Published on: Office of the Chief Information Officer
141.10 Appendix A - IT Security Checklist
Introduction
To protect IT assets and data in an effective manner, an agency must identify necessary security controls in the planning phase of new development and maintenance efforts. These security controls must be accounted for in project budgets and schedules. Business and technical leaders can influence a system's IT security risks, corresponding controls, and cost.
This is accomplished by planning early for the type and sensitivity of data involved, the profiles of allowed users, and the architecture of the application and IT infrastructure.
Purpose
This IT Security Checklist provides a structured and uniform method to help agency business and technical leaders:
1. Understand the controls needed to comply with the IT security standards based on the system's data, users and architecture.
2. Finalize the cost, resource, and schedule estimates of the security controls for inclusion in agency budgets and schedules.
3. Anticipate the user's experience to obtain security credentials and access the system.
4. Conduct a management discussion on the above to optimize system value, cost, security, and the user experience.
Using the IT Security Checklist
This IT Security Checklist is used as required in Section 1.5(3) of the IT security standards. The IT Security Checklist is completed by the applicable technical groups in the agency, including the IT security staff. It is discussed and agreed upon by the business sponsor with the IT security and technology leadership.
The IT Security Checklist contains three sections:
Section 1 - Agency and System Characteristics
This section identifies the main characteristics of the agency and system that affect IT security risk and corresponding controls.
Section 2 - Agency-wide IT Security Controls That Protect the System Under Review
This section surfaces security controls that protect agency-wide IT infrastructure and all systems, as they pertain to the system under review. Update Section 2 when significant changes are made to the agency's IT infrastructure or organizational security practices.
Section 3 - System Specific Security Controls
This section surfaces security controls that protect the specific application, system, or IT infrastructure under review. Complete Section 3 for each application/system in the planning stage for new development and maintenance.
Agencies shall take steps to provide sufficient controls in every IT Security Functional Area.
Section 1 - Agency and System Characteristics
Instructions: This section describes the system-related information used to characterize the specific IT application/system and IT operational environment. For the IT application/system environment under review, please identify the following:
1. Application/System Name:
2. Application/System purpose or mission:
3. How important is the system to the user organization's mission?
4. What information is generated by, consumed by, presented by, processed on, stored in, and retrieved by the system?
5. How important is the information to the user organization's mission?
6. Where specifically is the information processed and stored? (such as a data center, laptop, etc.)
7. What is the potential negative impact on the organization if the information is disclosed to unauthorized personnel?
8. Users of the system: (May include the identification of the roles or classes of users, such as, but not limited to:
a. Administrator.
b. Internal Users.
c. External Users.)
9. Hardware: (such as mainframe, server, etc.)
10. Software: (such as operating system, RDBMS, Java Runtime engine, browser, etc.):
11. System interfaces:
12. Operational Protocols: (such as TCP/IP, VoIP, SSL, etc.)
13. Port Use Requirements:
14. Physical security environment of the IT system:
Instructions: This section is designed to help you determine whether your agency has a high, medium, or low reliance on Information Technology (IT).
Scoring: very low = 0; low = 1; medium = 2; high = 3; very high = 4
State Agency Characteristics and Reliance on IT / Score
15. Annual budget of the entire agency:
Less than $10 million = very low
$10 million to $100 million = low
$100 million to $250 million = medium
$250 million to $500 million = high
More than $500 million = very high
16. Number of employees:
Less than 50 employees = very low
50 to 100 employees = low
100 to 1,000 employees = medium
1,000 to 5,000 employees = high
More than 5,000 employees = very high
17. Dependence upon information technology systems and the Internet to offer services to customers, run outreach programs, conduct research, and support services
18. Value of the agency's intellectual property stored or transmitted in electronic form
19. Impact of major system downtime on operations
20. Degree of change within the agency (expansions, reorganizations, etc.)
21. Impact to your agency's operations from an Internet outage
22. Dependency on multi-site operations
23. Plans for multi-site operations (e.g. outsourced business functions, multiple locations, new collaborations)
24. Potential impact to national or critical IT infrastructure in case of outage, interruption, or compromise of your systems
25. Stakeholder and customer sensitivity to security and privacy
26. Level of regulation regarding security and privacy (e.g. HIPAA, FERPA, GLBA, Sarbanes-Oxley, PCI DSS, other applicable federal or state laws or regulations)
27. Negative impact on reputation of a security incident (negative press, political pressure, etc.)
28. Extent of operations dependent upon third parties (contractors, business partners, suppliers)
29. Does your agency have business programs in a politically sensitive area that may make it a target of a violent physical or cyber attack from any group?
Section 2 - Agency-wide IT Security Controls That Protect the System Under Review
Instructions: Use the tables below to analyze agency IT development and maintenance projects for compliance with each functional area of the IT security standards. If a section of the Standard is not fully satisfied in the agency or project, list the additional control(s) necessary to comply and the associated cost, resource, and schedule estimates for each control. Update Section 2 when significant changes are made to the agency's IT infrastructure or organizational security practices.
For example:
4.4 Secure Data Transfer
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
1. Encrypt Category 3 data in transit to cities.
Cost: $5,000; Schedule: 2 weeks; Resources: 1 developer, 1 server certificate
2. Encrypt Category 4 data in transit to the federal government.
Cost: $3,000; Schedule: 1 week; Resources: 1 developer, 1 server certificate
Estimated Cost: / $8,000
3 Physical and Environmental Protection
3.1 Facilities
Controls related to physical access to systems as well as safeguards against threats to the environment in which the system operates.
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5 Network Security
Controls related to the system's or application's specific connection to the network.
5.1 Secure Segmentation
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.2 Restricted Services
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.3 External Connections
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.4 Wireless Connections
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.5 Security Patch Management
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.6 System Vulnerabilities
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.7 Malicious Software Protection
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5.8 Mobile Computing
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
8 Operations Management
Controls related to IT functions and processes that affect the ongoing operations and maintenance of a system.
8.1 Change Management
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
8.2 Asset Management
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
8.3 Media Handling and Disposal
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
8.4 Data and Program Backup
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
9 Electronic Commerce
Related to the risk of using the Internet and other electronic transactions to conduct state business with other public entities, citizens, and businesses.
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
11 Incident Response
Controls related to the effectiveness of the detection, isolation, eradication, and recovery phases of security incidents.
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
Section 3 - System Specific Security Controls
Instructions: This section surfaces security controls that protect the specific application or system under review. Complete Section 3 for each application/system in the planning stage for new development and maintenance.
4 Data Security
Controls related to the inherent value of the type of data handled by a system, and its potential for harm if compromised.
4.1 Data Classification - Check below the Data Category(ies) relevant to the information impacted by the system.
Category 1 - Public: Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls.
Category 2 - Sensitive: Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested.
Category 3 - Confidential: Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:
a. Personal information about individuals, regardless of how that information is obtained.
b. Information concerning employee payroll and personnel records.
c. Information regarding IT infrastructure and security of computer and telecommunications systems.
Category 4 - Confidential with special handling: Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:
a. Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements.
b. Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
4.2 Data Sharing
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
4.3 Secure Management and Encryption of Data
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
4.4 Secure Data Transfer
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
5 Network Security
Controls related to the system's or application's specific connection to the network.
5.1 Secure Segmentation
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
6 Access Security
Controls related to user account management and logical access controls.
6.1 Access Management
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
6.2 Password Requirements
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
6.3 Authentication
Describe the level of authentication required, the anticipated user experience, and the impact on customer convenience and on system users:
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
Declare the Authentication Type(s) used by checking the box(es) below:
Anonymous
No specific network or application level security requirements.
Type 1 - External
Access to category 1 data, if authenticated (not anonymous), requires authentication via the SecureAccess® Washington infrastructure (OCIO Identity Management User Authentication Standards 7/10/2008) with the following controls:
Requires User ID and hardened passwords as defined in Section 6.2(4).
Password expiration period not to exceed 24 months.
Type 2 - External
Access to category 2 data, or to a single category 3 record belonging to the individual, requires authentication via the SecureAccess® Washington infrastructure (OCIO Identity Management User Authentication Standards 7/10/2008) with the following controls:
Requires User ID and hardened passwords as defined in Section 6.2(4).
Password expiration period not to exceed 24 months.
Type 3 - External
Access to category 3 data, or to a single category 4 record belonging to the individual, requires authentication via the SecureAccess® Washington infrastructure (OCIO Identity Management User Authentication Standards 7/10/2008) with the following controls:
Requires a hardened password as defined in Section 6.2(4). Password expiration period not to exceed 13 months.
Requires multi-factor authentication supported by SecureAccess® Washington.
Type 4 - External
Access to category 4 information requires multi-factor authentication via the SecureAccess® Washington or Transact™ Washington infrastructure (OCIO Identity Management User Authentication Standards 7/10/2008) with the following controls:
Requires two-factor authentication using hardware or software tokens or digital certificates.
Requires that the individual prove, through a secure, encrypted authentication protocol, control of the hardware or software token or digital certificate: the token is first unlocked with a password, PIN or biometric, and the secure authentication protocol then establishes two factors of authentication.
Type 5 - External
Employee and contractor access to agency resources or the SGN via common remote access methods requires two-factor authentication with the following controls:
Requires that the individual prove, through a secure, encrypted authentication protocol, control of a hardware or software token: the token is first unlocked with a password, PIN or biometric, and the secure authentication protocol then establishes two factors of authentication.
Type 6 - External
Authenticated access that does not meet the criteria outlined in the OCIO Identity Management User Authentication Standards 7/10/2008 requires the following minimum controls:
Requires a hardened password as defined in Section 6.2(4) or stronger authentication.
Password expiration not to exceed 120 days.
Additional controls documented in the agency IT Security Program.
Type 7 - Internal
Access to category 4 data and below requires authentication via the Enterprise Active Directory infrastructure (OCIO Identity Management User Authentication Standards 7/10/2008) with the following controls:
Requires User ID and hardened passwords as defined in Section 6.2(5).
Password expiration period not to exceed 120 days.
Type 8 - Internal
Access to system administration functions requires the following controls:
Requires a discrete account used only for interactive system administration functions.
Where passwords are employed as an authentication factor: requires a hardened password as defined in Section 6.2(5) with an extended password length of 16 characters. Password expiration period not to exceed 60 days.
Type 9 - Internal
Accounts used for system service, daemon or application execution (service accounts) require documentation in the agency security program and the following controls:
Requires a discrete account used only for the defined privileged functions, and never used by an individual.
Requires a hardened password as defined in Section 6.2(5) with an extended password length of 20 characters.
Password expiration requirements must be documented in the agency security program.
The principle of least privilege must be employed when determining access requirements for the account.
Type 10 - Internal
Authenticated access that does not meet the criteria outlined in the OCIO Identity Management User Authentication Standards 7/10/2008 requires the following minimum controls:
Requires a hardened password as defined in Section 6.2(5) or stronger authentication.
Password expiration not to exceed 120 days.
Additional controls documented in the agency IT Security Program.
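The internal authentication types above (Types 7 to 10) state controls that can be audited against a directory export: maximum password age (120 days for ordinary users, 60 days for administrative accounts), extended password length (16 characters for administrative accounts, 20 for service accounts), a discrete account used only for interactive administration, service accounts that are documented, never used by an individual, and granted only the rights their function needs. The following Python script is an added example, not part of the OCIO checklist or standard, that evaluates constructed account records against those controls. "Hardened password as defined in Section 6.2(5)" is not defined on this page, so only length and age are checked; the base length of 8 for ordinary user accounts, reading "extended password length of 16/20 characters" as a minimum, the 365-day maximum age for service accounts (which the standard leaves to the agency security program) and every account record are assumptions.

```python
"""Audit internal accounts against the Type 7-10 controls (added example, not OCIO code)."""
from dataclasses import dataclass
from datetime import date

# Controls taken from the Type 7-10 text. The user base length of 8 is ASSUMED
# (6.2(5) is not reproduced here); 16 and 20 are read as minimum lengths.
MIN_LENGTH = {"user": 8, "admin": 16, "service": 20}
MAX_AGE_DAYS = {"user": 120, "admin": 60}   # Type 7/10: 120 days; Type 8: 60 days
# Type 9 leaves the service-account expiration to the agency security program,
# so the caller passes that documented maximum (assumed 365 days below).


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                                  # "user" (Type 7/10), "admin" (Type 8), "service" (Type 9)
    password_length: int
    password_set: date                         # date the current password was set
    uses: frozenset                            # what the account is actually used for
    documented: bool = True                    # Type 9: listed in the agency security program
    rights: frozenset = frozenset()            # rights actually granted
    required_rights: frozenset = frozenset()   # rights the documented function needs


def audit_account(acct, today, service_max_age_days):
    """Return the list of control violations for one account; an empty list means compliant."""
    if acct.kind not in MIN_LENGTH:
        return [f"unknown account kind {acct.kind!r}"]
    findings = []

    # Length and age apply to every kind; the limits differ by kind.
    if acct.password_length < MIN_LENGTH[acct.kind]:
        findings.append(f"password length {acct.password_length} below minimum {MIN_LENGTH[acct.kind]}")
    max_age = MAX_AGE_DAYS.get(acct.kind, service_max_age_days)
    age = (today - acct.password_set).days
    if age > max_age:
        findings.append(f"password age {age} days exceeds {max_age} days")

    # Type 8: the admin account must be used for interactive administration only.
    if acct.kind == "admin" and acct.uses != {"interactive-admin"}:
        other = ", ".join(sorted(acct.uses - {"interactive-admin"})) or "nothing"
        findings.append(f"admin account is not discrete: also used for {other}")

    # Type 9: documented, never used by a person, least privilege.
    if acct.kind == "service":
        if not acct.documented:
            findings.append("service account not documented in the agency security program")
        if acct.uses != {"service"}:
            other = ", ".join(sorted(acct.uses - {"service"})) or "nothing"
            findings.append(f"service account used by an individual: {other}")
        excess = acct.rights - acct.required_rights
        if excess:
            findings.append("least privilege violated, excess rights: " + ", ".join(sorted(excess)))
    return findings


def audit_all(accounts, today, service_max_age_days):
    """Map each account name to its list of findings."""
    return {a.name: audit_account(a, today, service_max_age_days) for a in accounts}


# Constructed sample export (not real accounts). Audit date fixed so results are reproducible.
AUDIT_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "user", 12, date(2023, 12, 1), frozenset({"email", "line-of-business"})),
    # Admin account shared with daily e-mail, short password, 77 days old: three findings.
    Account("jdoe-adm", "admin", 14, date(2023, 12, 15), frozenset({"interactive-admin", "email"})),
    # Undocumented service account holding a right its function does not need.
    Account("svc-backup", "service", 24, date(2023, 9, 1), frozenset({"service"}), documented=False,
            rights=frozenset({"backup-operator", "domain-admin"}),
            required_rights=frozenset({"backup-operator"})),
    # Service account an administrator also logs on with interactively.
    Account("svc-web", "service", 20, date(2024, 2, 1), frozenset({"service", "interactive-admin"}),
            rights=frozenset({"iis-apppool"}), required_rights=frozenset({"iis-apppool"})),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS, AUDIT_DATE, 365).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against a real directory export, the same rules would be fed from the export's password-last-set and group-membership fields; the script deliberately reports every violation for an account rather than stopping at the first, because the checklist asks for a cost and schedule estimate per missing control.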
6.4 Remote Access
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
7 Application Security
Controls related to the design, development, deployment, and ongoing maintenance of applications.
7.1 Planning and Analysis
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
7.2 Application Development
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
7.3 Application Maintenance
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
7.4 Vulnerability Prevention
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
7.5 Application Service Providers
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
10 Security Monitoring and Logging
Controls related to monitoring processes and mechanisms for assessing ongoing compliance with security requirements, as well as the capture of data for reconstruction of security-relevant events.
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
10.3 Intrusion Detection and Prevention
Are the requirements in this section currently satisfied for this project? / Yes  No  N/A
Additional controls and estimates:
Estimated Cost:
Total Estimated Cost: