It risk Assessment Document
Date conversion 28.01.2017 Size 52.02 Kb.
Who are the system administrator(s)?
List the system administrator’s duties and responsibilities.
Is there a backup administrator?
What skills requirements and development exists for administrator(s)?
What is the relationship between system administrator and security admin?
What types of background checks are conducted on IT employees? Is this conducted with HR? Do IT employees sign confidentiality agreements?
For Security/Compliance Administration versus system administration- is it the same people/procedures?
What are the technical staff termination procedures/deprovisioning procedures?
1. What types of Build Guides are in Use?
Do they include both servers and workstation?
Do security configuration checklists exist for both servers and workstations?
2. Are automated build, deployment, checking procedures in use?
3. What are the practices and training for configuring equipment?
4. Are unnecessary services and ports turned off?
5. Are default usernames and admin passwords changed?
6. Is there strong authentication, if so, elaborate.
7. Do application and db admins have restrictions or limits on system rights?
8. Are backups are routine and encrypted?
9. Is there a server inventory?
10. Is there an inventory of devices?
Does a list of all vendors with access rights exist?
What processes are in place to sponsor vendors (Each vendor must be owned by a designated individual- Sys or app admin)?
Are individuated access control lists in place?
Do vendors follow config/change management procedures?
Are vendor access logs by individual reviewed annually?
Do vendors have system rights?
Do vendors have constraints on physical access to systems? Does this include escorts?
Are remote communications encrypted?
Do Maintenance Plans exist for:
What are the automated patch management procedures?
What are the automated AV management procedures?
Do Monthly checks exist for lagging servers (patch/AV) or at risk devices?
What are the exception tracking procedures?
Are there limitations to remote access (specific ports, authentication, remote device security, and encryption)?
What are the “break glass” access procedures?
Is there a prohibition on shared access accounts?
Are there written standards for escalating maintenance changes to change control process?
Is there an inventory of monitoring, log management, and alerting tools?
What procedures exist to monitor patch management and AV management?
Are server configuration integrity checks run on a routine basis? What is the timeframe?
What type of routine server vulnerability monitoring- such as Nessus- exists?
Does a process that includes performance monitoring of servers with documented alert triggers and escalation procedures exist?
Are security logs maintained for 60 days?
7. Do logs contain :
Successful and unsuccessful access attempts
or services accessed
Network addresses/ports and protocols
Activation of security tools
8. What type of intrusion detection exists?
Are there procedures in place for Post intrusion prevention triggers and alerts based on anomalies in security logs?
Is a risk assessment conducted and are security controls documented according to risk?
Are new applications and services are reviewed for security risk?
Does staff have designated individuals for addressing user security questions and issues?
Are security policies and standards reviewed biannually and are additional security controls deployed as needed?
Does IT staff discourage users from using unencrypted USB drives or other mobile media?
Do the password policies for users conform to standards?
Are there more stringent password settings for system administrators- such as multifactor authentication or 15 character passwords?
Are there prohibitions against unencrypted laptops or personal electronic devices?
Are the procedures for terminating user accounts are coordinated with HR and enterprise systems? What is the timeframe for removing user accounts? What is the timeframe for terminating admin accounts? Are admin accounts annually recertified?
1. Does a documented change management procedure exist?
2. Is the IT staff briefed on change management processes biannually?
3. Are stakeholders identified and communications prior to change requests?
4. Are change requests reviewed and communicated with appropriate IT and business units?
5. Are problematic changes are reviewed? Do informal cm processes for root causes and lesson learned exist?
6. Are vendors, business partners, and other entities expected to follow CM processes?
7. Do CM procedures require documented testing plans?
8. Do processes include coordination, test dev, and prod data and systems as part of testing plan?
9. Are there prohibitions on testing on production systems? Is testing on prod data discouraged, limited and documented?
Do documented procedures exist for identifying and classifying problems (e.g. usability or interfaces)? What are the procedures?
Do customers and partners have channel for communicating problems?
What are the documented procedures for escalating problems and events to incidents?
Are incident handlers identified based on type and scope of incidents?
Does an incident policy and procedure exist, and is it documented?
Are incident post mortems are conducted? Are remediation actions planned and deployed?
End Of life-
Is there an inventory of applications and services near EOL?
Do migration plans for EOL systems including maintenance and support exist?
What data migration plans for EOL including formats, structures exist?
Are device disposal procedures followed with respect specifically environmental and confidentiality controls?
Are all server hard drives wiped or destroyed? What type of documentation exists for the destruction?
Is there a process is in place to destroy Workstation hard drives?
Do contractual or procedural controls for digital media disposition (e.g. photocopiers, printers, PED, etc) exist?
What types of routine communications on EOL and disposal to affected units exist?
Physical Security and Devices-
Is there a software package for monitoring system and/or user activity? What is it? What does it monitor?
What is the extent of vendor support (i.e., on-site, off-site, warranty coverage, extended hours, and system maintenance agreements)?
3. What security controls exist for data centers?
What security controls are in place for network closets?
4. Is authorization required for access to sensitive areas? Are there logs for visitors to data centers that include – date time, name, organization represented, and authorizing employee?
Are access rights reviewed annually?
5. Are Critical facilities out of public site and not be mapped for public access? Is video monitoring should be routinely reviewed?
Is there a DR plan? Does it include the inventory of hardware and software assets?
What is the date of the last DR test?
Does the DR plan include a Recovery Time Objective (RTO), and a Recovery Point Objective?
Is the DR plan coordinated with the Hopkins DR plan?
Is the DR plan linked to the BCP plan(s)?
Does the network policy include the acceptable use of network services? Network authorization procedures?
What type of network segmentation exists?
Is NAT or PAT in use?
Where are the firewalls located?
Is there a formal firewall policy in place? Is it reviewed against the IDS and IPS?
Is there filtering between the DMZ and the production network?
Are there testing processes in place for Web applications (such as SQL injection, XSS)?
What processes monitor database activity?
What policies are in place for email? Are there email checks on the gateway?
What restrictions are in place for numbers of email sent (assists in preventing spam)?
Are there procedures for internal or external penetration testing of the infrastructure?
Is remote administrative access limited to certain IP addresses?
Are users trained in acceptable use procedures? If yes, explain the process.
What type of encryption exists on the wireless network?
Is there a wireless guest network?
Is there a process to monitor for unauthorized WAP’s?
The database is protected by copyright ©ininet.org 2016