a practitioner's approach for developing information security policy (166238322)
TRANSCRIPT
7/29/2019 A Practitioner's Approach for Developing Information Security Policy (166238322)
http://slidepdf.com/reader/full/a-practitioners-approach-for-developing-information-security-policy-166238322 1/12
Department:
System Name or Description:
Department Head Signature (digital): to be signed once checklist is complete

Security Checklist Instructions
All persons assessing checklist items must be added to the list below. When a line item is assessed, the assessor adds his or her initials along with an indication of the degree of compliance: “yes” for full compliance, “no” for noncompliance, “part” for partial compliance. Where partial compliance is indicated, assessors should describe the level of compliance using the space provided on the last page of this form.
Assessors: Supply initials followed by full name and department if different from above (e.g. “JQP – John Q. Public” or “MJG – Mary Glick – University Technology Services”)
Section 1 – System Management

1.1 – Define ownership and appropriate use
Item | Weight | Initials/Compliance
1.1.1 [i]7.1.1 Assets documented: application software used for University data | H |
1.1.2 [i]7.1.1 Assets documented: university data identified by sensitivity and authoritative Data Steward | H |
1.1.3 [i]7.1.1 Assets documented: computer equipment | H |
1.1.4 [i]7.1.2 Ownership and responsibility for assets are documented and periodically reviewed | M |
1.1.5 [p]12.3.3 Personnel with access to assets are documented | M |
1.1.6 [p]12.3.4 Devices are labeled to indicate owner, contact info, and purpose | L |
1.1.7 [i]7.1.1 Assets documented: computing and communication services | rec |
1.2 – Information backup
Item | Weight | Initials/Compliance
1.2.1 [i]10.5.1 Backup copies of information and software are made | M |
1.2.2 [i]10.5.1 Backup copies of sensitive data are securely encrypted | H |
1.2.3 [i]10.5.1 Backup plan includes: define level of backup information, keep accurate records of backups made, plan granularity (full/differential, frequency), keep backup media off site, protect backup media, test backup media, test restore procedures | L |
1.2.4 [p]9.5 Observe offsite storage facility to verify security and confirm annual review | L |

1.3 – Logging
Item | Weight | Initials/Compliance
1.3.1 System time is accurately synchronized (e.g. with NTP) | M |
1.3.2 Security-relevant events are logged: user activity, critical system changes, critical data changes | M |
1.3.3 Daily review of logs by manual or automated means | L |
1.3.4 Keep logs for at least 3 months | L |
1.3.5 Keep logs for at least 12 months | rec |
1.3.6 Real-time log review | rec |
1.3.7 [p]10.1 Establish process to link access to user id | rec |
1.3.8 [p]10.2.2 Establish audit trail for all actions of admin users | rec |
1.3.9 [p]10.2.7 Log creation and deletion of system objects | rec |
1.3.10 [p]10.3 Record these data for each event logged (where relevant): user id, event type, date and time, success/failure, origination, identity of affected items | rec |
1.3.11 [p]10.7 Retain audit trails for at least 12 months | rec |
1.4 – Password Management
Item | Weight | Initials/Compliance
1.4.1 [i]11.2.3 Passwords must be stored encrypted or hashed | H |
1.4.2 [i]11.2.3 Vendor default passwords are changed as soon as practical | H |
1.4.3 [i]11.2.3 User identity is verified prior to processing password set/reset | H |
1.4.4 [i]11.2.3 Users sign statement of password confidentiality | M |
1.4.5 [i]11.3.1 Users required to follow good security practices in selecting and using passwords | M |
1.4.6 [i]11.2.3 Any passwords provided to users must be complex and unique, must be communicated to user securely, and must be changed by user on first login | M |
1.4.7 [p]2.1 Change vendor default identifiers, such as SNMP community string, SSID, encryption keys | M |
1.5 – OS Secure Authentication
Item | Weight | Initials/Compliance
1.5.1 [i]11.5.1 OS login process includes: no display of password during entry, no cleartext transmission of password | H |
1.5.2 [p]10.2.5 Logging of OS authentication success/failure | M |
1.5.3 [p]8.5.13,14 Lock out account after at most 6 consecutive unsuccessful login attempts; lock-out for at least 30 minutes | M |
1.5.4 [i]11.5.1 OS login process includes: no display of system/application identifiers until logon successful, displays a warning about unauthorized access, no help messages during logon, validate credentials only after all inputs are received, display previous logon upon successful logon | L |
1.5.5 [i]11.5.5 Inactive session timeout | L |
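Items 1.5.2, 1.5.3 and 1.3.10 together specify what a login control must do: count consecutive failures, lock for a fixed period, and log every result with a defined set of fields. The following is an added example (not code from the checklist or its authors) that implements those rules in Python; the account names, origin addresses, event names and the log dictionary layout are assumptions.

```python
"""Added example (not from the checklist): lockout tracker for item 1.5.3
(lock after at most 6 consecutive failures, for at least 30 minutes) that logs
each authentication result (item 1.5.2) with the fields of item 1.3.10.
Event names, log format and the epoch-seconds clock are assumptions."""
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MAX_FAILURES = 6            # checklist 1.5.3: at most 6 consecutive failures
LOCKOUT_SECONDS = 30 * 60   # checklist 1.5.3: lock-out for at least 30 minutes

@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds, None = not locked

@dataclass
class LockoutPolicy:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, user, event, now, ok, origin):
        # checklist 1.3.10: user id, event type, date and time, success/failure, origination, affected item
        self.audit_log.append({
            "user": user, "event": event,
            "time": datetime.fromtimestamp(now, timezone.utc).isoformat(),
            "result": "success" if ok else "failure",
            "origin": origin, "affected": f"account:{user}",
        })

    def is_locked(self, user, now):
        st = self.accounts.get(user)
        return bool(st and st.locked_until is not None and now < st.locked_until)

    def attempt(self, user, password_ok, origin, now=None):
        """Apply one login attempt; return True only if the login is allowed."""
        now = time.time() if now is None else now
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            self._record(user, "login_rejected_locked", now, False, origin)
            return False
        if st.locked_until is not None:
            st.failures, st.locked_until = 0, None   # lock-out period has expired
        if password_ok:
            st.failures = 0
            self._record(user, "login", now, True, origin)
            return True
        st.failures += 1
        self._record(user, "login", now, False, origin)
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            self._record(user, "account_locked", now, True, origin)
        return False
```

A correct password presented during an active lock-out is refused and logged under its own event type, which gives the daily log review of item 1.3.3 a clear signal to look for.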
1.6 – System Security
Item | Weight | Initials/Compliance
1.6.1 OS and application security patches installed as soon as practical | H |
1.6.2 [p]6.3.1 Development stage data and accounts removed before production stage | M |
1.6.3 [p]2.2.3 Configure system security parameters to prevent misuse | M |
1.6.4 [i]12.4.1 Software installation controls include: updates performed only by trained administrators with management authorization, rollback strategy, audit log of code changes | M |
1.6.5 [i]12.4.1 Software installation controls include: OS limited to approved services, applications thoroughly tested, configuration control system, retain previous versions of applications for all archived data versions | L |
1.6.6 Limit scope of trust relationships between systems | L |
1.6.7 [i]12.4.2 Test data is selected carefully, protected, and controlled; avoid use of production data | L |
1.6.8 [p]2.2.4 Remove unnecessary services | rec |
1.7 – Vulnerability Management
Item | Weight | Initials/Compliance
1.7.1 [i]12.6 Vulnerability management: establish resources to identify vulnerabilities, identify risks to organization for discovered vulnerabilities, address vulnerabilities according to plan | H |
1.7.2 [i]12.6 Vulnerability management: establish roles for vulnerability management, establish timeline to respond to vulnerabilities, evaluate impact of vulnerability remediation before implementing, test remediation method before installing in production | M |
1.7.3 [p]11.2 Scan for vulnerabilities quarterly and after significant changes | M |
1.7.4 [p]11.3 Perform penetration testing yearly and after significant changes | L |
1.8 – Malicious Code Protections
Item | Weight | Initials/Compliance
1.8.1 [i]10.4.1 Malicious code protections: policy prohibiting use of unauthorized software, periodic review of installed software, installation of anti-malware software, establish procedure for responding to malware detection | M |
1.8.2 [i]10.4.1 Malicious code protections: policy restricting software sources, establish contingency plans for losses due to malware infection, maintain awareness of malware threats | L |
1.8.3 [p]5.2 Monitor correct function of anti-malware software, and log its activity | L |
1.9 – Data Validation
Item | Weight | Initials/Compliance
1.9.1 [i]12.2.1 Input data validation: evaluate inputs for value range, valid characters, completeness, data length/volume limits | H |
1.9.2 [p]6.5 Design/test applications: avoid injection flaws, buffer overflow, directory traversal | H |
1.9.3 [p]6.5 Design/test applications: avoid insecure cryptographic storage, insecure communications, data leakage via error messages, cross-site scripting and forgery, unsecured URL access | M |
1.9.4 [i]12.2.1 Input data validation: establish procedures for responding to validation errors, establish procedures to test plausibility of input data, define responsibilities of personnel involved in data entry, log all data entry | M |
1.9.5 [i]12.2.4 Output data validation: reconciliation controls, provide sufficient data to allow reader to verify accuracy | M |
1.9.6 [i]12.2.1 Input data validation: periodic review of data, inspecting hardcopy for unauthorized changes | L |
1.9.7 [i]12.2.4 Output data validation: includes test plausibility of output data values, establish procedures for responding to validation errors, define responsibilities of personnel involved in data output, log data output validation | L |
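Items 1.9.1 and 1.9.4 list what input validation must check (value range, valid characters, completeness, length/volume limits) and require a defined response to validation errors. The following added example (not code from the checklist or its authors) applies those checks in Python to a constructed student-record entry form; the field names, rule set and log format are assumptions.

```python
"""Added example (not from the checklist): a declarative input validator that
applies the four checks of item 1.9.1 (value range, valid characters,
completeness, length/volume limits) to a submitted record and, per item 1.9.4,
records every rejection instead of silently dropping it. Field names, the
sample rules and the log format are this example's own assumptions."""
import re
from typing import Any, Dict, List, Tuple

# Constructed rule set for a hypothetical student-record entry form.
RULES: Dict[str, Dict[str, Any]] = {
    "student_id": {"required": True, "pattern": r"^[0-9]{8}$", "max_len": 8},
    "last_name":  {"required": True, "pattern": r"^[A-Za-z' -]+$", "max_len": 64},
    "credits":    {"required": True, "range": (0, 30)},
    "email":      {"required": False, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$",
                   "max_len": 254},
}
MAX_FIELDS = 20   # volume limit: reject records padded with unexpected fields

def validate_record(record: Dict[str, Any], rules=RULES) -> Tuple[bool, List[str]]:
    """Return (accepted, errors); each error names the field and the failed check."""
    errors: List[str] = []
    if len(record) > MAX_FIELDS:
        errors.append(f"record: too many fields ({len(record)} > {MAX_FIELDS})")
    for name in record:
        if name not in rules:
            errors.append(f"{name}: unexpected field")
    for name, rule in rules.items():
        value = record.get(name)
        if value is None or value == "":
            if rule.get("required"):
                errors.append(f"{name}: missing (completeness)")   # 1.9.1
            continue
        if "max_len" in rule and len(str(value)) > rule["max_len"]:
            errors.append(f"{name}: exceeds length limit {rule['max_len']}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], str(value)):
            errors.append(f"{name}: invalid characters")
        if "range" in rule:
            lo, hi = rule["range"]
            try:
                num = int(value)
            except (TypeError, ValueError):
                errors.append(f"{name}: not numeric")
                continue
            if not lo <= num <= hi:
                errors.append(f"{name}: {num} outside range {lo}..{hi}")
    return (not errors), errors

def handle_submission(record: Dict[str, Any], log: List[str]) -> bool:
    """Response procedure (item 1.9.4): log the outcome, never partially accept."""
    accepted, errors = validate_record(record)
    log.append("accepted" if accepted else "rejected: " + "; ".join(errors))
    return accepted
```

All failed checks are collected before the record is rejected, so the data-entry log required by item 1.9.4 records the complete reason rather than only the first error.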
1.10 – Encryption
Item | Weight | Initials/Compliance
1.10.1 [p]8.4 Passwords are encrypted during transmission or storage | H |
1.10.2 [p]2.3 Encrypt all administrative access | H |
1.10.3 [p]4.1 Data are encrypted over public networks | H |
1.10.4 [i]12.3.1 Data is encrypted in motion | M |

1.11 – Production Controls
Item | Weight | Initials/Compliance
1.11.1 [i]6.2.2 Prior to customer access, these controls are addressed: asset protection, product or service is well described, requirements and benefits for customers, access control policy, procedures for reporting and investigation of inaccuracies and breaches, descriptions of all services, target level of service, disclose right to monitor, disclose liabilities of organization and customer, disclose legal responsibilities, disclose intellectual property rights | L |
1.12 – Security Incident Reporting
Item | Weight | Initials/Compliance
1.12.1 [p]12.9 Establish incident response plan including roles, response procedures, recovery/contingency procedures, data backup/recovery processes, document legal reporting requirements | M |
1.12.2 [i]13.1.1 Security incidents reported through appropriate command channels, including suitable feedback mechanisms to satisfy those reporting incidents and incident reporting form to ensure uniform and complete collection of details | M |
1.12.3 [p]12.5.3 Document incident response procedures | M |
Section 2 – Policy and Documentation

2.1 – Third Party Access
Item | Weight | Initials/Compliance
2.1.1 [i]6.2.1 Evaluate 3P access requirements: enumerate types of access and assess the sensitivity of data to be accessed | M |
2.1.2 [i]6.2.1 Evaluate 3P access requirements: enumerate facilities a 3P is required to access, enumerate 3P personnel, document controls for secure storage and exchange of data with 3P | rec |
2.1.3 [i]6.2.1 Evaluate 3P access requirements: document controls to limit access, document how 3P personnel identity can be verified, assess impact of loss of access by 3P, establish procedures for incident response involving 3P, document legal requirements regarding 3P, document impact to stakeholders for use of 3P | rec |
2.1.4 [i]6.2.3 Terms included in 3P agreements: controls for asset protection, responsibilities regarding hardware and software, access controls, incident reporting process, establish process for problem resolution | L |
2.1.4 [i]6.2.3 Terms included in 3P agreements: information security policy, training in security issues, awareness of information security responsibilities, provision for transfer of personnel, clear reporting structure and reporting formats, clear process of change management, description of product or service to be provided, target level of service, definition of performance criteria, disclose right to monitor, disclose right to audit, service continuity requirements, liabilities of parties, legal responsibilities, intellectual property rights, involvement with subcontractors, conditions of renegotiation or termination | L |
2.2 – Operational Procedure
Item | Weight | Initials/Compliance
2.2.1 [i]10.1.1 Document operating procedures: processing and handling of information, backup, scheduling and interdependency, handling of errors and exceptions, support contracts, special output and media handling, restart and recovery procedures, management of audit trail and logging | L |
2.2.2 [p]12.2 Document daily operational security procedures | rec |
2.3 – Access Control Policy
Item | Weight | Initials/Compliance
2.3.1 [i]11.1.1 Access control policy: enumerate all data and risks | L |
2.3.2 [p]8.2 In addition to unique id, require at least one factor of authentication, e.g. password, hardware token, biometric | H |
2.3.3 [p]8.5.1 Control and audit creation, modification, and deletion of user credentials | M |
2.3.4 [p]8.5.10 Require passwords to contain at least 7 characters | H |
2.3.5 [p]8.5.11 Require passwords to contain alphabetic and numeric characters | H |
2.3.6 [i]11.1.1 Access control policy: security requirements of individual applications, data classifications and policies for dissemination consistent across all systems, document legal requirements for data, document user profiles by role, document management of access rights, segregate access control roles, require formal authorization of access requests, periodic review of access controls, proper and timely removal of access rights | rec |
2.3.7 [p]7.1 Limit access rights to least necessary | rec |
2.3.8 [p]7.2 Establish access controls for system components | rec |

2.4 – Regulatory Compliance
Item | Weight | Initials/Compliance
2.4.1 [i]15.1.1 Identify requirements of all applicable laws, contracts, and other regulation | M |
2.4.2 [i]15.2.1 Managers ensure compliance with all applicable security policies | M |
2.5 – User Registration and Deregistration
Item | Weight | Initials/Compliance
2.5.1 [i]11.2.1 User registration: unique user id, verify access authorization with system owner, give user written statement of access rights, immediate removal or blocking of access when job duties no longer require it, periodic audit of user ids and access rights | M |
2.5.2 [p]7.1.3 Formal documented approval of user access and level of privileges by appropriate system manager | L |
2.5.3 [i]11.2.1 User registration: level of access matches business needs, user signs statement of access conditions, ensure authorization process is complete before access is granted, formal record of all registered users | rec |
Section 3 – Unauthorized Access Prevention

3.1 – Physical Controls
Item | Weight | Initials/Compliance
3.1.1 [i]9.1.1 Locked cabinet or room | H |
3.1.2 [p]9.1.2 Restrict physical access to network jacks | M |
3.1.3 [p]9.1.3 Restrict physical access to wireless hardware | M |
3.1.4 [p]9.1.1 Video camera or other auditable access record | L |
3.2 – Sanitization of Equipment
Item | Weight | Initials/Compliance
3.2.1 [i]9.2.6 Storage media securely erased or destroyed prior to disposal | H |
3.2.2 [p]9.10.1 Shred or incinerate hardcopy of data | H |
3.3 – Protection of Media
Item | Weight | Initials/Compliance
3.3.1 [i]10.7.1 Management of removable media: prior to disposal, removable media are securely erased or destroyed | H |
3.3.2 [p]9.6 Physically secure hardcopy of data | H |
3.3.3 [i]10.7.1 Management of removable media includes: removable media are securely erased or destroyed, authorization required for removal of media from premises, media stored in physically secured location, consider expected lifetime of media when designing retention plan, maintain records of removable media, removable media drives only enabled if needed | rec |
3.3.4 [p]9.9.1 Conduct annual physical audit of removable media | rec |

3.4 – Mobile Security
Item | Weight | Initials/Compliance
3.4.1 [i]11.7.1 Establish formal policy for information security as regards mobile computing | L |
3.4.2 [i]11.7.2 Establish formal policy for working from remote locations, including physical security of remote site, communications security requirements, consider risk of unauthorized physical access, establish policy on use of privately owned equipment, require anti-malware and firewall | rec |
Section 4 – Networking

4.1 – Network Management Controls
Item | Weight | Initials/Compliance
4.1.1 [i]11.4.2 Require authentication for remote access | H |
4.1.2 [i]11.4.5 Segregate network segments by services, users, or system function | rec |
4.2 – Restriction of Network Access
Item | Weight | Initials/Compliance
4.2.1 [i]11.4.6 Restrict access to network segments based on business need | M |

4.3 – Isolation of Services and Data
Item | Weight | Initials/Compliance
4.3.1 [i]11.6.2 Sensitive systems use isolated resources | H |
4.3.2 [p]2.2.1 Servers are dedicated to single services (e.g. web server, db server) | H |
4.3.3 University data stored, received, or processed by this system is not shared with any other system unless that system also undergoes a security assessment and receives Data Steward approval. | H |

4.4 – Network Security
Item | Weight | Initials/Compliance
4.4.1 [p]11.4 Use intrusion detection/prevention systems | M |
4.4.2 [i]10.6.1 Network management: establish controls to secure sensitive data traffic, log activity as necessary to record security-relevant events | L |
4.4.3 [i]10.6.1 Network management: network management responsibilities separated from computer management, establish responsibilities for management of remote equipment, ensure network is configured to perform optimally and consistently | L |
4.4.4 [p]1.1.6 Review firewall and router rule sets every 6 months | rec |
4.4.5 [p]6.6 Review public-facing web interfaces at least annually, to find vulnerabilities | rec |
For Assessor Comments, use the space provided on the next page.
Assessor Comments
Use the space below to comment on compliance issues. For each comment, list the checklist subsection number.