Risk Assessment Procedure - System Server Questionnaire

Internet and Web Applications

31 Oct 2013



Technology Models

Risk Assessment Procedure - System Server Questionnaire

Contact: Valerie Adkins

1. Does the System Server have anti-virus software that detects and removes computer viruses?
   Check one: YES  NO

2. Is all System Server anti-virus software kept current by updating virus signatures at least weekly?
   Check one: YES  NO

3. Is email scanned for viruses and determined to be virus free before it is downloaded to a mail server or user desktop?
   Check one: YES  NO

4. Is imported software checked for viruses and determined to be safe before it is installed on System Servers?
   Check one: YES  NO

5. Has System Server security software been used to adequately protect the application's source and executable programs and data files?
   Check one: YES  NO

6. Does the System Server automatically scan user files for viruses before allowing the user to store files on the System Server?
   Check one: YES  NO

7. Is all software (operating system, database, application, etc.) used to support applications at current release levels and supported by the vendor?
   Check one: YES  NO

8. Are all updates (service packs, fixes, and patches) for software (operating system, database, application, device drivers, etc.) researched and applied in a timely manner when appropriate?
   Check one: YES  NO

9. Are all system changes or new releases tested using formal procedures and approved before being placed in operational use?
   Check one: YES  NO

10. Are changes to system software made by properly trained and experienced system support personnel?
    Check one: YES  NO

11. Are operating procedures documented for sensitive and critical systems?
    Check one: YES  NO

12. Are network system administrator documentation manuals (i.e. log-on, system commands, etc.) placed in a secure area when not in use?
    Check one: YES  NO

13. Is access control documentation available that describes system usage and user responsibilities?
    Check one: YES  NO

14. Is disk mirroring or RAID used to reduce the impact of a single disk failure for System Servers?
    Check one: YES  NO

15. Are backup procedures defined for System Servers?
    Check one: YES  NO

16. Are backup files/tapes stored in a secure off-site location?
    Check one: YES  NO

17. Are users responsible for their own backups?
    Check one: YES  NO

18. Does a documented procedure exist to guide users in restoring, or requesting a restore of, a backup?
    Check one: YES  NO

19. Do any users have access to the Internet from a System Server?
    Check one: YES  NO

20. Are procedures in place to protect from unauthorized Internet access?
    Check one: YES  NO

21. Are measures in place that log off workstations or servers that are left logged on to the system or network while unattended?
    Check one: YES  NO

22. Are users formally trained on using the system and applications?
    Check one: YES  NO

23. Are logical groupings, such as College, Department, etc., financial groupings, such as Information Technology, Financial, Student Records, etc., and the rules for connection, such as Security Rules, for external users (systems and network) clearly defined and regularly evaluated?
    Check one: YES  NO

24. Are CDs, tapes and disks labeled externally (on the cover) with the names of the owners of the data?
    Check one: YES  NO

25. Are CDs, tapes and disks labeled externally (on the cover) with the creation dates and an explanation of content?
    Check one: YES  NO

26. Are backup files stored on the hard drive, CDs, disks, or any other electronic media named uniquely?
    Check one: YES  NO

27. Are identifying labels placed on all System Servers, peripherals and network components?
    Check one: YES  NO

28. Is printed output which contains confidential information distributed or disposed of in such a way as to ensure confidentiality?
    Check one: YES  NO

29. Are computer storage devices (hard drives, CDs, floppies, tapes, etc.) purged of all data using software utilities or electromagnetic means before being discarded or distributed?
    Check one: YES  NO

30. Is encryption (e.g. SSLv3) used for all Web-enabled transactions that require user authentication, transfer of sensitive data, or that involve the transfer of funds?
    Check one: YES  NO

31. Do e-mail transports containing attachments with sensitive information incorporate encryption technologies (e.g., using Pretty Good Privacy (PGP))?
    Check one: YES  NO

32. Do web servers block hosts or networks that perform port scans on your network?
    Check one: YES  NO

33. Does security software prevent unauthorized personnel from deleting, changing, or adding system or application software on the System Server?
    Check one: YES  NO

34. Is the System Server which contains sensitive or critical applications secured behind locked doors and protected from unauthorized physical access?
    Check one: YES  NO

35. Are security event logs maintained for all system and network devices?
    Check one: YES  NO

36. Are security event logs analyzed, correlated, and evaluated to identify and respond to suspicious activity?
    Check one: YES  NO

37. Are all security violations detected reported to the security administrator and security staff?
    Check one: YES  NO

38. Are security event logs archived daily and removed from the associated device daily?
    Check one: YES  NO

39. Are the daily security event log archives stored at an off-site location?
    Check one: YES  NO

40. Is a security audit performed on a periodic basis by a qualified external auditing party as a supplement to internal auditing activities?
    Check one: YES  NO

41. Are System Servers used to store sensitive or critical applications adequately protected against environmental threats such as fire and water?
    Check one: YES  NO

42. Are hand-held fire extinguishers which do not damage electrical equipment (CO2 or halon) visibly located near computer equipment?
    Check one: YES  NO

43. Are System Servers used to store data and programs for sensitive or critical applications adequately protected against electrical problems (i.e. UPS, grounded power supplies, surge protectors)?
    Check one: YES  NO

44. Does your site have fire, water and burglar alarm systems to protect System Servers and other computer equipment?
    Check one: YES  NO

45. Do areas where System Servers are placed utilize proper environmental controls?
    Check one: YES  NO

46. Does the building have a viable fire detection, prevention, and suppression plan?
    Check one: YES  NO

47. Has a contingency/disaster recovery plan that conforms to the COV ITRM Standard SEC2001-01.1 been developed to ensure that System Servers can recover from potentially severe interruptions to normal processing?
    Check one: YES  NO

48. If you have responded "NO" to any of the above questions, please explain further by listing the questionnaire question number and checking the box that applies.

    Question #: ______
    Check one:
      Aware of risk, need to correct
      Aware of risk, risk is acceptable
      Not applicable

    Question #: ______
    Check one:
      Aware of risk, need to correct
      Aware of risk, risk is acceptable
      Not applicable

49. In your opinion, does this questionnaire identify all security weaknesses?
    Check one: YES  NO

    If NO, please explain:

    ______________________________________________

Staff Completing Questionnaire: ______________________________

Title: ______________________________