a practitioner's approach for developing information security policy (166238322)

7/29/2019 A Practitioner's Approach for Developing Information Security Policy (166238322)

http://slidepdf.com/reader/full/a-practitioners-approach-for-developing-information-security-policy-166238322 1/12



of 12

Department: System Name or Description:

Department Head Signature (digital): to be signed once checklist is complete

Security Checklist Instructions All persons assessing checklist items must be added to the list below. When a line item is assessed, the assessor adds his or her initials along with an indication

of the degree of compliance: “yes” for full compliance, “no” for noncompliance, “part” for partial compliance. Where partial compliance is indicated, assessors

should describe the level of compliance using the space provided on the last page of this form.

Assessors: Supply initials followed by full name and department if different from above (e.g. “JQP – John Q. Public” or “MJG – Mary Glick – University Technology Services”)



of 12

Section 1 – System Management 1.1 – Define ownership and appropriate use

Item Weight Initials/Compliance 1.1.1 [i]7.1.1

Assets

documented:

application

software

used

for

University

data

H 1.1.2 [i]7.1.1 Assets documented: university data identified by sensitivity and authoritative Data Steward H

1.1.3 [i]7.1.1 Assets documented: computer equipment H 1.1.4 [i]7.1.2 Ownership and responsibility for assets are documented and periodically reviewed M 1.1.5 [p]12.3.3 Personnel with access to assets are documented M 1.1.6 [p]12.3.4 Devices are labeled to indicate owner, contact info, and purpose L 1.1.7 [i]7.1.1 Assets documented: computing and communication services rec

1.2 –

Information

backup

Item Weight initials/compliance

1.2.1 [i]10.5.1 Backup copies of information and software are made M 1.2.2 [i]10.5.1 Backup copies of sensitive data are securely encrypted H 1.2.3 [i]10.5.1 Backup plan includes: define level of backup information, keep accurate records of backups made, plan

granularity (full/differential, frequency), keep backup media off site, protect backup media, test backup media,

test restore procedures

L

1.2.4 [p]9.5 Observe offsite storage facility to verify security and confirm annual review L 1.3 – Logging

Item Weight initials/compliance 1.3.1 System time is accurately synchronized (e.g. with NTP) M 1.3.2 Security‐relevant events are logged: user activity, critical system changes, critical data changes M 1.3.3 Daily review of logs by manual or automated means L 1.3.4 Keep logs for at least 3 months L 1.3.5 Keep logs for at least 12 months rec 1.3.6 Real

‐time

log

review

rec

1.3.7 [p]10.1 Establish process to link access to user id rec 1.3.8 [p]10.2.2 Establish audit trail for all actions of admin users rec 1.3.9 [p]10.2.7 Log creation and deletion of system objects rec

1.3.10 [p]10.3 Record these data for each event logged (where relevant): user id, event type, data and time,

success/failure, origination, identify affected items

rec 1.3.11 [p]10.7 Retain audit trails for at least 12 months rec



of 12

1.4 – Password Management Item Weight initials/compliance

1.4.1 [i]11.2.3 Passwords must be stored encrypted or hashed H 1.4.2 [i]11.2.3 Vendor default passwords are changed as soon as practical H 1.4.3 [i]11.2.3

User

identity

is

verified

prior

to

processing

password

set/reset

H

1.4.4 [i]11.2.3 Users sign statement of password confidentiality M 1.4.5 [i]11.3.1 Users required to follow good security practices in selecting and using passwords M 1.4.6 [i]11.2.3 Any passwords provided to users must be complex and unique, must be communicated to user securely,

and must be changed by user on first login

M 1.4.7 [p]2.1 Change vendor default identifiers, such as SNMP community string, SSID, encryption keys M

