Security Assessment

screechingagendaΔίκτυα και Επικοινωνίες

26 Οκτ 2013 (πριν από 3 χρόνια και 9 μήνες)

93 εμφανίσεις

Application Security Assessment

Rev: 4/18/13


Page
1

of
9


Application

Security A
ss
essment



Department
:


Department

Contact Name
:



Dep
ar
t
ment

Contact No:


EA Assessor
:

Sharon McNeil

Review
Date:



Software:



GENERAL
QUESTION
S

Summary of Application & Use: Please describe and provide website links if available



Company website address:


Has the application been approved by a Director of ITCS for purchase?

Yes:

No:

Will this system require a laptop, workstation or server? Please specify.

_
_____________________________
_

Who is the
ECU
System Administrator for this system?
_______
__________
_____________________________

Who i
s there a
n ECU
backup System Administrator?

_________
____________
___________________________

Please explain the
software A
uthentication process:


Doe
s the application support S
hibboleth

authentication?

Yes:

No:


Does the system support Active Directory / LDAP operations?

Yes:

No:

Please explain:


Application Security Assessment

Rev: 4/18/13


Page
2

of
9


Does the application interface with any existing application?

Yes:


If yes, please list applications:

No:



Does your product support auditing?

Yes:

Please explain:

No:


Will auditing be enabled?

Yes:

If so, what will be recorded for auditing? Attach a list if needed

No:


Does the application use
:

Domain

credentials
:


Application

credentials
:


Both
:

Please ex
plain:


Does the software enable unique user IDs and passwords?

Yes:

Please explain:

No:


Are the password strength requirements configurable?

Yes:

Please explain
:

No:



Do these passwords expire periodically?

Yes:


No:



Are there

any user passwords stored within the software?

Yes:

If yes, what form of encryption is used? ___________________________________

No:


Are the stored passwords encrypted?

Yes:

If yes, w
hat is the algorithm used for the encryption?

No:

Application Security Assessment

Rev: 4/18/13


Page
3

of
9



Will any data from this system be printed?

Yes:

If yes, what happens to the printed copies?

________________________________________________

No:


Will any data from this system be copied to CD or DVD?

Yes:

No:


Will it be encrypted when copied to the CD or DVD?

Yes:

If yes, w
hat happens to the CDs or DVDs?

_________________________________________________

No:


Will data from this system be placed in the medical record?

Yes:

If yes, what technical mechanism is

used for this purpose?

No:


Is there a
Disaster Recovery/
B
usiness
C
ontinuity
P
lan

in place
if
the
laptop/workstation/server
used to access
this application were
stolen
,
no
longer functions
, or
if hosted application is unavailable
?
Yes:

No:


Please explain:


Please explain
the software’s
D
ata
B
ackup
P
rocess
:


Will this application require a server?

Yes:


If yes, can a virtual server be used?

Yes:

No:


No:



If software requires a
virtual
server, what are the approved applications to run on the server?


H
as a server
assessment been completed?

Yes:


Application Security Assessment

Rev: 4/18/13


Page
4

of
9


No:


If no,
a
request must be sent to Enterprise System Team for assessment.


If the software requires a web server, is the web server configured to use SSL version 3 and refuse connectivity
on SSL2?

(Required Response)

Yes:

No:


What
type of encryption will be used?
Algorithm: ___________________ Keyspace (Bits): ________________

What type of encryption is used fo
r data in storage: ___________________ Data in transit: ________________


Does the
software vendor
possess SAS70 or SSAE16 Audit credentials? (
Required Response
)

Yes:

If yes, please provide a copy of agreement.

No:


If data is stored locally, are there options for central storage such

as Pirate Drive?

Yes:

No:


Is remote vendor access required

for support
?

Yes:

If yes, then How? VPN

Other technology


No:


Indicate Availability:

24x7x365

8x5

Other_______


Does the
application have FAX capabilities?

Yes:

If yes, will it be used? Yes:

No:


No:

N/A:


Will FAX data remain on the system?

Yes:

No:


Will FAX data be encrypted?

Yes:

No:


Application Security Assessment

Rev: 4/18/13


Page
5

of
9


How many users will access this system?

_________________
_________________________________
______


Is data uploaded from
this system to another system?

Yes:

If yes, what type of data will be uploaded?

No:

If not, will this data remain o
n this workstation permanently?
Yes:

No:



Will data from

this workstation be backed up?

Yes:

No:

Does the application support portable devices operating systems, e.g.,
iPhone, iPad, Android,
Windows
Mobile, Blackberry, etc.?

Yes:

If so, specify: _______________________________________________________

No:




DATA

STORAGE


Will data be stored
locally (ECU)?

Yes
:

No:

If not, where will data be stored?

