Server Security Checklist (2009 Standard)




Server identification and location:
Completed by (please print):
Date:
Signature:
Manager's signature:
Next scheduled review date:
Date:

Secure Network and Physical Environment
1. Server is secured in a locked rack or in an area with restricted access. (5.1.1)
2. All non-removable media is configured with file systems with access controls enabled. (5.1.2)
3. Server is set up in an environment with appropriately restricted network access. (5.1.3.1)
4. The server displays a trespassing banner at login. (5.1.4) If unable to display a banner, check box.

Patching / Server Maintenance
5. There is a documented maintenance process to keep applications and operating systems at the latest practical patch levels. Where is it documented? (5.2.1)
6. Vendor-supported operating system and application patches are readily available to RIT. (5.2.1.1)
7. Operating systems or applications that are no longer supported by the vendor or an open source community have an exception request pending or granted by the ISO. (5.2.1.1.1)
8. There is a documented maintenance process which includes a reasonable timetable for routine application of patches and patch clusters (service packs and patch rollups). Where is this documented? (5.2.1.2)
9. Systems supported by vendor patches have the patch application integrated into a documented server maintenance process. Where is this documented? (5.2.1.3)
10. There is a process to inventory the current level of patches specific to this server. (5.2.1.4)
11. There is a process for monitoring patch installation failures. (5.2.1.5)

Logging
12. Server is configured with appropriate real-time OS/application logging turned on. (5.3.1)
13. There is a documented process for routine log monitoring and analysis. Where is it documented? (5.3.2)

Server Security Checklist - draft revision 3a 1 of 5 9/27/2012

14. Reviews are conducted periodically to ensure the effectiveness of the server logging process. (5.3.3) How often? (At least monthly):
15. There is a schedule for log monitoring of the server. Where is it documented? (5.3.4)
16. Logging has been configured to include at least 2 weeks of relevant OS/application information. (5.3.4.1) The logging elements include:
    All authentication
    Privilege escalation
    User additions and deletions
    Access control changes
    Job schedule start-up
    System integrity information
    Log entries must be time and date stamped
17. Intentional logging of private information, such as passwords, has been disabled. (5.3.5)
18. Logging is mirrored in real time and stored on another secure server. (5.3.6)

System Integrity Controls
19. System is configured to restrict changes to start-up procedures. (5.4.1)
20. There is a documented change control process for system configurations. Where is it documented? (5.4.2)
21. All unused services are disabled. (5.4.3)
22. If available, anti-virus software and definitions are current and up-to-date. (5.4.4)
23. Server has a host firewall installed and enabled. (5.4.5)
24. Is host-based intrusion prevention software (HIPS) enabled? (Y/N) (5.4.6)
25. Is this an authentication server? (Y/N) (Host-based intrusion prevention software is required for authentication servers.) (5.4.6.1)
26. If available, hardware-based system integrity control is enabled. (5.4.7)

Vulnerability Assessment
27. A pre-production configuration or vulnerability assessment has been performed on the server and its services prior to moving to production. (5.5.1)
28. Server has been scanned using an ISO-approved vulnerability scanner before being moved to production, after being moved to production, and at ISO-specified periods thereafter. (5.5.2) How often is the server being scanned?
29. A copy of the configuration and/or vulnerability assessment reports done at initial server configuration has been retained for possible future use by the ISO. (5.5.5)
30. After vulnerabilities with a CVSS score of 7 or greater are announced, the corresponding patches and/or configurations are updated within one business day. (5.5.6.1)

31. If no CVSS score applies to a vulnerability, then the vulnerability must be evaluated for remote exploitation. (5.5.6.3)
32. The ISO is authorized to perform vulnerability scanning for this server. (5.5.3)
33. The ISO vulnerability scanner is not blocked specifically or permanently whitelisted. (5.5.3.1)
34. A systems/server administrator is authorized to perform scans when approved by the system owner or the ISO. (5.5.4) Is there anyone else authorized to perform scanning? (Y/N) If yes, who?

Authentication and Access Control
35. All trust relationships have been identified and reviewed. (5.6.1)
36. All manufacturer and default passwords have been changed. (5.6.2)
37. Strong authentication has been configured for all users with root or administrator system privileges. (5.6.3) Refer to the ISO website for a list of strong authentication practices.
38. Access control has been configured to allow only authorized, authenticated access to the system and its applications and data. (5.6.4)
39. There is a documented process for granting and removing authorized access. (5.6.4.1) Where is it documented?
40. Generic or persistent guest accounts allowing user interactive logins have been disabled. (5.6.4.2 and 5.6.4.3) (Service accounts are excluded from this requirement.)

Backup, Restore, and Business Continuity
41. Operationally Critical data has been backed up. (5.7.1)
42. All servers with Operationally Critical data have documented back-up, system and application restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning. Where is this documented? (5.7.1.1)
43. Back-up procedures are verified at least monthly through automated verification, customer restores, or trial restores. How often are they verified? (5.7.1.2)
44. Backups are not stored solely in the same building where the Operationally Critical data is located. (5.7.1.3)
45. Backups have been made readily accessible. (5.7.1.4)
46. Measures to transmit server back-ups securely have been put into place. (5.7.1.5)
47. Back-up media is compliant with the Portable Media Security Standard. (5.7.1.6)

Applications Administration
48. The application administrator is responsible for application-specific aspects, including ensuring the application is in compliance with the server standard where applicable. (5.8.2)
49. The applications/module administrator is responsible for ensuring the security of their applications/modules. (5.8.1)
50. For each application, the application owner must identify an application administrator and a systems administrator. (5.8.1.1) These administrators must be approved by their management. Use the form on the last page to list all applications and their application and systems administrators.

Security Review and Risk Management
51. Is this a new server installation? (Y/N) (5.9.1) (See ISO Server Security Standard Section 5.9.2 for specific criteria.) Answer question 52 only if the answer to 51 is YES.
52. A security review/risk assessment has been completed. (5.9.1) When? By whom? Are they ISO approved?

Server Registration
53. The server has network access and has been registered in an ISO-approved centralized registration system. (5.10.1)

Server Hardware Replacement and Retirement
54. Have any server storage media and/or devices containing RIT Confidential Information been removed or replaced? (Y/N) (5.11.1) If yes, the media or device must be degaussed or the data otherwise rendered unrecoverable.

Server Administration
55. All computers used to administer servers conform to the requirements for RIT-owned or leased computers as stated in the Desktop and Portable Computer Security Standard. (5.12.1)
56. Secure protocols are being used for administrative functions and transmission of login credentials. (5.12.2.1)
57. NTP and DNS have authoritative sources. (5.12.2.2.1)

High Performance and Distributed Computing
58. Does this server participate in High Performance/Distributed Computing/grid computing? (Y/N) (5.13.1) If yes, list which one: Servers that do participate in this type of computing must employ appropriate and documented safeguards to protect RIT Confidential Information and access to RIT internal networks.

Application                    Application Administrator          Systems Administrator


For more information:
RIT Information Security
585-475-4122
infosec@rit.edu
https://www.rit.edu/security
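The logging items of the checklist (16 through 18; 5.3.4.1 to 5.3.6) can be checked mechanically against a log extract and the syslog configuration. The following is an added example written for this edit, not part of RIT's checklist or standard: it maps each required log element to a typical Linux auth.log/syslog entry (that regex mapping is an assumption of the example), verifies that every entry carries a date/time stamp and that the extract covers at least two weeks, flags any entry that records a password (item 17), and reads the rsyslog forwarding rules to see whether logs are mirrored to another server (item 18). The log lines, the hostname srv01 and the rsyslog fragment are constructed for the example.

```python
import re
from datetime import datetime

# Checklist item 16 (5.3.4.1) lists the log elements a server must record. The
# regexes below map each element to a typical Linux syslog/auth.log entry; the
# mapping is an assumption of this example, not part of the RIT standard.
REQUIRED_ELEMENTS = {
    "authentication": re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for"),
    "privilege escalation": re.compile(r"sudo: .*COMMAND="),
    "user additions and deletions": re.compile(r"(useradd|userdel)\["),
    "access control changes": re.compile(r"(usermod|groupadd|gpasswd|chage)\["),
    "job schedule start-up": re.compile(r"CRON\[\d+\]: \(\w+\) CMD"),
    "system integrity information": re.compile(r"(aide|tripwire|integrity)", re.I),
}

# RFC 3339 timestamp as written by rsyslog's high-precision forward format.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)?\s")
# Item 17 (5.3.5): credentials must never be written to the log.
SECRET_LEAK = re.compile(r"(password|passwd)\s*[=:]\s*\S+", re.I)
# Legacy rsyslog forwarding action: "@host" is UDP, "@@host" is TCP (item 18, 5.3.6).
FORWARD_RULE = re.compile(r"^\s*[^#\s]+\s+(@{1,2})(?:\([^)]*\))?([\w.\-]+)(?::(\d+))?\s*$")

# Constructed log extract for the example (host srv01 and every event are made up).
SAMPLE_LOG = """\
2012-09-10T08:00:01-04:00 srv01 CRON[1201]: (root) CMD (/usr/sbin/aide --check)
2012-09-10T08:01:12-04:00 srv01 aide[1205]: AIDE found differences between database and filesystem
2012-09-12T09:15:44-04:00 srv01 sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
2012-09-12T09:16:02-04:00 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
2012-09-14T11:30:00-04:00 srv01 useradd[2310]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash
2012-09-20T03:00:00-04:00 srv01 sshd[3001]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
srv01 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
2012-09-24T17:45:09-04:00 srv01 webapp[4100]: login ok user=carol password=Hunter2!
2012-09-25T08:00:01-04:00 srv01 CRON[4201]: (root) CMD (/usr/sbin/aide --check)
"""

# Constructed rsyslog configuration fragment for the example.
SAMPLE_RSYSLOG_CONF = """\
# /etc/rsyslog.d/50-default.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none         -/var/log/syslog
# mirror every message to the central log server as it is written (item 18)
*.* @@loghost.example.edu:6514
"""


def check_log_coverage(log_text, min_days=14):
    """Audit a log extract against items 16 and 17.

    Returns the elements seen, the ones missing, the number of days the
    extract spans, and the findings that would fail the checklist.
    """
    seen, stamps, findings = set(), [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = TIMESTAMP.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
        else:
            findings.append(f"line {lineno}: entry is not date/time stamped (item 16)")
        for element, pattern in REQUIRED_ELEMENTS.items():
            if pattern.search(line):
                seen.add(element)
        if SECRET_LEAK.search(line):
            findings.append(f"line {lineno}: credential written to the log (item 17)")
    missing = [e for e in REQUIRED_ELEMENTS if e not in seen]
    findings.extend(f"no '{e}' entries found (item 16)" for e in missing)
    days = (max(stamps) - min(stamps)).days if stamps else 0
    if days < min_days:
        findings.append(f"extract spans {days} days, {min_days} required (item 16)")
    return {"seen": sorted(seen), "missing": missing, "days_covered": days, "findings": findings}


def check_remote_mirroring(rsyslog_conf):
    """Item 18 (5.3.6): list the forwarding targets configured in an rsyslog file.

    UDP ("@") forwarding drops messages silently under load and cannot be
    authenticated, so a TCP ("@@") target, normally TLS on port 6514, is what
    a reviewer should expect to find.
    """
    targets = []
    for line in rsyslog_conf.splitlines():
        m = FORWARD_RULE.match(line)
        if m:
            targets.append({"host": m.group(2), "port": m.group(3), "tcp": m.group(1) == "@@"})
    return targets


if __name__ == "__main__":
    report = check_log_coverage(SAMPLE_LOG)
    print("missing elements:", report["missing"])
    for finding in report["findings"]:
        print(" -", finding)
    print("mirroring targets:", check_remote_mirroring(SAMPLE_RSYSLOG_CONF))
```

Run as is, it reports one unstamped entry, one credential written to the log by the web application, and no access-control-change events in the extract. On a real server, feed it the last two weeks from the mirrored copy on the log server rather than the host's own files, since a compromised host can rewrite its local log.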
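Items 30 and 31 of the checklist reduce to a small triage rule: a CVSS score of 7.0 or higher sets a deadline one business day after the announcement, anything lower goes into the routine cycle of item 8, and an advisory with no CVSS score has to be judged for remote exploitability before it can be scheduled at all. The following added example (not code from RIT's checklist or standard) implements that rule over constructed advisories. The IDs ADV-EX-00x are made up, business days are computed by skipping weekends only (public holidays are deliberately left out and are an assumption of the example), and the Access Vector is read from the CVSS v2 base vector so that a high-scored issue reachable over the network is visible in the work list.

```python
from datetime import datetime, timedelta

# Item 30 (5.5.6.1): a CVSS base score of 7.0 or higher must be remediated
# within one business day of the announcement.
CRITICAL_CVSS = 7.0

# Access Vector values of a CVSS v2 base vector ("AV:N/AC:L/Au:N/C:P/I:P/A:P").
ACCESS_VECTOR = {"N": "network", "A": "adjacent network", "L": "local"}

# Constructed advisories for the example; the IDs are made up and bear no
# relation to any real CVE or vendor bulletin.
SAMPLE_ANNOUNCEMENTS = [
    {"id": "ADV-EX-001", "cvss_score": 9.3, "cvss_vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
     "announced": datetime(2012, 9, 28, 16, 0)},   # a Friday afternoon
    {"id": "ADV-EX-002", "cvss_score": 4.6, "cvss_vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
     "announced": datetime(2012, 9, 26, 9, 0)},
    {"id": "ADV-EX-003", "cvss_score": None, "cvss_vector": None,
     "announced": datetime(2012, 9, 27, 12, 0)},   # vendor bulletin with no CVSS score
]
# Constructed time of the review run: the Tuesday after the Friday advisory.
REVIEW_TIME = datetime(2012, 10, 2, 9, 0)


def add_business_days(start, n):
    """Advance `start` by n business days. Weekends are skipped; public
    holidays are not modelled, which is an assumption of this example."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:          # Monday == 0 ... Friday == 4
            n -= 1
    return day


def attack_vector(cvss_vector):
    """Return the human-readable Access Vector of a CVSS v2 base vector."""
    metrics = dict(part.split(":", 1) for part in cvss_vector.split("/"))
    return ACCESS_VECTOR[metrics["AV"]]


def triage(vuln, now):
    """Classify one advisory per items 30 and 31 and compute its deadline."""
    result = {"id": vuln["id"], "deadline": None, "overdue": False, "remote": None}
    score = vuln.get("cvss_score")
    if vuln.get("cvss_vector"):
        result["remote"] = attack_vector(vuln["cvss_vector"]) == "network"
    if score is None:
        # Item 31 (5.5.6.3): without a score an analyst must judge remote
        # exploitability before the item can be scheduled.
        result["action"] = "evaluate for remote exploitation (item 31)"
    elif score >= CRITICAL_CVSS:
        result["deadline"] = add_business_days(vuln["announced"], 1)
        result["overdue"] = now > result["deadline"]
        result["action"] = "patch or reconfigure within one business day (item 30)"
    else:
        result["action"] = "routine patch cycle per the documented timetable (item 8)"
    return result


def triage_all(vulns, now):
    """Work list with the highest-scored advisories first; unscored ones last."""
    ordered = sorted(vulns, key=lambda v: -(v.get("cvss_score") or 0.0))
    return [triage(v, now) for v in ordered]


def sample_work_list():
    return triage_all(SAMPLE_ANNOUNCEMENTS, REVIEW_TIME)


if __name__ == "__main__":
    for item in sample_work_list():
        print(item["id"], item["action"], "deadline:", item["deadline"], "overdue:", item["overdue"])
```

The Friday-afternoon advisory illustrates why the clock matters: its one-business-day deadline falls on Monday at the same hour, so a review run on Tuesday morning already reports it overdue. The unscored bulletin produces no deadline at all until someone records the remote-exploitation judgement that item 31 asks for.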
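Item 40 (5.6.4.2 and 5.6.4.3) asks whether generic or guest accounts can still log in interactively, with service accounts excluded. On a Linux server that is a question about /etc/passwd and /etc/shadow together: the shell decides whether a login is interactive, and the shadow entry decides whether the account is locked (a leading "!" or "*" in the hash field), expired (field 8, in days since the epoch), or worst of all passwordless (an empty hash field). The following added example, not part of RIT's checklist or standard, applies those rules to constructed passwd and shadow excerpts. The list of name fragments that marks an account as "generic" is an assumption of the example and should be adjusted to local naming conventions, and the hashes in the sample are placeholders.

```python
from datetime import date

# Shells that refuse an interactive login. Anything else counts as interactive.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Name fragments treated as "generic or guest" accounts. This heuristic is an
# assumption of the example; tune it to the local naming convention.
GENERIC_NAME_HINTS = ("guest", "temp", "test", "shared", "demo", "visitor")

# Constructed /etc/passwd and /etc/shadow excerpts (hashes are placeholders).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
guest:x:1002:1002:Guest account:/home/guest:/bin/bash
labtest:x:1003:1003:Lab test login:/home/labtest:/bin/bash
qa-shared:x:1004:1004:Shared QA login:/home/qa-shared:/bin/bash
demo:x:1005:1005:Demo:/home/demo:/bin/bash
svc-backup:x:1006:1006:Backup service:/var/lib/backup:/bin/bash
tempuser:x:1007:1007:Temporary:/home/tempuser:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$saltA$hashA:15600:0:99999:7:::
daemon:*:15600:0:99999:7:::
alice:$6$saltB$hashB:15600:0:99999:7:::
guest::15600:0:99999:7:::
labtest:$6$saltC$hashC:15600:0:99999:7:::
qa-shared:!$6$saltD$hashD:15600:0:99999:7:::
demo:$6$saltE$hashE:15600:0:99999:7::15500:
svc-backup:$6$saltF$hashF:15600:0:99999:7:::
tempuser:$6$saltG$hashG:15600:0:99999:7:::
"""
REVIEW_DATE = date(2012, 9, 27)   # constructed date of the review


def parse_colon_file(text):
    """Parse passwd/shadow style text into {account: [fields]}."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def account_state(shadow_fields, today):
    """Classify a shadow entry as locked, expired, no password, or active."""
    hashed = shadow_fields[1]
    expire = shadow_fields[7] if len(shadow_fields) > 7 else ""
    if hashed.startswith(("!", "*")):
        return "locked"
    if expire and int(expire) <= (today - date(1970, 1, 1)).days:
        return "expired"
    if hashed == "":
        return "no password"
    return "active"


def find_guest_logins(passwd_text, shadow_text, today, service_accounts=()):
    """Item 40: generic or guest accounts that still permit an interactive login.

    Service accounts named by the caller are skipped, as the checklist
    excludes them from the requirement.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        shell = fields[6]
        if name in service_accounts or shell in NON_LOGIN_SHELLS:
            continue
        if not any(hint in name.lower() for hint in GENERIC_NAME_HINTS):
            continue
        state = account_state(shadow[name], today) if name in shadow else "no shadow entry"
        if state in ("active", "no password", "no shadow entry"):
            findings.append({"account": name, "shell": shell, "state": state})
    return findings


def sample_findings():
    return find_guest_logins(SAMPLE_PASSWD, SAMPLE_SHADOW, REVIEW_DATE,
                             service_accounts=("svc-backup",))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['account']}: interactive shell {f['shell']}, {f['state']}; "
              f"disable with: usermod -L -s /usr/sbin/nologin {f['account']}")
```

On the sample data the locked qa-shared account and the expired demo account pass, tempuser passes because its shell refuses logins, and two accounts fail: guest, which has no password at all, and labtest, which still has a live password. Both lock (usermod -L) and shell change (-s /usr/sbin/nologin) are needed to close an account, because a locked password still allows key-based SSH logins when an authorized_keys file is present.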