Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Transcription

1 Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C Passwords are required to have ( # of ) characters: 5 or less Answer 10 or more C Password complexity forces (Choose all that apply): Alpha Numeric C Passwords can not be reused until after ( # of unique passwords ): ne Special Characters UpperCase LowerCase or more C Passwords must be changed every ( # of days ): t Required C Systems must not allow users to change their password more than once within a 24-hour period: C Invalid login locks the user after ( # of attempts ): Never Greater Than attempts 4-5 attempts 6 or more attempts C Set the minimum account lockout duration to: Must be reset by administrator C Policy states that users must not write, store or transmit passwords in plain text: C Passwords on network devices must be encrypted: C 1.2 Do any system users have access to company data? C Is there a formal procedure to control the creation and deletion of user IDs? 30 minutes or less minutes 60 minutes or more

2 C C Are accounts used by vendors for remote access and maintenance only enabled during the time needed and monitored while in use? Is there a formal process to authorize the creation of group, shared, or generic accounts/passwords? C2: Encryption C 2.1 Are strong cryptography and encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), Internet Protocol (IPSEC) used to safeguard sensitive Company Information during transmission over public networks? C2: Encryption C Will company data be rendered unreadable if the use of encryption is mandated by law or regulation? C2: Encryption C Is company data rendered unreadable if company determines that encryption is necessary to secure it? C2: Encryption C Is an internal PKI used to protect company data at rest? C2: Encryption C Is there a requirement for key custodians to sign a form or acknowledge electronically specifying that they understand and accept their key-custodian responsibilities? C2: Encryption C For wireless networks transmitting comapny data, what encryption method is used for transmissions? Host Host Host Host Host Host Host Host Host C 3.1 C What Intrusion Detection Systems (IDS), Host-based Intrusion Detection Systems (HIDS), and/or Intrusion Prevention Systems (IPS) are used to monitor all network traffic associated with access, processing, storage, communication and/or transmission of Company Data? If above, does the installed IDS, HIDS or IPS protect all servers that contain company information? Wireless WEP WPA WPA2 Other ne HIDS NIDS C What does the IDS, HIDS, or IPS monitor? (Check all that apply): DMZ C 3.2 C C C C C Is there a formal documented process, including management approval, for approving and testing all external network connections and changes to the firewall configuration? Can a network diagram showing firewall, IDS, HIDS and / or IPS placement be provided upon request? Are there requirements for a firewall at each Internet connection and between any DMZ and the Intranet? Do firewall configuration standards contain a description of groups, roles, and responsibilities for logical management of network components? Do firewall configuration standards include justification and documentation of any available protocols besides HTTP and SSL, SSH, and VPN? Do firewall configuration standards include justification and documentation for any protocols allowed, such as FTP, etc., that IPS N/A Internal Network Other

3 Host Host Host Host Host Host Host Host Host Host Host Host Host Host Host Host Host Host C C C C C 3.3 C C C requires credentials be transmitted in clear text? Is a DMZ implemented to filter and screen all traffic, prohibiting direct routes for inbound and outbound traffic? Does, or will, the server that contains company data reside in the DMZ? Is outbound traffic restricted from Supplier systems hosting company data to IP addresses within the DMZ? Is Internet Protocol (IP) masquerading implemented to prevent internal addresses from being translated and revealed on the Internet? Such as Port Address Translation (PAT) or Network Address Translation (NAT)? Do all System Components and software have the latest vendorsupplied security patches? Are all critical applicable security patches installed within one month of release? Is there a documented process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet)? Are standards documented and updated to address new vulnerability issues? C 3.4 Is antivirus software installed, enabled and maintained on all servers? C C Is antivirus software installed, enabled and maintained on all workstations? Is antivirus software installed, enabled and maintained on all gateways? C Are all anti-virus mechanisms capable of generating audit logs? C 3.5 C 3.6 C 3.7 C C C Are vendor-supplied defaults always changed before installing a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts.)? For wireless environments, which of the following default settings are changed? (Check all that apply) Are hardening standards documented and implemented for all systems and components. These standards should address all known security vulnerabilities and industry best practices? Is only one primary function implemented per server (e.g., web servers, database servers, and DNS should be implemented on separate servers)? Are all unnecessary and insecure services and protocols disabled and any potentially dangerous ones justified and documented as to appropriate use of the service (e.g., FTP is not used, or is encrypted via SSH or other technology)? Is all unnecessary functionality removed, such as scripts, drivers, features, subsystems, file systems (e.g., unnecessary web servers)? ne SSID Changed Broadcast of SSID disabled SNMP Community String Changed

