Information Systems Security Assessment




Physical Security

1. Is the server protected from environmental damage (fire, water, etc.)?
Ideal Answer: YES. All servers must be housed in such a way as to protect against fire, water, and other environmental hazards. Example: servers must be in close proximity to a chemical extinguisher or CO2 extinguisher, or be equipped with a sprinkler system in case of a fire.

2. Is access to servers, hubs and routers, and wiring areas adequately controlled?
Ideal Answer: YES. Servers, hubs, routers, and wiring areas should only be accessible to authorized personnel to reduce the risk of intrusion.

3. Are passwords encrypted during transmission from the workstations to the servers and in communications outside your network?
Ideal Answer: YES. Password encryption for all transmissions is critical in reducing security exposures. By encrypting transmissions, you reduce the risk of an outside user tapping transmission lines and hacking into sensitive information on your server.

4. Is the server also used as a PC/workstation?
Ideal Answer: NO. A server should not be used for dual purposes. There is a high risk of accidental loss of data if a server is used for dual purposes.

5. If some workstations are used to display sensitive information, are these workstations located in areas that will not allow unauthorized viewing of the information?
Ideal Answer: YES. It is important to strategically locate workstations in a way that prevents unauthorized individuals from viewing sensitive information.

Logical Security

6. Administrator Accounts and Access
A. Do only those individuals who have administrative responsibilities for the network have "administrator" rights and privileges to the system?
Ideal Answer: YES. Only those employees who are responsible for maintenance on the system should have "administrator" privileges. As a general rule, "administrator" status is limited to the primary support person and a backup.
B. Do administrators have a second account on the server/LAN for day-to-day activities?
Ideal Answer: YES. Administrators should have at least one separate common account for their day-to-day activities (e.g. email, calendar, applications, etc.). This prevents unnecessary contact with the server under the "administrator" account and reduces the risk of accidental loss of data.

7. User Accounts and Access
A. Are there established procedures in place to authorize users to access the system and applications?
Ideal Answer: YES. A written authorization form must be completed, reviewed, and approved by the application owner before a user is given access.
B. Do you periodically verify your authorized user lists?
Ideal Answer: YES. The administrator and personnel should review authorized user lists at least quarterly.
C. Do you inform users of their rights and responsibilities regarding the computers, data and data security, passwords, and copyrights?
Ideal Answer: YES. A written policy outlining user rights, responsibilities, security, confidentiality, etc. must be presented, reviewed, and signed by the user at the time of authorization.

8. User Account Passwords and Logon IDs
A. Are users required to sign any document acknowledging their privileges and responsibilities relating to the LAN and their LAN account and authorizations?
Ideal Answer: YES. In the event of abuse, a signed statement is evidence that an individual was made aware of the rules and responsibilities that go with data access.
B. Are passwords non-printing, non-displaying, or keyed onto obliterated spaces?
Ideal Answer: YES. This reduces the risk of stolen passwords.
C. Are passwords established in a way that ensures they are nonstandard and unique?
Ideal Answer: YES. All user passwords must be unique to reduce the risk of unauthorized individuals cracking passwords to gain user access. There are multiple programs, freely available on the Internet, that are used to crack common passwords.
D. Is the minimum length of passwords at least 5 characters?
Ideal Answer: YES. An alphanumeric password with a length of 6 to 8 characters is preferable and the most common.
E. Are passwords periodically changed?
Ideal Answer: YES. All passwords must be changed on a periodic basis to prevent others from cracking passwords and using them without permission. The frequency of a required password change should be based upon the sensitivity of the data and the level of user authorization (e.g. "supervisor").
F. Are group logon IDs utilized?
Ideal Answer: NO. The use of a group logon ID makes it impossible to assign responsibility to an individual for any action assignable to that ID.
G. Are there controls over duplicate logons (duplicate logons are those that allow a user to log in to multiple workstations at the same time)?

Ideal Answer: YES. While some departments or labs find duplicate logons beneficial for functionality, they increase the risk of unauthorized users being logged on without detection. Ideally, a control should be in place to limit each user ID to one logon at any given time.
H. Do you promptly cancel user access for individuals who have been terminated or assigned other duties?
Ideal Answer: YES. Once an employee has been terminated or assigned other duties, a personnel procedure should trigger a notification to the administrator to delete or change that user's access.

9. Is there automatic user sign-off/log-off?
Ideal Answer: YES. All servers and user machines should automatically log the user off a secured system after a specific period of inactivity has elapsed. If a user leaves a workstation unattended while logged on, anyone with access to the workstation could cause serious damage to the system or data.

10. Are passwords protected when accessing the server via dial-in from off-site?
Ideal Answer: YES. Password encryption should be used for all dial-in access. By encrypting dial-in transmissions, you reduce the risk of an outside user tapping transmission lines and hacking into sensitive information on your server.

11. Are there controls in place to prevent repeated attempts (failures) to access the system?
Ideal Answer: YES. Controls should be in place to lock out a user after a set number of failed log-on attempts. As a general practice, only three attempts are allowed. This control reduces the risk of hackers using a computer program for repeated attempts to gain access.

12. After a user is locked out by failing consecutive log-on attempts to the system, is the administrator required to re-authorize access?
Ideal Answer: YES. This control provides better security than an automatic "time-out" reset, and provides more timely access to the user.

13. Are there time-of-day restrictions for users to access the system?

Ideal Answer: YES. Authorized users must have access to the system containing sensitive information only during normal working hours (unless otherwise approved). This control further reduces the opportunity hackers have to gain access to the system during non-working hours.

14. Are access violations and logs reviewed on a periodic basis?
Ideal Answer: YES. The administrator should review the access violation logs for suspicious activity. Reviewing these on a regular basis can alert the administrator to possible hacking attempts so that they can react accordingly.

Backup and Operations Continuation Plan

15. Are backups of data performed regularly?
Ideal Answer: YES. Full backups should be routinely performed based upon the data volume and the difficulty of data reconstruction. In general, a nightly backup minimizes the risk of data loss. This routine control will prevent loss of data if a temporary interruption should occur.

16. Are backups of departmentally authored programs performed?
Ideal Answer: YES. Non-commercial program backups should also be periodically performed.

17. If backups are being performed, then:
A. Do you have written backup procedures for programs and/or data?
Ideal Answer: YES. These routine backup procedures should be documented and easily accessible to employees in the event of a temporary interruption or staffing changes.
B. Is a copy of backup media maintained off-site for programs and/or data?
Ideal Answer: YES. An off-site (secondary) location must be used for backup media storage. In the event of a fire, natural disaster, vandalism, or theft at the primary business location, this will prevent loss of both on-line and backup data.

C. Are backup copies, both those maintained off-site and those at the primary office, protected against unauthorized access?
Ideal Answer: YES. As with data stored at the primary office location, off-site backups should be protected against unauthorized users.
D. Has the use of backup files been tested?
Ideal Answer: YES. Backup files aren't worth maintaining if they cannot restore the original data. Testing the backup files will ensure backup file integrity should the primary files be destroyed.

19. Do you have an operations continuation plan?
Ideal Answer: YES. All computer operations must have a continuation plan. This plan should be in writing so it is available to staff in the event of an emergency. In addition, training in the execution of the plan should be included and practiced.

Virus Protection

20. Do you have a memory-resident virus protection program on your computers, and is it periodically updated?
Ideal Answer: YES. All computers must have a memory-resident virus protection program loaded and updated on a periodic basis. These programs help prevent your computer from getting infected with a destructive computer virus.

Software

21. Does your division/department have a software use policy for users? A software use policy is one in which the users are informed that they are only to use authorized software installed on their workstation. This policy includes a statement on what to do if the user has software (demos, trial versions, freeware, shareware, etc.) that they want to use on their workstation.
Ideal Answer: YES. All divisions/departments must have a software use policy to provide guidance to users in areas of appropriate use, computer responsibility, foreign software, security, etc.

22. Protection of Software Copyrights
A. Is a software inventory maintained and periodically updated?
Ideal Answer: YES. A periodic software inventory is vital in identifying any unauthorized or missing software. Maintenance of this inventory is essential in documenting authorized software additions, upgrades, or deletions.
B. Is there an established procedure to ensure compliance with licensing agreements?
Ideal Answer: YES. A control must be in place to ensure no unauthorized licensing agreements are entered into without proper approval. The administrator's co-signature on all hardware/software purchases would reduce the risk of unauthorized agreements.
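The logical-security items 8 G and 11 through 14 describe controls that the administrator can only confirm by reading the access logs: a lockout after three failed attempts, administrator re-authorization before a locked-out user gets back in, time-of-day restrictions, and the absence of duplicate logons. The following script is an added example, not part of the original assessment, of what such a periodic log review looks like in code. The log line format, the user and workstation names, the 08:00 to 18:00 weekday working hours and the UNLOCK event that records an administrator's re-authorization are all assumptions made for this example; the sample log is constructed inline.

```python
"""Added example (not part of the original assessment): periodic review of a
logon audit trail against the controls in items 8 G and 11 through 14.
The log format, user and workstation names, working hours and the UNLOCK event
are assumptions made for this example, not any product's real format."""
from collections import defaultdict
from datetime import datetime, time

MAX_FAILURES = 3                                # item 11: lock out after three failures
WORK_START, WORK_END = time(8, 0), time(18, 0)  # item 13: assumed working hours (weekdays)

# Constructed sample log: "date time user workstation event [target]".
SAMPLE_LOG = """\
2024-03-04 08:02:11 jsmith WS-101 LOGON_OK
2024-03-04 08:05:40 rjones WS-102 LOGON_FAIL
2024-03-04 08:05:52 rjones WS-102 LOGON_FAIL
2024-03-04 08:06:07 rjones WS-102 LOGON_FAIL
2024-03-04 08:06:30 rjones WS-102 LOGON_FAIL
2024-03-04 08:20:00 admin  WS-001 UNLOCK rjones
2024-03-04 08:21:15 rjones WS-102 LOGON_OK
2024-03-04 09:00:00 jsmith WS-105 LOGON_OK
2024-03-04 12:00:00 jsmith WS-101 LOGOFF
2024-03-04 14:00:10 mkhan  WS-120 LOGON_FAIL
2024-03-04 14:00:25 mkhan  WS-120 LOGON_FAIL
2024-03-04 14:00:41 mkhan  WS-120 LOGON_FAIL
2024-03-04 14:05:00 mkhan  WS-120 LOGON_OK
2024-03-04 23:14:05 tlee   WS-110 LOGON_OK
2024-03-09 10:30:00 tlee   WS-110 LOGON_OK
"""


def parse_log(text):
    """Turn each non-empty line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        events.append({
            "ts": datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S"),
            "user": fields[2],
            "ws": fields[3],
            "event": fields[4],
            "target": fields[5] if len(fields) > 5 else None,
        })
    return events


def outside_working_hours(ts):
    """Item 13: a weekend, or a time outside the assumed working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def review(events):
    """Walk the log in order and collect findings for the administrator's review (item 14)."""
    findings = []                 # (category, user, timestamp, detail)
    failures = defaultdict(int)   # consecutive failed attempts per user (item 11)
    locked = set()                # users locked out and awaiting re-authorization (item 12)
    sessions = defaultdict(set)   # workstations where each user is currently logged on (item 8 G)
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "LOGON_FAIL":
            failures[user] += 1
            if failures[user] == MAX_FAILURES and user not in locked:
                locked.add(user)
                findings.append(("lockout", user, ts, f"{MAX_FAILURES} consecutive failures on {e['ws']}"))
        elif e["event"] == "UNLOCK":
            # Administrator re-authorization clears the lockout and the failure counter.
            locked.discard(e["target"])
            failures[e["target"]] = 0
        elif e["event"] == "LOGON_OK":
            if user in locked:
                findings.append(("logon-while-locked", user, ts,
                                 "successful logon without administrator re-authorization"))
            failures[user] = 0
            if outside_working_hours(ts):
                findings.append(("after-hours", user, ts, f"logon from {e['ws']} outside working hours"))
            if sessions[user] and e["ws"] not in sessions[user]:
                findings.append(("duplicate-logon", user, ts,
                                 f"already logged on at {sorted(sessions[user])}"))
            sessions[user].add(e["ws"])
        elif e["event"] == "LOGOFF":
            sessions[user].discard(e["ws"])
    return findings


def summarize(findings):
    """Count findings per category for the review report."""
    counts = defaultdict(int)
    for category, *_ in findings:
        counts[category] += 1
    return dict(counts)


def report(findings):
    """Format findings one per line for the administrator."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} {category:<18} {user:<8} {detail}"
            for category, user, ts, detail in findings]


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    print("\n".join(report(found)))
    print(summarize(found))
```

The review treats a successful logon by a user who is still in the lockout set as a finding in its own right: if the log shows that, the lockout control of item 12 is not being enforced, which is exactly what a periodic review under item 14 is meant to surface.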
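Item 17 D says backup files are only worth keeping if they can actually restore the original data. The following is an added example, not from the original document, of a restore test that makes that check mechanical: a manifest of SHA-256 digests is recorded when the backup is taken, the archive is later restored into a scratch directory, and every restored file is compared against the manifest. The sample files, the tar.gz archive format and the JSON manifest are constructed for this example; no particular backup product is assumed.

```python
"""Added example (not from the original assessment): a restore test for item
17 D. A backup is trusted only after it is restored into a scratch directory
and every file's SHA-256 digest matches the manifest written at backup time.
Sample files, the tar.gz archive and the JSON manifest are constructed here;
no real backup product is assumed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source, archive, manifest_path):
    """Archive the source tree and record what it contained at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive, manifest_path, scratch):
    """Restore into scratch and compare with the manifest; return the list of problems (empty means pass)."""
    expected = json.loads(manifest_path.read_text())
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports: refuse entries escaping scratch
            tar.extractall(str(scratch), filter="data")
        else:
            tar.extractall(str(scratch))
    actual = build_manifest(scratch)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    problems.extend(f"unexpected file restored: {rel}" for rel in actual if rel not in expected)
    return problems


def run_demo():
    """Back up a constructed tree, prove a clean restore, then show the test catching a bad backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "records").mkdir(parents=True)
        (source / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (source / "config.ini").write_text("[server]\nretention_days=30\n")
        archive, manifest = tmp / "backup.tar.gz", tmp / "backup.manifest.json"
        create_backup(source, archive, manifest)
        good = restore_test(archive, manifest, tmp / "restore_ok")

        # Simulate backup media rewritten after one file changed and one was deleted,
        # while the manifest still describes the original data.
        (source / "config.ini").write_text("[server]\nretention_days=7\n")
        (source / "records" / "patients.csv").unlink()
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(source), arcname=".")
        bad = restore_test(archive, manifest, tmp / "restore_bad")
        return good, bad


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore:", clean or "all files verified")
    print("bad backup:", tampered)
```

The manifest is written alongside the archive rather than inside it so that a rewritten or truncated archive cannot carry its own stale evidence of completeness; in practice the manifest belongs with the off-site copy required by item 17 B.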