Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Transcription

1 Security Tool Kit System Checklist Departmental Servers and Enterprise Systems INSTRUCTIONS System documentation specifically related to security controls of departmental servers and enterprise systems is an audit and National Institute of Standards in Technology (NIST) requirement. This checklist must be filled out and/or revalidated once a year by the system administrator and approved by the system owner. A separate checklist should be completed for each departmental server and/or enterprise system and be readily available. SYSTEM INFORMATION 1) GWU Division / Department Name: 2) What is the system s IP Address? 3) What is the system host name? 4) What is the system s MAC address? 5) Department / Division Contact Person: System Admin Contact Info: Application Admin Contact Info: User Admin Contact Info: 6) System Location/Address/Room Number/Physical Address 7) Is this system on the network? If not, describe why. 1

2 8) Does this system connect to the GWU network? 9) Does this system have access to the internet? 10) Does this system utilize dial-up access? 11) What is the GW Asset Tag Number on the system? 12) What is the manufacturers make, model and serial number of the system: 13) What is the computer s operating system version? 14) Is this machine considered a Single User Desktop, Enterprise Server, a Public Systems Desktop or a Public Systems Enterprise Server? 15) How does the system support the overall mission of the university? 16) Does this system support a specific service? If so, what service name? (ex: banner, ERP, accounting, etc.) 17) Is this system maintained by a system administrator or individual user? (if so provide, name, number and ) SYSTEM DATA CHARACTERISTICS 1) Does this system process, store, and/or transmit faculty or employee information such as social security numbers, employee numbers, and employment history, and/or personnel records as examples? Please describe. 2

3 2) Does this system process, store, and/or transmit university, student, faculty, employee, or contractor financial information budget, salary, income, financial aid, contract bidding fees as examples? Please describe. 3) Does this system process, store, and/or transmit medical history or medical records of students, faculty, employee, contractor, or agents of the university? Please describe. 4) Does this system process, store, and/or transmit student records and student academic history? Please describe. 5) Based on the Data Classification Policy where does this system fall based on the type of information on the system (Public, Official Use, Confidential) and the type of system itself (Desktop, Departmental Server, Enterprise System)? Please see the Data Classification Policy and Matrix for detailed information. System Security Settings and Environment 1) How does the system identify and authenticate each user? a. Windows Log on? b. Novell Log on? c. VPN Log on? d. Other? Please describe. 2) Describe the number of users who can log on to this system and give a brief description of who they are. 3) Is antivirus software installed on the system? a. Antivirus Manufacturer b. Version c. Real-time protection? 3

4 d. Firewall (personal or hardware?) Describe the ACLs: e. Additional security software 4) If antivirus software is installed on the system, how often are the definitions updated? 5) Are operating system patches updated regularly? 6) Are software patches updated regularly? 7) Has a security plan been developed for the system? 8) What physical access controls are there in place for the system? 9) Has the system functionality been formally documented? 10) Have the system users completed the on-line security and awareness training? 11) Is this system subject to change management procedures before a change is implemented? Explain 12) Is physical access to system restricted to those who require access to it? Please attach a User Access List. 13) Has the system been configured to provide the least privilege level of access necessary to perform job function? 4

5 14) If the hard drive in the system had to be replaced, is the data properly sanitized? 15) Is there a contingency and disaster recovery plan if the system were to lose functionality? a. Local Backups b. Network backups c. Failover Capabilities 16) How old could the files on this system be? 17) Is there any data on this system that falls under GLBA, HIPAA, or FERPA? 18) Are routine scans and/or audits performed against the system? 19) Is logging enabled on the system? List what services are logged and location of logfiles. Name additional 3 rd party utilities used to log data from this system. 20) How often do you review the system logs? 21) How do administrators access this system? 22) How do users access this system? 23) How do users get an account on this system? 24) Describe the reliability of the account deletion process. 5

6 25) Has the screen locking feature been enabled on the system? 26) Is the data stored and transmitted on the system encrypted? 27) List those applications which transmit information: 28) List all known open services: System Administrator Sign-off Name: Signature: Title: Date: System Owner Sign-off Name: Signature: Title: Date: 6