Best Practices For Department Server and Enterprise System Checklist




INSTRUCTIONS

Information Security Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT) resources against information security related threats such as hacker attacks, worms, viruses, and other malicious activities. The Best Practices for Department Server and Enterprise System Checklist will be used to determine if an organizational unit of The George Washington University is using standard Information Security Best Practices to secure their Departmental Servers and Enterprise Systems.

To use this checklist, review each individual Department Server Best Practice Requirement and each Enterprise System Best Practice Requirement listed to the right of each category in the first column (Physical, Administration, Operating System, Database, Network, Anti-Virus, and Documentation). Place a check mark in the Check if Complete column for each best practice requirement met in the Department Server Best Practice column and/or a check mark in the Check if Complete column for each best practice requirement met in the Enterprise System Best Practice column. If you are not able to comply with the requirement, please provide a business case justification in the Justification for Non-Completion column.

Best Practice Requirements For Department Servers and Enterprise Systems

| Category | Check if Complete | Department Server Best Practice Requirement | Check if Complete | Enterprise System Best Practice Requirement | Justification for Non-Completion |
|---|---|---|---|---|---|
| Physical | | Have entry and exit to equipment and wiring closets been restricted to authorized personnel only? | | Have entry and exit to equipment and wiring closets been restricted to authorized personnel only? | |
| Physical | | Physically lock equipment to a stationary, durable device such as an office desk or inside a computer cabinet. | | Physically lock equipment to a stationary, durable device such as an office desk or inside a computer cabinet. | |
| Physical | | Ensure the temperature in the room is appropriate for the equipment (check the user guide for the equipment). | | Ensure the temperature in the room is appropriate for the equipment (check the user guide for the equipment). | |
| Physical | | Attach devices to an Uninterruptible Power Supply (UPS) and/or surge protector. | | Attach devices to an Uninterruptible Power Supply (UPS) and/or surge protector. | |
| Physical | | Ensure that fire, smoke, and heat detectors are installed to protect people and equipment. | | Ensure that fire, smoke, and heat detectors are installed to protect people and equipment. | |
| Administration | | Apply software patches to all software programs on the system when available, subject to the change management process. | | Apply software patches to all software programs on the system when available, subject to the change management process. | |
| Administration | | Apply operating system patches on the system when available, subject to the change management process. | | Apply operating system patches on the system when available, subject to the change management process. | |
| Administration | | Ensure the system is protected by a properly configured firewall. | | Ensure the system is protected by a properly configured firewall. | |
| Administration | | Ensure the system is protected by updated anti-virus software. | | Ensure the system is protected by updated anti-virus software. | |
| Administration | | Establish accounts for each individual user and grant the appropriate level of access necessary to perform the job. | | Establish accounts for each individual user and grant the appropriate level of access necessary to perform the job. | |
| Administration | | Ensure that each user is authenticated before access is granted. | | Ensure that each user is authenticated before access is granted. | |
| Administration | | Have a process in place to clean up accounts once the user no longer requires access to the database. | | Have a process in place to clean up accounts once the user no longer requires access to the database. | |
| Administration | | Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. | | Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. | |
| Administration | | Have a security assessment performed on the system, including penetration testing. | | Have a security assessment performed on the system, including penetration testing. | |
| Administration | | Install host-based security tools such as Intrusion Detection and File Integrity Checkers on systems that contain mission critical data and/or confidential data. | | Install host-based security tools such as Intrusion Detection and File Integrity Checkers on systems that contain mission critical data and/or confidential data. | |
| Administration | | Disable all unnecessary services on the system. | | Disable all unnecessary services on the system. | |
| Operating System | | Use Minimum Configuration Benchmarks from the Center for Internet Security (supported by NSA, DISA, DHS, and NIST and security experts from more than 100 other organizations). There are currently minimum security configurations for 14 types of systems. There are also tools available to test systems against the benchmarks: http://www.cisecurity.org/index.html | | Use Minimum Configuration Benchmarks from the Center for Internet Security (supported by NSA, DISA, DHS, and NIST and security experts from more than 100 other organizations). There are currently minimum security configurations for 14 types of systems. There are also tools available to test systems against the benchmarks: http://www.cisecurity.org/index.html | |
| Database | | Have a security assessment performed on the system that will contain the database. | | Have a security assessment performed on the system that will contain the database. | |
| Database | | Establish accounts for each individual user and grant the appropriate level of access necessary to perform the job. | | Establish accounts for each individual user and grant the appropriate level of access necessary to perform the job. | |
| Database | | Ensure that each user is authenticated before access is granted. | | Ensure that each user is authenticated before access is granted. | |
| Database | | Have a process in place to clean up accounts once the user no longer requires access to the database. | | Have a process in place to clean up accounts once the user no longer requires access to the database. | |
| Database | | Update patches on the system, subject to the change management process, as they become available and after the patches have been tested in a non-production environment. | | Update patches on the system, subject to the change management process, as they become available and after the patches have been tested in a non-production environment. | |
| Database | | Encrypt information stored in the database. | | Encrypt information stored in the database. | |
| Database | | Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. | | Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities. | |
| Network | | Monitor the network for malicious and/or abnormal activity. | | Monitor the network for malicious and/or abnormal activity. | |
| Network | | Apply patches to network devices, operating systems, and software on the network, subject to the change management process. | | Apply patches to network devices, operating systems, and software on the network, subject to the change management process. | |
| Network | | Encrypt transmissions that contain sensitive and/or confidential information. | | Encrypt transmissions that contain sensitive and/or confidential information. | |
| Network | | Regularly review logs from network devices such as VPNs, routers, IDS, IPS, and firewalls for suspicious activity. | | Regularly review logs from network devices such as VPNs, routers, IDS, IPS, and firewalls for suspicious activity. | |
| Network | | Update IDS/IPS signatures regularly. | | Update IDS/IPS signatures regularly. | |
| Network | | Ensure strong passwords are set and changed regularly on routers. | | Ensure strong passwords are set and changed regularly on routers. | |
| Network | | Remove default passwords from all networking devices. | | Remove default passwords from all networking devices. | |
| Network | | Disable all unnecessary services on network devices. | | Disable all unnecessary services on network devices. | |
| Network | | Use stronger, more secure protocols to secure network devices, such as SSH instead of telnet. | | Use stronger, more secure protocols to secure network devices, such as SSH instead of telnet. | |
| Network | | Have a security assessment performed at least annually on network devices such as routers and firewalls. | | Have a security assessment performed at least annually on network devices such as routers and firewalls. | |
| Anti-Virus | | Download the Anti-Virus software program and instructions from http://helpdesk.gwu.edu/nav/ | | Download the Anti-Virus software program and instructions from http://helpdesk.gwu.edu/nav/ | |
| Anti-Virus | | Update Anti-Virus definitions regularly. | | Update Anti-Virus definitions regularly. | |
| Anti-Virus | | Scan the system regularly for virus, worm, and Trojan activity. | | Scan the system regularly for virus, worm, and Trojan activity. | |
| Documentation | | Document a description of the system's software and hardware. | | Document a description of the system's software and hardware. | |
| Documentation | | Document a contingency plan for the system in the event the system becomes unavailable. | | Document a contingency plan for the system in the event the system becomes unavailable. | |
| Documentation | | Document and maintain backup procedures for the system. | | Document and maintain backup procedures for the system. | |
| Documentation | | Keep user manuals from vendors for systems that were pre-built, or develop documentation for systems that have been developed in house. | | Keep user manuals from vendors for systems that were pre-built, or develop documentation for systems that have been developed in house. | |
| Documentation | | Keep a software license catalog of system software and applications on hand. | | Keep a software license catalog of system software and applications on hand. | |
| Documentation | | Keep risk and security assessments for the system on hand. | | Keep risk and security assessments for the system on hand. | |

BEST PRACTICE CHECKLIST SIGN-OFF

1) I have reviewed the Department Server and/or the Enterprise System against this Best Practice checklist.
2) Best Practice requirements that could not be met for a business justifiable reason have been documented in the Justification for Non-Completion column of this document.

System Administrator Sign-off
Name:
Signature:
Title:
Date:

System Owner Sign-off
Name:
Signature:
Title:
Date:
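The Network items "Disable all unnecessary services on network devices" and "Use stronger, more secure protocols ... such as SSH instead of telnet" can be checked mechanically on a host. The following Python script is an added example and is not part of this checklist or of any GWU tooling: it parses listening-socket lines in the shape of `ss -tlnp` output (the sample below is constructed, not captured from a real system), flags cleartext management protocols that SSH/SFTP should replace, and flags any other listener not on an approved list. The approved port set and the process names are assumptions for a hypothetical departmental web server.

```python
"""Audit a host's listening TCP services against the checklist's Network rows.

Added example, not part of the GWU checklist. Input is constructed `ss -tlnp`
style text; APPROVED_PORTS is an assumption for a hypothetical web server.
"""
from dataclasses import dataclass

# Cleartext management/transfer protocols that the checklist says to replace with SSH.
CLEARTEXT_PROTOCOLS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Assumed allow list for this hypothetical host: SSH plus HTTP/HTTPS.
APPROVED_PORTS = {22, 80, 443}

# Constructed sample in the shape of `ss -tlnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=455,fd=5))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=1011,fd=13))
"""


@dataclass
class Finding:
    port: int
    address: str
    process: str
    issue: str


def parse_ss_line(line):
    """Return (address, port, process) for one LISTEN line, or None for header/blank lines."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    # Local Address:Port may be IPv4 ("0.0.0.0:22") or bracketed IPv6 ("[::]:22").
    address, port = parts[3].rsplit(":", 1)
    process = "unknown"
    if len(parts) >= 6 and parts[5].startswith('users:(("'):
        process = parts[5].split('"')[1]  # name inside users:(("name",pid=...))
    return address, int(port), process


def audit_listeners(lines, approved=APPROVED_PORTS):
    """Flag listeners that use cleartext protocols or are not on the approved list."""
    findings = []
    seen = set()
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        address, port, process = parsed
        if (port, process) in seen:  # IPv4 and IPv6 sockets of one daemon count once
            continue
        seen.add((port, process))
        if port in CLEARTEXT_PROTOCOLS:
            findings.append(Finding(port, address, process,
                f"cleartext protocol {CLEARTEXT_PROTOCOLS[port]}; replace with SSH/SFTP"))
        elif port not in approved:
            loopback = address.startswith("127.") or address == "[::1]"
            scope = "loopback only, lower exposure" if loopback else "reachable from the network"
            findings.append(Finding(port, address, process,
                f"not on the approved service list ({scope}); disable if unnecessary"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT.splitlines()):
        print(f"port {f.port} ({f.process} on {f.address}): {f.issue}")
```

On the constructed sample the script reports the telnet listener on port 23 and the unapproved SMTP listener on port 25, while noting that the latter is bound to loopback only; the duplicate IPv4/IPv6 sshd sockets are counted once. In practice the allow list is the documented service inventory for the host (see the Documentation rows), so anything the script flags is either an undocumented service or a justification entry waiting to be written.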