End User Report Questions
1. Are passwords constructed in accordance with TAMU SAP 29.01.03.M1.14 Password-based Authentication? [Ref: 202.70(1) , 202.75(3)(D) , 29.01.03.M1.14]
2. Are requirements for password expiration determined in accordance with TAMU SAP 29.01.03.M1.14 Password-based Authentication? [Ref: 202.70(1) , 202.75(3)(D) , 29.01.03.M1.14]
3. Are all passwords treated as confidential, encrypted in storage, never transmitted as plain text, and changed immediately if confidentiality is in doubt? [Ref: 202.70(1) , 202.75(3)(D) , 29.01.03.M1.14]
4. Do individuals that control right-to-use privileges for systems attached to the network ensure only authorized persons are granted access? [Ref: 202.70(1) , 202.75(1) , 29.01.03.M1.12]
5. Are accounts locked out after no more than 7 failed login attempts, where possible? [Ref: 202.70(1), 202.75(1) , 29.01.03.M1.14]
6. For computing devices located in unattended areas, are password-protected screensavers or auto-logoff functions enabled? [Ref: 202.70(1) , 202.75(1) , 29.01.03.M1.14]
Physical Environment
7. Are portable computing and storage devices containing confidential information physically secured when unattended, using appropriate means? [Ref: 202.70(1) , 202.75(2)(A), 29.01.03.M1.16]
Platform Management
8. Where appropriate, are portable computing devices (A) patched and updated, (B) protected from malware, and (C) protected by a personal firewall? [Ref: 202.70(1) , 202.70(5), 29.01.03.M1.16]
9. Have security measures been implemented in a manner that will meet the requirements for confidentiality, integrity, and availability of the information being stored or processed? [Ref: 29.01.03.M1.20, 29.01.03.M1.20]
10. For susceptible platforms, is software to safeguard against malicious code (A) installed, (B) enabled, (C) functioning, (D) where possible, set to automatically update, (E) neither disabled nor bypassed, and (F) not altered in a manner that will reduce the effectiveness of the software, including the frequency of updates? [Ref: 202.70(1) , 202.70(5) , 29.01.03.M1.23]
11. Is all software appropriately licensed and does the unit possess proper documentation to validate licensing? [Ref: 202.70(3) , 29.01.03.M1.05]
12. If applications supporting peer-to-peer networking are used, are they configured to disallow automatic/unintended file sharing? In addition to P2P file sharing software, this includes but is not limited to Windows file sharing without password protection and other systems with unauthenticated and/or unrestricted uploading and/or downloading capabilities. [Ref: 202.70(1), 202.70(3), 29.01.03.M1.25]
Data Protection
13. Is encryption used when confidential or sensitive data is transmitted as an email message or through a web email program? [Ref: 202.70(1) , 202.75(4)(A) , 29.01.03.M1.31]
14. Is encryption used when confidential or sensitive data is transmitted (A) to or from a site not on the campus network or (B) over the Internet? [Ref: 202.70(1) , 202.75(4)(A) , 202.75(4)(B), 29.01.03.M1.31]
15. Are portable computing and storage devices containing confidential information protected by passwords or other means to prevent unauthorized access? [Ref: 202.70(1) , 202.75(2)(A) , 29.01.03.M1.16]
16. Is confidential information stored on portable computing or storage devices encrypted with an appropriate technique? [Ref: 202.70(1) , 202.75(2)(A) , 202.75(4)(C) , 29.01.03.M1.16]
17. When confidential information is accessed remotely by portable computing devices (e.g., dial-in, broadband, wireless), is encryption used to protect information in transit (e.g., SSL, secure FTP, VPN, WPA)? [Ref: 202.70(1) , 202.75(4)(A) , 29.01.03.M1.16 , 29.01.03.M1.30]
18. Are all data files scanned on an annual basis to determine if SSNs are present, where technologically feasible? [Ref: 202.70(1) , 202.75(2)(A) , 29.01.03.M1.29]
19. What scanning product or methodology is used? [Ref: 202.70(1) , 202.75(2)(A), 29.01.03.M1.29]
20. If SSNs are found during scanning, or known to be present, are they either (A) removed or (B) secured using appropriate risk mitigation measures (e.g., encryption) [Ref: 202.70(1), 202.75(4)(D) , 29.01.03.M1.29]
21. Have all SSNs to be retained and stored been reported via the process described in 29.01.03.M1.29? [Ref: 202.70(1) , 29.01.03.M1.29]
22. Have all SSNs to be retained and stored been approved, as per the process described in 29.01.03.M1.29? [Ref: 202.70(1) , 29.01.03.M1.29]