Information Type: Company-Wide Sample Format

STE - Strawman Security, Test, and Evaluation

This sample is a detailed Security Test and Evaluation (ST&E) checklist; when completed it provides a complete ST&E of your company's information security. Because this is a sample of a purchased template, "Complete with Purchase" replaces the text of most items.

Method (the evaluation method used for each item, shown at the end of its line):

A - Analysis
I - Inspection
T - Test
D - Demo

Hardware Utilization

1. Are operations monitored for compliance with schedule for:
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
    c. Complete with Purchase  (Y / N / NA)  Method: I
    d. Complete with Purchase  (Y / N / NA)  Method: I
    e. Complete with Purchase  (Y / N / NA)  Method: I
2. Are all periods of downtime verified?  (Y / N / NA)  Method: I
3. Is a Standard Operating Procedure (SOP) manual used for configuring the system/network hardware for secure operations?  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: A
    b. Complete with Purchase  (Y / N / NA)  Method: A
    c. Complete with Purchase  (Y / N / NA)  Method: A

Remote Terminals (Thin Clients - CITRIX)

4. Complete with Purchase  (Y / N / NA)  Method: I, D, T
    a. Complete with Purchase  (Y / N / NA)  Method: I
5. Complete with Purchase  (Y / N / NA)  Method: A, T
6. Complete with Purchase  (Y / N / NA)  Method: I, D
7. Complete with Purchase  (Y / N / NA)  Method: I
8. Complete with Purchase  (Y / N / NA)  Method: I
9. Complete with Purchase  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
10. Complete with Purchase  (Y / N / NA)  Method: I
11. Complete with Purchase  (Y / N / NA)  Method: I
12. Complete with Purchase  (Y / N / NA)  Method: I, D, T
13. Complete with Purchase  (Y / N / NA)  Method: I
14. Complete with Purchase  (Y / N / NA)  Method: I
15. Complete with Purchase  (Y / N / NA)  Method: I
16. Complete with Purchase  (Y / N / NA)  Method: I, T

Access Control - Network

17. Is access to programs and software systems restricted to a need-to-know basis by file passwords and file permissions?  (Y / N / NA)  Method: I, D, T
    a. Complete with Purchase  (Y / N / NA)
18. Are databases, files or data sets subject to data integrity and/or segregation requirements, so that individual access is controllable?  (Y / N / NA)  Method: I
19. Complete with Purchase  (Y / N / NA)  Method: I, T
20. Complete with Purchase  (Y / N / NA)  Method: I, D
    a. Complete with Purchase  (Y / N / NA)  Method: I, D
21. Complete with Purchase  (Y / N / NA)  Method: I
22. Complete with Purchase  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I
23. Are passwords or similar access controls changed or deleted for an individual user when:
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
    c. Complete with Purchase  (Y / N / NA)  Method: I
24. Whenever more than one site is involved in a network, are the other sites notified when one of the conditions in 23a, b or c occurs?  (Y / N / NA)  Method: I
25. Have persons using access controls been instructed on the regulations pertaining to their responsibilities for the security of ADP information?  (Y / N / NA)  Method: I
26. Complete with Purchase  (Y / N / NA)  Method: I
27. Complete with Purchase  (Y / N / NA)  Method: I, T
28. Complete with Purchase  (Y / N / NA)  Method: I, T
29. Complete with Purchase  (Y / N / NA)  Method: I
30. Where applicable, is a network access revalidation performed at least annually?  (Y / N / NA)  Method: I
31. Complete with Purchase  (Y / N / NA)  Method: I, D, T
32. Do local procedures require that system access and activity be monitored (audit trail)?  (Y / N / NA)  Method: I, D, T
    a. Complete with Purchase  (Y / N / NA)  Method: I, D, T
    b. Complete with Purchase  (Y / N / NA)  Method: I, T
33. Complete with Purchase  (Y / N / NA)  Method: I
34. Can passwords be seen during log-in?  (Y / N / NA)  Method: I, T
35. Complete with Purchase  (Y / N / NA)  Method: I, T
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
36. Is the operating system software protected and controlled against unauthorized modification?  (Y / N / NA)  Method: I
37. Complete with Purchase  (Y / N / NA)  Method: I, T
    a. Complete with Purchase  (Y / N / NA)  Method: I, T
    b. Complete with Purchase  (Y / N / NA)  Method: I
    c. Complete with Purchase  (Y / N / NA)  Method: I, T
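The script below is an added example of how an evaluator might apply the Test (T) method to item 30 above; it is not part of the INTEK template. It takes an export of network access grants, an active-user roster and an assessment date, and lists the grants that have not been revalidated within a year together with the grants held by people who are no longer on the roster. The user names, resource names and dates are constructed sample data, and the decision to judge revalidation against the personnel roster is this example's assumption, not something the template states.

```python
"""Network access revalidation check (checklist item 30, Test method).

Added example, not part of the original template. All records below are
constructed sample data; in a real evaluation they would be exported from
the access-control system and the personnel roster.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple

# Item 30 requires revalidation "at least annually".
REVALIDATION_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class AccessGrant:
    user: str
    resource: str
    granted: date
    last_revalidated: Optional[date]  # None: never reviewed since it was granted


def find_revalidation_gaps(
    grants: Iterable[AccessGrant], active_users: Set[str], as_of: date
) -> Tuple[List[AccessGrant], List[AccessGrant]]:
    """Return (overdue, orphaned).

    overdue:  grants whose last revalidation (or, failing that, the original
              grant date) is more than REVALIDATION_INTERVAL before as_of.
    orphaned: grants whose holder is not on the active roster; these need
              removal rather than revalidation (assumption of this example).
    """
    overdue: List[AccessGrant] = []
    orphaned: List[AccessGrant] = []
    for g in grants:
        if g.user not in active_users:
            orphaned.append(g)
            continue
        last_review = g.last_revalidated or g.granted
        if as_of - last_review > REVALIDATION_INTERVAL:
            overdue.append(g)
    return overdue, orphaned


def checklist_answer(overdue: List[AccessGrant], orphaned: List[AccessGrant]) -> str:
    """Y if every grant is current and held by an active user, otherwise N."""
    return "N" if overdue or orphaned else "Y"


# Constructed sample export (hypothetical users, resources and dates).
ASSESSMENT_DATE = date(2002, 11, 15)
ACTIVE_ROSTER = {"alice", "bob", "carol", "dave"}
SAMPLE_GRANTS = [
    AccessGrant("alice", "payroll-db", date(2001, 3, 1), date(2002, 2, 10)),
    AccessGrant("bob", "payroll-db", date(2001, 6, 15), None),             # never revalidated
    AccessGrant("carol", "hr-share", date(2002, 1, 20), None),             # granted < 1 year ago
    AccessGrant("dave", "hr-share", date(2000, 9, 1), date(2001, 10, 30)), # review lapsed
    AccessGrant("erin", "build-server", date(2002, 5, 5), None),          # erin is not on the roster
]


def evaluate_item_30(grants=SAMPLE_GRANTS, roster=ACTIVE_ROSTER, as_of=ASSESSMENT_DATE):
    """Run the check; return (answer, overdue "user:resource" list, orphaned list)."""
    overdue, orphaned = find_revalidation_gaps(grants, roster, as_of)
    return (
        checklist_answer(overdue, orphaned),
        [f"{g.user}:{g.resource}" for g in overdue],
        [f"{g.user}:{g.resource}" for g in orphaned],
    )


if __name__ == "__main__":
    answer, overdue, orphaned = evaluate_item_30()
    print("Item 30:", answer)
    print("Overdue for revalidation:", overdue)
    print("Held by users not on the roster:", orphaned)
```

The evaluator records the returned answer in the Y/N column and attaches the two lists as the finding. Note that the check only says whether a review happened on time; whether each grant still reflects a need-to-know (items 17 and 18) has to be confirmed with the resource owner.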

ADP Products

38. Complete with Purchase  (Y / N / NA)  Method: I
39. Complete with Purchase  (Y / N / NA)  Method: I
40. Complete with Purchase  (Y / N / NA)  Method: I
41. Complete with Purchase  (Y / N / NA)  Method: I
42. Complete with Purchase  (Y / N / NA)  Method: I, T
43. Complete with Purchase  (Y / N / NA)  Method: I
44. Do policies make the user responsible for reporting all security discrepancies or incidents to the CFM, CSO, CIO, CFO, CEO or their designated representative?  (Y / N / NA)  Method: I, A
45. Complete with Purchase  (Y / N / NA)  Method: I
46. Complete with Purchase  (Y / N / NA)  Method: I
47. When privileged instructions (supervisory, master mode, or control state instructions) are used:  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I, T
    b. Complete with Purchase  (Y / N / NA)  Method: I
48. Complete with Purchase  (Y / N / NA)  Method: I
49. Complete with Purchase  (Y / N / NA)  Method: I

Magnetic Media

50. Is there a procedure for accounting for all:
    a. Fixed mass storage media (disk, core, system files)?  (Y / N / NA)  Method: I, A
    b. Removable mass storage media (disk, tape)?  (Y / N / NA)  Method: I, A
51. Complete with Purchase  (Y / N / NA)  Method: I
52. Complete with Purchase  (Y / N / NA)  Method: I
53. Complete with Purchase  (Y / N / NA)  Method: I, T
54. Complete with Purchase  (Y / N / NA)  Method: I, A, D
55. Complete with Purchase  (Y / N / NA)  Method: I
56. Complete with Purchase  (Y / N / NA)  Method: I

Clearing and Declassification of company data

57. Complete with Purchase  (Y / N / NA)  Method: I, A, D
58. Are the necessary programs, equipment, and procedures available and adequate for the clearing of Automatic Data Processing Equipment (ADPE)?  (Y / N / NA)  Method: I, A, D
59. Complete with Purchase  (Y / N / NA)  Method: I
60. Complete with Purchase  (Y / N / NA)  Method: I
61. Complete with Purchase  (Y / N / NA)  Method: I

Application Programs

62. Are programming changes and maintenance well controlled and documented?  (Y / N / NA)  Method: I
63. Complete with Purchase  (Y / N / NA)  Method: I
64. Complete with Purchase  (Y / N / NA)  Method: I

Communications Security (COMSEC)

65. Do all communications links meet... Complete with Purchase  (Y / N / NA)  Method: I
66. Is there a positive... Complete with Purchase  (Y / N / NA)  Method: I, T
67. Complete with Purchase  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I

Physical-Personnel Information Access Control

68. Is access to the computer facility restricted to selected personnel who have a justifiable need to be there?  (Y / N / NA)  Method: I
69. Complete with Purchase  (Y / N / NA)  Method: I
70. Complete with Purchase  (Y / N / NA)  Method: I
71. Are escorts provided for maintenance personnel who are not appropriately cleared?  (Y / N / NA)  Method: I
72. Complete with Purchase  (Y / N / NA)  Method: I
73. Complete with Purchase  (Y / N / NA)  Method: T
    a. Complete with Purchase  (Y / N / NA)  Method: I, D, T
74. Complete with Purchase  (Y / N / NA)  Method: I

People - Organization

75. Have individuals been designated to be responsible for computer security?  (Y / N / NA)  Method: I
76. Complete with Purchase
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
77. Are individuals who are in a position to commit errors or perpetrate irregularities kept out of any position that would enable them to conceal those errors or irregularities?  (Y / N / NA)  Method: I
78. Is there an active Education, Training and Awareness Program?  (Y / N / NA)  Method: I
79. Complete with Purchase  (Y / N / NA)  Method: I
80. Complete with Purchase  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I, T, D

Configuration Management

81. Is the security hardware and software configuration recorded for:
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
82. Is approval required for hardware and software configuration changes?  (Y / N / NA)  Method: I
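The script below is an added example, not part of the INTEK template, of one way to test items 81 and 82 above (and item 36, protection of the operating system software against unauthorized modification) rather than only inspecting paperwork. It records a manifest of SHA-256 hashes for the files that make up a system's security-relevant configuration, takes a second snapshot later, and reports every added, removed or modified file that has no matching change-approval record. The directory tree, file contents and the approved-change list are constructed inside a temporary directory for the demonstration; the file names are hypothetical and the approval list stands in for whatever change-control records the organization keeps.

```python
"""Configuration baseline check for checklist items 36, 81 and 82.

Added example, not part of the original template. The configuration tree
and the list of approved changes are constructed here for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Manifest {relative path: sha256} of every regular file under root.

    This is the record item 81 asks for; store it off the host (or signed),
    since a manifest kept on the same system can be edited along with the files.
    """
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def unapproved_changes(delta: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Changed paths with no change-approval record (item 82). Empty list means Y."""
    changed = set(delta["added"]) | set(delta["removed"]) | set(delta["modified"])
    return sorted(changed - approved)


def demo() -> Dict[str, object]:
    """Build a constructed config tree, baseline it, change it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc" / "audit.rules").write_text("-w /etc/passwd -p wa -k identity\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline = snapshot(root)  # recorded configuration (item 81)

        # Approved change (hypothetical change ticket covers etc/audit.rules).
        (root / "etc" / "audit.rules").write_text(
            "-w /etc/passwd -p wa -k identity\n-w /etc/shadow -p wa -k identity\n"
        )
        # Unapproved changes: a hardening setting reverted, a file added, a file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "etc" / "rc.local").write_text("ntpdate pool.ntp.org\n")
        (root / "etc" / "hosts.allow").unlink()

        current = snapshot(root)
        delta = diff_manifests(baseline, current)
        approved = {"etc/audit.rules"}  # constructed change-control record
        return {"delta": delta, "unapproved": unapproved_changes(delta, approved)}


if __name__ == "__main__":
    result = demo()
    print("Delta vs. recorded baseline:", result["delta"])
    print("Changes without approval (item 82 -> N if non-empty):", result["unapproved"])
```

For item 36 the same manifest is taken over the operating system's binaries and boot files instead of the configuration directory. The check is only as trustworthy as the baseline's storage: keep the manifest off the evaluated host, and re-baseline only after the change has an approval record, otherwise an unapproved change is silently accepted into the next comparison.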

Network Security

83. Complete with Purchase  (Y / N / NA)  Method: I
84. Complete with Purchase  (Y / N / NA)  Method: I
    a. Complete with Purchase  (Y / N / NA)  Method: I
    b. Complete with Purchase  (Y / N / NA)  Method: I
85. Complete with Purchase  (Y / N / NA)  Method: I
86. Complete with Purchase  (Y / N / NA)  Method: I
87. Complete with Purchase  (Y / N / NA)  Method: I
88. Did the Network Manager (NM) approve the initial connection and continued operation of remote terminals and workstations?  (Y / N / NA)  Method: I
89. Did the NM conduct a network risk analysis?  (Y / N / NA)  Method: I
90. Complete with Purchase  (Y / N / NA)  Method: I
91. Complete with Purchase  (Y / N / NA)  Method: I
92. Does the NM recertify the adequacy of network security at least every three years or upon significant modification?  (Y / N / NA)  Method: I
93. Complete with Purchase  (Y / N / NA)  Method: I
94. Is all network security training documented?  (Y / N / NA)  Method: I
95. Complete with Purchase  (Y / N / NA)  Method: I
96. Complete with Purchase  (Y / N / NA)  Method: I
97. Is the Network Security Officer (NSO) appointed in writing for all remote areas NOT under the NSM's management control?  (Y / N / NA)  Method: I
98. Complete with Purchase  (Y / N / NA)  Method: I, T
99. Complete with Purchase  (Y / N / NA)  Method: I

 

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: NOV 2002

For do-it-yourself users, the "Complete Security Planning Package" contains all three templates, ready for your Information Technology staff to fill in the blanks and answer the questions: Network Security Plan, Risk Analysis Assessment, and Security Test and Evaluation. The package is $1,250.00; any single template is $500.00.