4 C4: Physical C 4.1 Which of the following facility entry controls used to control and monitor physical access to the building perimeter? (check all that apply) C4: Physical C Which of the following facility entry controls used to control and monitor physical access to the data center perimeter? (check all that apply) C4: Physical C Which of the following facility entry controls used to control and monitor physical access to all media, electronic and paper, containing company Information in an area and/or containers? (check all that apply) C4: Physical C 4.2 Is physical access to wireless access points and gateways restricted? C4: Physical C Are documented procedures developed to help all personnel distinguish between employees and visitors, especially in areas where company Information is accessible? C4: Physical C Are cameras used to monitor sensitive areas? C4: Physical C How long are recordings maintained? N/A C5: Data Recovery C 5.1 Has a Disaster Recovery / Business Resumption plan been documented and tested? C5: Data Recovery C 5.2 Are media back-ups containing Company data stored in a secure offsite facility, either an alternate third-party or a commercial data storage facility? C5: Data Recovery C When media that contains Company data either leaves or returns from off-site vendor is it signed for by an authorized individual? C5: Data Recovery C Is the media sent via secured courier or a delivery mechanism that can be accurately tracked? C6: Information Disposal and Hardware Sanitization C 6.1 Is there a documented procedure in place to remove company data or information when it is: Contained in hardware at the end of its functional life Sent out for repair As referenced in the agreement Upon request Key Badge Biometric Keypad Guard Key Badge Biometric Keypad Guard Key Badge Biometric Keypad Guard Less than 60 days days Over 90 days C7: Change Control C 7.1 Is a documented SDLC in place, based upon industry best practices (such as OWASP) that includes information security? C7: Change Control C Are there separate development/test and production environments with

5 access control in place to enforce the separation? C7: Change Control C Is there a separation of duties between those personnel assigned to the development/test environments and those assigned to the production environment? C7: Change Control C Is company data used for testing or development - i.e. anywhere outside of a production environment? AS 8.1 AS 8.2 AS Are application(s) that store or transmit company data externally available through the Internet? Do application(s) use strong Industry Standard cryptography and encryption techniques (force at least 128 bit) to safeguard company data in transit in the internal network? Do application(s) use strong Industry Standard cryptography and encryption techniques (force at least 128 bit) to safeguard company data (SSN, Credit Card Number, Drivers License Number) at rest? AS 8.3 Are proprietary (non-industry standard) encryption algorithms used? AS If proprietary encryption algorithms are used have their strength and integrity been certified by an authorized evaluation agency? AS 8.4 Are Applications Developed Internally? AS 8.5 Are application(s) independently evaluated or certified? AS 8.6 AS AS AS AS AS 8.7 Has the application code been reviewed for security flaws and backdoors? Has server side input validation been implemented in the application(s)? Where applicable, are key session identifiers encrypted - e.g. account IDs, etc within the web application? Are there any userids, application ids or passwords stored either within source code or in any form within html source code? Are there any comments within HTML source that can potentailly reveal any architectural details associated with server side programming logic or databases (e.g. stored procedures, table names etc)? Are externally facing web application(s) protected by a web application firewall (WAF)? AS 8.8 Do all application users have a unique ID and password? AS Application passwords are required to have ( # of ) characters: 5 or less or more AS Application password complexity forces (Choose all that apply): Alpha Numeric Special Characters UpperCase LowerCase

6 AS Application passwords can not be reused until after ( # of unique passwords ): ne or more AS Application passwords must be changed every ( # of days ): t Required AS Do applications allow users to change their password more than once within a 24-hour period? AS Invalid login locks the application user after ( # of attempts ): Never Greater Than attempts 4-5 attempts 6 or more attempts AS What is the minimum application account lockout duration? Must be reset by administrator AS 8.9 Do application(s) use wild card SSL server certificates? AS 8.10 Are controls in place to prevent changes to the application from being made in an unauthorized manner? AS 8.11 Are audit trails enabled within the application(s)? AS 8.12 AS 8.13 AS 8.14 AS 8.15 Do application(s) mask SSN, Credit Card Number and Drivers License Number data when displayed on screen? Is there any type of data export of sensitive company data feature in the application(s)? If the application utilizes passwords stored in databases, are they stored as one-way encrypted hash values? Have Role Based Access Control mechanisms been incorporated to ensure that the Principle of Least Privilege is complied with? 30 minutes or less minutes 60 minutes or more