1.5 – OS Secure Authentication Item Weight initials/compliance

1.5.1 [i]11.5.1 OS login process includes: no display of password during entry, no cleartext transmission of password H 1.5.2 [p]10.2.5 Logging of OS authentication success/failure M 1.5.3 [p]8.5.13,14 Lock out account after at most 6 consecutive unsuccessful login attempts. lock‐out for at least 30

minutes

M 1.5.4 [i]11.5.1 OS login process includes: no display of system/application identifiers until logon successful, displays a

warning about unauthorized access, no help messages during logon, validate credentials only after all inputs are

received, display previous logon upon successful logon

L

1.5.5 [i]11.5.5 Inactive

session

timeout

L

1.6 – System Security Item Weight initials/compliance

1.6.1 OS and application security patches installed as soon as practical H 1.6.2 [p]6.3.1 Development stage data and accounts removed before production stage M 1.6.3 [p]2.2.3 Configure system security parameters to prevent misuse M 1.6.4 [i]12.4.1 Software installation controls include: updates performed only by trained administrators with

management authorization, rollback strategy, audit log of code changes

M 1.6.5 [i]12.4.1 Software installation controls include: OS limited to approved services, applications thoroughly tested,

configuration control system, retain previous versions of applications for all archived data versions

L 1.6.6 Limit scope of trust relationships between systems L 1.6.7 [i]12.4.2 Test data is selected carefully, protected, and controlled; avoid use of production data L 1.6.8 [p]2.2.4 Remove unnecessary services rec



of 12

1.7 – Vulnerability Management Item Weight initials/compliance

1.7.1 [i]12.6 Vulnerability management: establish resources to identify vulnerabilities, identify risks to organization for

discovered vulnerabilities, address vulnerabilities according to plan

H 1.7.2 [i]12.6

Vulnerability

management:

establish

roles

for

vulnerability

management,

establish

timeline

to

respond

to

vulnerabilities, evaluate impact of vulnerability remediation before implementing, test remediation method

before installing in production

M 1.7.3 [p]11.2 Scan for vulnerabilities quarterly and after significant changes M 1.7.4 [p]11.3 Perform penetration testing yearly and after significant changes L

1.8 – Malicious Code Protections Item Weight initials/compliance

1.8.1 [i]10.4.1 Malicious

code

protections:

policy

prohibiting

use

of

unauthorized

software,

periodic

review

of

installed

software, installation of anti‐malware software, establish procedure for responding to malware detection

M 1.8.2 [i]10.4.1 Malicious code protections: policy restricting software sources, establish contingency plans for losses

due to malware infection, maintain awareness of malware threats

L 1.8.3 [p]5.2 Monitor correct function of anti‐malware software, and log its activity L

1.9 – Data Validation Item Weight initials/compliance

1.9.1 [i]12.2.1 input

data

validation:

evaluate

inputs

for

value

range,

valid

characters,

completeness,

data

length/volume limits H

1.9.2 [p]6.5 Design/test applications: avoid injection flaws, buffer overflow, directory traversal H 1.9.3 [p]6.5 Design/test applications: avoid insecure cryptographic storage, insecure communications, data leakage via

error messages, cross‐site scripting and forgery, unsecured URL access

M 1.9.4 [i]12.2.1 input data validation: establish procedures for responding to validation errors, establish procedures to

test plausibility of input data, define responsibilities of personnel involved in data entry, log all data entry

M 1.9.5 [i]12.2.4 output data validation: reconciliation controls, provide sufficient data to allow reader to verify accuracy M 1.9.6 [i]12.2.1

input

data

validation:

periodic

review

of

data,

inspecting

hardcopy

for

unauthorized

changes

L

1.9.7 [i]12.2.4 output data validation: includes test plausibility of output data values, establish procedures for

responding to validation errors, define responsibilities of personnel involved in data output, log data output

validation

L



of 12

1.10 – Encryption Item Weight initials/compliance

1.10.1 [p]8.4 Passwords are encrypted during transmission or storage H 1.10.2 [p]2.3 Encrypt all administrative access H 1.10.3 [p]4.1

