Best Practices For Department Server and Enterprise System Checklist

Transcription

1 Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT) resources against Information related threats such as hacker attacks, worms, viruses, and other malicious activities. The Best Practices for Department Server and Enterprise System Checklist will be used to determine if an organizational unit of The George Washington University is using standard Information Best Practices to secure their Departmental Servers and Enterprise Systems. To use this checklist, review each individual Department Server Best Practice Requirement and each Enterprise System Best Practice Requirement listed to the right of each category in the first column (Physical, Administration, Operating System, Database, Network, Anti-Virus, and Documentation). Place a check mark in the Check if Complete column for each best practice requirement met in the Department Server Best Practice column and/or a check mark in the Check if Complete column for each best practice requirement met in the Enterprise System Best Practice column. If you are not able to comply with the requirement, please provide a business case justification in the Justification for Non-Completion column. Best Practice Requirements For Department Servers and Enterprise Systems Check if Complete Department Server Best Practice Requirement Check if Complete Enterprise System Best Practice Requirement Justification for Non-Completion Physical Have entry and exit to equipment and wiring closets been restricted to unauthorized personnel? Have entry and exit to equipment and wiring closets been restricted to unauthorized personnel? Physically lock equipment to a stationary durable device such as an office desk or inside a computer cabinet. Physically lock equipment to a stationary durable device such as an office desk or inside a computer cabinet. Page 1 of 8

2 Ensure the temperature in the room is appropriate for the equipment (check user guide for equipment). Ensure the temperature in the room is appropriate for the equipment (check user guide for equipment). Attach devices to an Uninterruptible Power Supply Device (UPS) and/or surge protector. Ensure that fire, smoke, and heat detectors are installed to protect people and equipment. Attach devices to an Uninterruptible Power Supply Device (UPS) and/or surge protector. Ensure that fire, smoke, and heat detectors are installed to protect people and equipment. Administration Apply software patches to all software programs on the system when available subject to the change management process. Apply operating system patches on the system when available subject to the change management process. Ensure the system is protected by a properly configured firewall. Ensure the system is protected by updated anti-virus software. Establish accounts for each individual user and grant the appropriate level of access necessary to perform job. Apply software patches to all software programs on the system when available subject to the change management process. Apply operating system patches on the system when available subject to the change management process. Ensure the system is protected by a properly configured firewall. Ensure the system is protected by updated anti-virus software. Establish accounts for each individual user and grant the appropriate level of access necessary to perform job. Page 2 of 8

3 Ensure that each user is authenticated before access is granted. Have process in place to clean up accounts once the user no longer requires access to the database. Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. Have a security assessment performed on the system, including penetration testing. Install host-based security tools such as Intrusion Detection and File Integrity Checkers for information that contain mission critical data and/or confidential data. Disable all unnecessary services on system. Ensure that each user is authenticated before access is granted. Have process in place to clean up accounts once the user no longer requires access to the database. Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. Have a security assessment performed on the system, including penetration testing. Install host-based security tools such as Intrusion Detection and File Integrity Checkers for information that contain mission critical data and/or confidential data. Disable all unnecessary services on system. Operating System Use Minimum Configuration Benchmarks from the Center for Internet (supported by NSA, DISA, DHS, and NIST and security experts from more than 100 other organizations). Use Minimum Configuration Benchmarks from the Center for Internet (supported by NSA, DISA, DHS, and NIST and security experts from more than 100 other organizations). Page 3 of 8

4 Database There are currently minimum security configurations for 14 types of systems. There are also tools available to test systems against the benchmarks - Have a security assessment performed on the system that will contain the database. Establish accounts for each individual user and grant the appropriate level of access necessary to perform job. Ensure that each user is authenticated before access is granted. Have process in place to clean up accounts once the user no longer requires access to the database. Update patches, subject to change management process, on the system as they become available and after patches have been tested in a nonproduction environment Encrypt information stored in the database. There are currently minimum security configurations for 14 types of systems. There are also tools available to test systems against the benchmarks - Have a security assessment performed on the system that will contain the database. Establish accounts for each individual user and grant the appropriate level of access necessary to perform job. Ensure that each user is authenticated before access is granted. Have process in place to clean up accounts once the user no longer requires access to the database. Update patches, subject to change management process, on the system as they become available and after patches have been tested in a non-production environment Encrypt information stored in the database. Page 4 of 8

5 Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. Network Monitor network for malicious and/or abnormal activity Apply patches to network devices, operating systems, and software on network subject to change management process. Monitor network for malicious and/or abnormal activity Apply patches to network devices, operating systems, and software on network subject to change management process. Encrypt transmissions that contain sensitive and/or confidential information. Regularly review logs from network devices such as VPN, Routers, IDS, IPS, and Firewalls for suspicious activity. Update IDS/IPS signatures regularly Ensure strong passwords are set and changed regularly on routers. Remove default passwords from all networking devices. Disable all unnecessary services on network devices. Encrypt transmissions that contain sensitive and/or confidential information. Regularly review logs from network devices such as VPN, Routers, IDS, IPS, and Firewalls for suspicious activity. Update IDS/IPS signatures regularly Ensure strong passwords are set and changed regularly on routers. Remove default passwords from all networking devices. Disable all unnecessary services on network devices. Page 5 of 8

6 Use stronger more secure protocols to security network devices such as SSH instead of telnet. Use stronger more secure protocols to security network devices such as SSH instead of telnet. Anti-Virus Have a security assessment performed at least annually on network devices such as routers and firewall. Download Anti-Virus software program and instructions from Have a security assessment performed at least annually on network devices such as routers and firewall. Download Anti-Virus software program and instructions from Update Anti-Virus Definitions regularly. Update Anti-Virus Definitions regularly. Scan system regularly for virus, worm, and Trojan activity. Scan system regularly for virus, worm, and Trojan activity. Documentation Document description of systems software and hardware. Document contingency plan for system in the event the system becomes unavailable. Document and maintain backup procedures for system. Document description of systems software and hardware. Document contingency plan for system in the event the system becomes unavailable. Document and maintain backup procedures for system. Page 6 of 8

7 Keep user manuals from vendors for systems that were pre-built or develop documentation on systems that have been developed in house. Keep software license catalog of system software and applications on hand. Keep risk and security assessments for system on hand. Keep user manuals from vendors for systems that were pre-built or develop documentation on systems that have been developed in house. Keep software license catalog of system software and applications on hand. Keep risk and security assessments for system on hand. BEST PRACTICE CHECKLIST SIGN-OFF 1) I have reviewed the Department Server and/or the Enterprise System against this Best Practice checklist. 2) Best Practice requirements that could not be met for a business justifiable reason has been documented in the Justification for Non- Completion column of this document. System Administrator Sign-off Name: Signature: System Owner Sign-off Name: Signature: Page 7 of 8

8 Title: Date: Title: Date: Page 8 of 8