluation: $1,250.00, or purchase any one template for $500.00 each.