N/A:

(check only if there is no data to be stored)



Where will data be stored locally (at ECU)? Please list the sever name and location. _____________________



If the data will be stored locally (at ECU), will it be encrypted?

Yes:

Via what format?

No:



If the data will be stored locally (at ECU),
p
lease explain the data backup process:



Please provide a brief description of the department’s Business Continuity Plan with regard to this applic
ation:



Will data be

stored with the software vendor or
outsourced to a third party?

Software Vendor
:


Outsourced to third
-
party
:

List company name and website address:


Does the
software vendor
possess SAS70 or SSAE16

Audit credentials? (
Required Response
)

Application Security Assessment

Rev: 4/18/13


Page
6

of
9


Yes:

If yes, please provide a copy of agreement.

No:


If the
data will be stored
with the software vendor,

p
lease explain the data backup process:



Please provide a brief description of the
software vendor’s
Business Continuity Plan with regard to this
application:




If the data will be stored
with the
third
-
party vendor, p
lease explain the hosting
vendor’
s data backup process:



Please provide a brief description of the
hosting

vendor’s
Disaster Recovery /
Business Continuity Plan:



Does the
third
-
party
hosting
vendor
possess

SAS70
or SSAE16
Audit
credentials?

(
Required

Response
)

Yes:

If yes, please provide a copy of agreement.

No:


Please explain the
hosting vendor’s
data backup process for local sto
rage:


Who will own the data

stored with the hosing vendor
?


Once the contract expires, what happens to the data

stored by the hosting
vendor
?

Explain the process:


Will the data
stored by the hosting
vendor
be encrypted?


Yes:

If yes, via what format


provide brief explanation below:

No:



Can data
stored by the hosting
vendor
be
simultaneou
sly
backed up locally to ECU?

Yes:

If yes, please explain below

No:




Anti
-
Virus Software:

Application Security Assessment

Rev: 4/18/13


Page
7

of
9




Is the system compatible with Anti
-
Virus software Symantec Endpoint V.11 or above?
Yes:

No:



Can upda
tes to software and signature files be deployed when available?
Yes:

No:

Spyware/Adware/Pop
-
up blocker Software:



Is the system compatible with Spyware/Adware/Pop
-
up blocker software?
Yes
:

No:



Can updates to software and signature files be deployed when available?
Yes:

No:

Operating System Patching:



Is the vendor
-
supplied method of patching supported (e.g. Microsoft Windows Update)?
Yes:

No:




Can updates be applied when available from vendor?
Yes:

No:



Are there any supported third party products for proactive patch updates (e.g. Bigfix, Patch Link)
Yes:

No:



Does this system contain a web server?

Yes:

If yes, does it reside locally on the system?
Yes:

No:

No:


COMPLIANCE



Does the application store, transmit or access
Social Security Numbers

(
SSN
)?

Yes:

No:

If SSN data is stored, has client submitted an
SSN Use Request

and received approval by ITPC? Yes:

No:

Has this application been approved by the CIS Committee (Helpdesk Form)? Yes:

No:


Does the application store, transmit or access protected health information (
PHI
1
) protected by
HIPAA
?

Yes:

No:

If PHI data is stored, has client received Privacy approval of use of data? Yes:

No:

If
the a
pplication is vendor provided or supported, has the department submitted a Vendor Security Matrix
form to
the vendor? Yes:

No:


Does the application store, transmit or access student data protected by
FERPA
?

Yes:

No:

If

yes, please list FERPA identifiers. Example: Banner ID, SSN, etc.:

Application Security Assessment

Rev: 4/18/13


Page
8

of
9




If FERPA data is stored, has client received

approval from the Office of the Registrar?

Yes:

No:


Does the application store, transmit or access
Credit Card Data (
PCI
)
?

Yes:

No:

If PCI data is stored, has client received approval from Financial Services? Yes:

No:


Does the application store, transmit or access
H
uman
S
ubjects
R
esearch

data?

Yes:


No:

If the application stores, transmit, or accesses human subjects research data, has
IRB

approved?

Yes:


No:

NETWORKING



Does the software support external data transmission?
Yes:

No:

Please indicate the method(s)
supported?

Methods:


FTP


Fax


Email


File Copies (CD, Diskette, etc
.
)


Br
owser applications


Tape media


Other (provide details):

For externally electronically transmitted information, can the solution support encryption and data
protection?

Yes:

N
o:


Data Protection: Yes:

No:



Is network connectivity required?
Yes:

No:



Application Security Assessment

Rev: 4/18/13


Page
9

of
9


Required TCP/IP Ports Required:

TCP/IP Ports Required for Server/Clients

(All IP ports closed by default)

Port #

TCP
/
UDP

Inbound

Outbound

Function












1
PHI
-

any information about health status, provision of health care, or payment for health care that can be
linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s

medical
record or payment history.