Data

are

encrypted

over

public

networks

H

1.10.4 [i]12.3.1 Data is encrypted in motion M 1.11 – Production Controls

Item Weight initials/compliance 1.11.1 [i]6.2.2 prior to customer access, these controls are addressed: asset protection, product or service is well

described, requirements and benefits for customers, access control policy, procedures for reporting and

investigation of inaccuracies and breaches, descriptions of all services, target level of service, disclose right to

monitor, disclose

liabilities

of

organization

and

customer,

disclose

legal

responsibilities,

disclose

intellectual

property rights

L

1.12 – Security Incident Reporting Item Weight initials/compliance

1.12.1 [p]12.9 Establish incident response plan including roles, response procedures, recovery/contingency procedures,

data backup/recovery processes, document legal reporting requirements

M 1.12.2 [i]13.1.1 Security incidents reported through appropriate command channels, including suitable feedback

mechanisms to

satisfy

those

reporting

incidents

and

incident

reporting

form

to

ensure

uniform

and

complete

collection of details

M

1.12.3 [p]12.5.3 Document incident response procedures M



of 12

Section 2 – Policy and Documentation 2.1 – Third Party Access

Item Weight initials/compliance 2.1.1

[i]6.2.1

Evaluate

3P

access

requirements:

enumerate

types

of

access

and

assess

the

sensitivity

of

data

to

be

accessed

M

2.1.4 [i]6.2.3 Terms included in 3P agreements: controls for asset protection, responsibilities regarding hardware and

software, access controls, incident reporting process, establish process for problem resolution

L 2.1.4 [i]6.2.3 Terms included in 3P agreements: information security policy, training in security issues, awareness of

information security responsibilities, provision for transfer of personnel, clear reporting structure and reporting

formats, clear process of change management, description of product or service to be provided, target level of

service, definition of performance criteria, disclose right to monitor, disclose right to audit, service continuity

requirements, liabilities

of

parties,

legal

responsibilities,

intellectual

property

rights,

involvement

with

subcontractors, conditions of renegotiation or termination

L

2.1.2 [i]6.2.1 Evaluate 3P access requirements: enumerate facilities a 3P is required to access, enumerate 3P personnel,

document controls for secure storage and exchange of data with 3P

rec 2.1.3 [i]6.2.1 Evaluate 3P access requirements: document controls to limit access, document how 3P personnel identity

can be verified, assess impact of loss of access by 3P, establish procedures for incident response involving 3P,

document legal requirements regarding 3P, document impact to stakeholders for use of 3P

rec

2.2 – Operational Procedure Item Weight initials/compliance

2.2.1 [i]10.1.1 Document operating procedures: processing and handling of information, backup, scheduling and

interdependency, handling of errors and exceptions, support contracts, special output and media handling,

restart and recovery procedures, management of audit trail and logging

L

2.2.2 [p]12.2 Document daily operational security procedures rec



of 12

2.3 – Access Control Policy Item Weight initials/compliance

2.3.1 [i]11.1.1 Access control policy: enumerate all data and risks L 2.3.2 [p]8.2 In addition to unique id, require at least one factor of authentication, e.g. password, hardware token,

biometric

H 2.3.3 [p]8.5.1 Control and audit creation, modification, and deletion of user credentials M 2.3.4 [p]8.5.10 Require passwords to contain at least 7 characters H 2.3.5 [p]8.5.11 Require passwords to contain alphabetic and numeric characters H 2.3.6 [i]11.1.1 Access control policy: security requirements of individual applications, data classifications and policies

for dissemination consistent across all systems, document legal requirements for data, document user profiles by

role, document management of access rights, segregate access control roles, require formal authorization of

access requests, periodic review of access controls, proper and timely removal of access rights

rec

2.3.7 [p]7.1

limit

access

rights

to

least

necessary

rec

2.3.8 [p]7.2 establish access controls for system components rec 2.4 – Regulatory Compliance

Item Weight initials/compliance 2.4.1 [i]15.1.1 Identify requirements of all applicable laws, contracts, and other regulation M 2.4.2 [i]15.2.1 Managers ensure compliance with all applicable security policies M

