Critical Incident Management

Audits are generally very time consuming and require a great degree of planning and coordination before they can be successfully completed. Comprehensive audits consist of thorough review controls detailed in policies, procedures, standards, and vulnerability testing. These steps are expensive and for this reason audits are generally performed annually at best. Many organizations need to design more expedient methods by which they can assess their risks, enter the self-assessment. Self-assessments can be used as checklists helping senior managers address vulnerability elements during systems design phases and after the system goes into production, before they become findings in the next audit.

In the perfect world, application vulnerability assessments actually begin in the planning stages of the Systems Development Life Cycle. When the system design phase begins, vulnerabilities should be identified and addressed before the system goes through the acquisition and implementation phases.

Vulnerability Self-Assessment

It is important in vulnerability self-assessments that all steps document policies and procedures addressing risk-elements. It is also important that if system vulnerabilities are identified during the course of the self-assessment, they should be made part of the company's risk management and audit processes.

The following discussion is a checklist that can be used in system vulnerability self-assessment.

Hardware

• Describe the system infrastructure. Is there a diagram illustrating the topology? Is there an organizational chart reflecting job description and hardware responsibilities?

• Document and describe the data outlets for servers, workstations, printers, modems, video cameras, CSU/DSU (network interface equipment), switches, hubs, load balancing, routers, firewalls, gateways, VPN appliances, etc.

• Document and describe the cabling between the major hardware components.

• Describe the location, organization, and person responsible for the relevant hardware documentation.

• When was the date of the last hardware inventory? Was all hardware accountable? Were there any instances of unauthorized hardware installed?

• Is all hardware authorized?

• Is there a policy addressing official use of personal equipment?

• Document and describe all pertinent hardware components that have software installed with default configurations. Why?

• Document and describe access control lists, ACLs, for the firewall configurations including interior and exterior firewalls.

• Document and describe perimeter router filtering policies, rules, and enforcement.

• Document and describe the standard software installation policies and procedures for each hardware platform.

• Document workstation access measures such as: BIOS passwords, Screensaver Passwords, Tokens, Biometrics, and Smart Card requirements.

Physical Security

• Document and describe the location of fire suppression equipment.

• Document any and all equipment that is not physically secure. Why?

• Describe server and workstation boot processes. Do these equipment configurations have floppy drives (A) disabled for booting processes?

• Are there BIOS, Basic Input/Output Information System, passwords? Do workstations have screensaver passwords? Are hard drives of mobile computing devices encrypted? Does mobile equipment have antitheft devices?

• Are hard drives and removable media, containing sensitive information, secured in approved receptacles during idle periods?

• Describe safeguards protecting equipment/media from theft.

• Describe the location and safeguards of all publicly accessible equipment, including mobile units, e.g., laptops, PDAs, cellular telephones, PBX (Telephone Branch Exchange) equipment.

Emergency Power Management

• Are there sufficient resources in the form of auxiliary power generators, uninterruptible power supplies, and electrical power conditioners for all user needs?

• Is there individual hardware protection for power surges and voltage spikes?

Environmental Conditions

• Are specific environmental needs met for employees, data, and equipment?

• Are heating, air conditioning, and ventilation equipment in conformity with building and safety codes?

• Is the employee work environment safe?

Configuration Management

• Describe hardware and software configuration management. Who is responsible for configuration approval?

• Are the protected interior systems connected to systems, through modems, terminal equipment, or PBX equipment having weak security procedures?

• Are IP or IPX addresses accountable? When was the last inventory?

• Are telephone numbers accountable? When was the last inventory?

• Is information, within the organization, classified relative to its sensitivity? Does information have an owner?

• What is the means by which access is granted to information resources?

Network Protocols

• Have all nonessential network services been disabled or removed on all relevant equipment?

• Can any system be accessed by telephone, and if so, why?

• Can any system be accessed wirelessly, and if so, why?

• What security precautions have been implemented in wireless environments? Is there adequate supporting documentation?

• Are wireless security precautions adequate for the traffic?

• Are cabling cabinets/closets secured? Who has access, and why?

• Are rooms containing networking equipment secured with restricted access? Who has access, and why?

• Document all network equipment with remote configuration. Why?

• Is network equipment accessible from consoles other than those located immediately next to the equipment? Why?

• Have Web services been placed in a DMZ?

• Are interior networks protected by firewalls?

• Are sensitive interior networks partitioned by firewalls?

• In the case of sensitive information, what is the justification of having open-ended networks connected?

• Has intrusion detection technology been installed at the network and host levels?

• Is there a procedure to respond to IDS alarms?

Disaster Recovery and Business Resumption

• Have critical assets been identified and prioritized?

• Has there been a risk management program implemented? Has this risk plan been thoroughly tested in the past 12 months?

• Do employees know of shut-off procedures for water, electricity, and gas?

• Is there a business resumption program? Has it been tested in the past 12 months?

• Is there a critical incident management program?

• Is there a Critical Incident Response Team?

• Is there a business resumption plan? Has it been tested in the past 12 months?

• Are there application and network transaction logs? With what frequency are they reviewed?

Software

• Is there a list of authorized software to be installed on systems? Document authorized software lists.

• Is there a policy regarding employees authorized to install software?

• When was the last software inventory? Did this inventory include version numbers?

• Is there a policy that addresses personally owned software?

• Is there a standard configuration procedure for all authorized software installations?

• What are the procedures for remote access to network/applications/workstations?

• Are nonessential ports and services disabled?

• Has antivirus software been installed and updated? How often is it run?

• Have all applications and operating systems been updated with appropriate security patches?

• Are software licenses audited regularly? When?

• Are applications/operating systems protected by access control procedures?

• Who are the employees having access to data? Why?

• Who are the employees having access to production systems? Why?

• Who is capable of accessing production code/applications/operating systems?

• Do engineers/programmers/help desk employees have access to data? Why?

• Are there system maintenance accounts? Who has access?

• What justification is needed for user accounts?

• Are departing employees' accounts audited before exiting? Are former employees' accounts disabled appropriately?

Media

• Are media containing sensitive information appropriately secured during use and in idle periods?

• Is there a policy regarding the use of personally owned media?

• Is there a policy regarding scanning all media antivirus software?

• Are media regularly backed up with copies secured offsite?

• Is there a test of the integrity of backed-up media?

• Is backed-up media tested for systems recovery? How long do recovery steps take?

• Is printer output protected?

• Is media, containing sensitive information, appropriately labeled?

• Is there a procedure for media destruction and disposal?

• Are there efforts requiring passwords to be changed regularly, minimum length, and containing special characters and capital letters? Are passwords required for application and operating system access? Are biometrics used to grant system access? Are Tokens/Smart Cards required for system access?

• Are there documents showing that user authentication mechanisms are installed to limit system, building, and workspace access?

• Are procedures requiring employee background investigations in place? Have the professional and personal references of all employees been verified? Have the professional qualifications of all employees been verified?

• Is there appropriate separation of duties and least privilege?

Employee Security Awareness Training

• Have employees been trained relative to risks and their management?

• Is security awareness training mandatory for all employees? Are there documented attendance records?