2.5 –

User

Registration

and

Deregistration

Item Weight initials/compliance

2.5.1 [i]11.2.1 User registration: unique user id, verify access authorization with system owner, give user written

statement of access rights, immediate removal or blocking of access when job duties no longer require it,

periodic audit of user ids and access rights

M

2.5.2 [p]7.1.3 Formal documented approval of user access and level of privileges by appropriate system manager L 2.5.3 [i]11.2.1 User registration: level of access matches business needs, user signs statement of access conditions,

ensure authorization process is complete before access is granted, formal record of all registered users

rec



of 12

Section 3 – Unauthorized Access Prevention 3.1 – Physical Controls

Item Weight initials/compliance 3.1.1

[i]9.1.1

Locked

cabinet

or

room

H

3.1.2 [p]9.1.2 Restrict physical access to network jacks M 3.1.3 [p]9.1.3 Restrict physical access to wireless hardware M 3.1.4 [p]9.1.1 Video camera or other auditable access record L

3.2 – Sanitization of Equipment Item Weight initials/compliance

3.2.1 [i]9.2.6 Storage media securely erased or destroyed prior to disposal H 3.2.2 [p]9.10.1

Shred

or

incinerate

hardcopy

of

data

H

3.3 – Protection of Media Item Weight initials/compliance

3.3.1 [i]10.7.1 Management of removable media: prior to disposal, removable media are securely erased or destroyed H 3.3.2 [p]9.6 Physically secure hardcopy of data H 3.3.3 [i]10.7.1 Management of removable media includes removable media are securely erased or destroyed,

authorization required for removal of media from premises, media stored in physically secured location, consider

expected lifetime

of

media

when

designing

retention

plan,

maintain

records

of

removable

media,

removable

media drives only enabled if needed

rec

3.3.4 [p]9.9.1 Conduct annual physical audit of removable media rec 3.4 – Mobile Security

Item Weight initials/compliance 3.4.1 [i]11.7.1 Establish formal policy for information security as regards mobile computing L 3.4.2 [i]11.7.2 Establish formal policy for working from remote locations, including physical security of remote site,

communications security

requirements,

consider

risk

of

unauthorized

physical

access,

establish

policy

on

use

of

privately owned equipment, require anti‐malware and firewall

rec

Section 4 – Networking 4.1 – Network Management Controls

Item Weight initials/compliance 4.1.1 [i]11.4.2 Require authentication for remote access H 4.1.2 [i]11.4.5 Segregate network segments by services, users, or system function rec



of 12

4.2 – Restriction of Network Access Item Weight initials/compliance

4.2.1 [i]11.4.6 Restrict access to network segments based on business need M 4.3 – Isolation of Services and Data

Item Weight initials/compliance 4.3.1 [i]11.6.2 Sensitive systems use isolated resources H 4.3.2 [p]2.2.1 Servers are dedicated to single services (e.g. web server, db server) H 4.3.3 University data stored, received, or processed by this system is not shared with any other system unless that

system also undergoes a security assessment and receives Data Steward approval.

H 4.4 –Network Security

Item Weight initials/compliance 4.4.1 [p]11.4 Use intrusion detection/prevention systems M 4.4.2 [i]10.6.1 Network management: establish controls to secure sensitive data traffic, log activity as necessary to

record security‐relevant events

L 4.4.3 [i]10.6.1 Network management: network management responsibilities separated from computer management,

establish responsibilities for management of remote equipment, ensure network is configured to perform

optimally and consistently

L

4.4.4 [p]1.1.6 Review firewall and router rule sets every 6 months rec 4.4.5 [p]6.6

Review

public

‐facing

web

interfaces

at

least

annually,

to

find

vulnerabilities

rec

For Assessor Comments, use the space provided on the next page.



of 12

Assessor Comments Use the space below to comment on compliance issues. For each comment, list the checklist subsection number.

a practitioner's approach for developing information security policy (166238322)

Documents