APPENDIX G


Information System Security Checklist


The following checklist represents a generic approach for a quick assessment of an information system. You can use the checklist for large or small systems and tailor it accordingly.

       A. General information

             1. A detailed understanding of threats to the organization.

             2. A description of threats for individual locations.

             3. A list containing phone numbers for all individuals involved in the organizational information assurance.

             4. A policy document detailing how the information assurance personnel have access to the IT operations personnel.

             5. Documentation on the training of all IT operations personnel.

             6. An organization chart and documentation demonstrating the separation of duties to minimize opportunity for collusion.

             7. Documentation of an IT operations information assurance group or equivalent. This documentation should include, but not necessarily be limited to, the following:

                 a. Names, functions, and phone numbers of all members (for emergency access).

                 b. Security specialists, operations specialists, physical security specialists, auditor, facilities engineer, communications security specialists, and others with appropriate skills.

             8. Documentation for each area that demonstrates how an effective liaison has been established with local support activities in the following areas:

                 a. Plant engineering and facilities, construction, electrical, air conditioning, and site preparation

                 b. Physical security

                 c. Personnel

                 d. Safety (safety officer, fire marshal, transportation)

                 e. Records management

       B. General information assurance

             1. Documentation that each area has been designated a restricted area in accordance with current organizational policy, if appropriate

             2. Documentation of information assurance policies and procedures

             3. Documentation of internal audit efforts that determine compliance with information assurance procedures

             4. Documentation of a formal risk management program

       C. Fire risk and water damage analysis

             1. Specific site documentation for fire risk and exposure should contain, but not necessarily be limited to, the following:

                 a. The construction techniques that demonstrate the fire resistance of the building containing the system. Raised floors and ceilings, curtains, rugs, furniture, and drapes should be from noncombustible materials.

                 b. The procedures used to manage the paper and other combustible supplies for the computer facilities. In addition, this should document the control of inflammable or dangerous activities in areas surrounding the server room.

                 c. The storage of portable (magnetic) media outside the server room.

                 d. The periodic training of operators and administrators in firefighting techniques and assigned responsibilities in case of fire.

             2. Documentation that each site has appropriate fire protection.

                 a. Automated carbon dioxide. If so, do all personnel have training in the use of gas masks and other safety devices?

                 b. Halogenated agents.

                 c. Water (either wet pipe or pre-action alarm).

             3. Documentation that portable fire extinguishers are spread strategically around the area with markers visible above equipment.

             4. Documentation that power shutdown switches are accessible at points of exit. Switches should shut down the air conditioning as well.

             5. Documentation on the location of smoke detectors. Are they located in the ceiling, under raised floors, or in air return ducts? It should answer the following questions:

                 a. Will air-conditioning systems shut down on detection of smoke?

                 b. Who will perform the engineering analysis on the functioning of smoke alarms and how often?

                 c. Who tests smoke detection systems, and how often?

                 d. Who is responsible for fire drills, and how often should they occur?

             6. Documentation of subfloor cleaning and contents, if appropriate. It should include the following:

                 a. Water supplies for firefighting

                 b. Battery powered emergency/evacuation lighting

                 c. Manual alarm systems

             7. Documentation of fire alarm systems to include where they ring, who will respond, and how.

             8. Documentation of 24-hour attendance and procedures for reporting problems.

             9. Documentation of control of potential water damage that includes the following:

                 a. The elimination of overhead water and steam pipes except for sprinklers

                 b. The existence of subfloor drainage including drainage away from all hardware

                 c. The protection of electrical systems from water damage in subfloor area

                 d. The water integrity of doors, windows, and roof

                 e. The location of sheeting materials for protection of hardware components from water damage

       D. Air conditioning

             1. Documentation of the air-conditioning system should include the following:

                  a. Dedicated use of the air-conditioning system by the computer facility (not shared with other parts of the building).

                 b. The existence of fireproof ducts and filters.

                 c. Location of compressor.

                 d. Backup air conditioning availability.

                 e. Fire protection of cooling tower, if applicable.

                 f. Air intake protection with protective screening. Is it above street level?

                 g. That the air intakes prevent the uptake of pollutants or debris.

             2. Document the temperature and humidity recording and control.

       E. Electrical system

             1. The electrical system is frequently a weak link in information assurance. Workstations and mobile devices are often overlooked as a source of problems.

             2. Document electrical system reliability by showing the following:

                 a. That uninterruptible power supplies are available at those locations that require them

                 b. That motor generator systems are backed up and that there are lightning arrestors on appropriate circuits

                 c. The reliability of the commercial power supply and that it is clean power if the system relies on it

                 d. That the physical security system will continue to function even after a power failure

                 e. The backup system test frequency and results

       F. Natural disasters

             1. Document the resistance to natural disaster by showing the following:

                 a. The structural soundness and resistance to windstorms, floods, and earthquakes. This would include demonstrating that the buildings are remote from earthquake faults or earthquake proof. Show relationship to geothermal/volcanic areas.

                 b. Proper grounding of all electrical equipment for lightning protection.

       G. Backup systems

             1. Document the existence of backup systems for all critical systems at the site. This should include, but not be limited to, the following:

                  a. Fully articulated agreements for backup computers in the following areas:

                     1) The same room

                     2) Another room in the same building

                     3) A separate location including cloud providers

                 b. Benchmarks or other indicators that the backup systems can, in fact, handle the intended workload.

                 c. Copies of the contract granting access to systems and facilities owned by others.

                 d. Quarterly tests, performed to familiarize staff with procedures for using backup system.

                 e. A full security review and plan for backup system, if needed.

              2. Document a fully written contingency plan covering the following:

                 a. Individuals who are responsible for each functional area.

                 b. A current “who calls whom” list with alternates. This list should include, but not be limited to, management, emergency crews, selected users, service personnel, facilities personnel, and points of contact at backup sites.

                 c. Detailed descriptions of the criteria for determining the duration of disruptions to service.

                 d. Individual responsibilities for retaining source documents and/or data files for each application.

                 e. Individual responsibilities for the destruction or safeguarding of classified materials in the computer facility in the event the facility must be evacuated.

                 f. Individual responsibility for the purchase or lease of new or temporary computer equipment.

                 g. Individual responsibility for the acquisition of the following:

                     1) Air-conditioning equipment

                     2) Computer time/services

                     3) Additional manpower

                     4) Furnishings, cabinets, and so on

                     5) Replacement tapes and disk packs

                     6) Alternate sites and their preparation

                     7) Travel accommodations for essential personnel

                     8) Orderly transportation of computer jobs, personnel, and related materials and appropriate coordination with security

                     9) Duplication of backup files

                     10) Continuing security in the contingency mode

                 h. Document the existence of a contingency training program for all computer personnel

       H. Access control

             1. Document the access control that is unique to the computer facilities by showing the following:

                 a. That a general guard schedule provides adequate physical security in accordance with the statement of threat and a positive identification system exists for all employees

                  b. That access to computer areas is restricted to selected personnel; this would include, but not be limited to, the following:

                     1) Unescorted access to the equipment.

                     2) Files are segregated so that only specific individuals have access.

                 c. That an adequate visitor control procedure exists that includes the following:

                      1) Escort procedures

                     2) Proper training of potential escorts about their responsibilities

                     3) Personnel trained to challenge improperly identified individuals

                 d. That security and operations personnel are briefed on how to react to civil disturbances

                 e. That a good liaison program exists with local law enforcement agencies and that suitable articulation agreements are in place

                 f. That all personnel know how to handle telephone bomb threats

             2. Document that background checks and rechecks are performed on all employees.

              3. Document that policies exist to ensure that computer employees are cross-trained to cover all essential functions.

             4. Document the existence of a continuing personnel education program in computer security matters. This should include, but not be limited to, the following:

                 a. Knowledge of the provisions of organizational security policies and procedures

                 b. Personnel training of supervisors in human behavior to aid managers in identifying changes in personality and living habits of their people

                 c. Personnel training of supervisors so that they can identify possibly disgruntled employees

                  d. Personnel policies that allow for containment or immediate dismissal of employees who may constitute a threat to the installation

             5. Document that all exterior windows accessible from the ground level are covered with metal grills.

             6. Document that no one can gain access to the server area without the knowledge of a guard or another employee.

             7. Document that the facilities are manned by at least two appropriately cleared personnel at all times.

              8. Document that housekeeping standards for the computer room include the prevention of accumulation of trash in the computer area and that floors (and associated under-floor areas), equipment covers, and work surfaces are cleaned regularly.

             9. Document that waste baskets in the computer room are of metal material with closing tops and that they are dumped outside the computer area to minimize dust.

             10. Document smoking rules in the facility. If smoking is allowed, document the existence of self-extinguishing ashtrays.

       I. System utilization

             1. Document that the hardware utilization policy includes, but is not limited to, the following:

                 a. That systems comply with operations schedules.

                 b. That techniques exist for matching meter hours to operational hours. This is to ensure that the equipment is not being used for unauthorized purposes during off-duty hours.

                 c. That a regular maintenance schedule exists for hardware to ensure reliability and that maintenance personnel have appropriate security clearance.

                 d. That batch type jobs are logged and cross-checked against an authorized job list.

                 e. That spot checks of output for possible misuse of a system are done and that output distribution systems prevent an unauthorized person from receiving a confidential report.

             2. Document communications control techniques.

             3. Document the existence of emanation security (no RFI detectable outside computer facility).

       J. System operation

             1. Document that erasure and declassification procedures include the erasure and overwriting of sensitive data before the contents of that memory can be reused.

             2. Document that the necessary programs, equipment, and procedures exist for declassifying any and all computer equipment used for the processing or storing classified data on site.

             3. Document that policies exist for portable media (tapes, disks, flash drives) that require the following:

                 a. Accountability for use and cleaning frequency of portable media

                 b. Use by authorized individuals only

                 c. The orderly filing of portable media

                 d. Portable media storage (vertically and in containers) except when in use

                 e. Tape and disk pack utilization records

                 f. The frequent cleaning of tape heads to ensure data reliability

                 g. Location of the media library in an area secure from explosion or other dangers

                 h. The use of magnetic detection equipment to preclude the presence of a magnetic field near the magnetic media

                 i. Adequate protection for magnetic media while in transit between locations

             4. Document that media or devices are marked with the following:

                 a. Date of creation

                 b. Highest classification/categorization level of any information contained on the media

                 c. Downgrading or exemption instructions when placed in permanent files

                 d. A unique identifier

                 e. The classification of the system’s environment when the product was produced, if the assigned classification cannot be immediately verified by the customer

                 f. Special access restrictions

                 g. Color codes
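Items J.1 and J.2 ask for evidence that sensitive data is erased and overwritten before storage is reused. The following is an added example, not part of the checklist or of any product it describes, showing what such a procedure looks like in code: a file is overwritten with random data and then zeros, each pass is forced to the device, and the result is read back and verified rather than assumed; a second helper clears an in-memory buffer before it is released. The file contents, pass count and chunk size are constructed for the example.

```python
import os
import secrets
import tempfile

# Added example (not from the checklist): overwrite-and-verify sanitization.


def _fill(f, size, chunk_size, make_chunk):
    """Write `size` bytes produced by make_chunk(n) from the start of `f`,
    then force the data out of the OS cache onto the device."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(chunk_size, remaining)
        f.write(make_chunk(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_and_verify(path, random_passes=2, chunk_size=1 << 16):
    """Overwrite the file at `path` in place with `random_passes` passes of
    random bytes followed by one pass of zeros, then read it back and confirm
    every byte is zero and the length is unchanged. Returns True only if the
    verification succeeds; a False result means the file must not be reused."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(random_passes):
            _fill(f, size, chunk_size, secrets.token_bytes)
        _fill(f, size, chunk_size, lambda n: b"\x00" * n)
    # Verification pass: never trust that the writes landed without reading back.
    seen = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            seen += len(chunk)
            if chunk.count(0) != len(chunk):
                return False
    return seen == size


def wipe_buffer(buf):
    """Zero a mutable in-memory buffer (bytearray or writable memoryview)
    before it is released or reused. Immutable `bytes` cannot be cleared in
    place, so secrets that must be wiped should live in a bytearray."""
    view = memoryview(buf)
    view[:] = bytes(len(view))
    return all(b == 0 for b in buf)


def run_demo():
    """Constructed end-to-end run: create a file holding a fake secret, sanitize
    it, and report what the verification saw."""
    fd, path = tempfile.mkstemp()
    secret = b"PAYROLL-SECRET-" * 500  # constructed sample content
    os.write(fd, secret)
    os.close(fd)
    try:
        verified = overwrite_and_verify(path)
        with open(path, "rb") as f:
            residue = f.read()
        return {
            "verified": verified,
            "all_zero": residue == b"\x00" * len(secret),
            "size_unchanged": len(residue) == len(secret),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(run_demo())
    key = bytearray(b"hunter2")
    print("buffer wiped:", wipe_buffer(key), bytes(key))
```

In-place overwriting only gives assurance where the bytes really land on the same physical locations: on flash media with wear levelling, on copy-on-write or journaling file systems, and wherever snapshots or backups exist, the old data can survive the overwrite, which is why the checklist's declassification procedures (item J.2) normally pair overwriting with cryptographic erasure or physical destruction for media leaving control.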

       K. Software

             1. Document that software security policy includes the following:

                 a. That physical security includes backup file systems at a secondary location for both the programs and the associated documentation. Essential programs, software systems, and associated documentation of programs in the library are located in a locked vault or a secured area.

                 b. That access to the essential programs on software systems is restricted to a need-to-know basis in the prime and backup areas.

                 c. That a multilevel access control to the data files (read/write/update, block, record, field, and characters) is provided by various levels of security classification.

                 d. That periodic checks are made to validate the security software utilities and the tables of access codes.

                 e. That techniques are employed that preclude more than one user updating files at any given time, in those areas where remote access to online databases is allowed.

             2. Document the following in those areas that allow access by remote terminals:

                 a. That keyword or password protection with periodic changes of passwords is employed

                 b. That data encryption (either hardware or software) techniques are employed during the transmission of sensitive data

       L. Hardware

             1. Document that the operating systems are protected from unauthorized activity by the following:

                 a. Maintaining built-in protection to prevent the bypassing of security utilities and unauthorized access to databases by a knowledgeable information assurance professional familiar with the system

                 b. Demonstrating that memory bounds are tested following maintenance, initial program load, and each restart

                 c. Verifying vendor modifications to the operating system before being installed on the system

                 d. Verifying all local modifications to the operating system by the information assurance team or personnel designated by it

                 e. Maintaining a record of all operating system modifications until at least the next software release

                 f. Monitoring software technologists to ensure that they do not circumvent the normal access procedures by the use of special coding

             2. Document that application programs are designed to restart using internal recovery procedures.

             3. Document that all programming changes and maintenance are well controlled.

             4. Document that continuous monitoring is accomplished by showing the following:

                 a. That a log of those who access data banks or sensitive files is maintained

                 b. That there are software security routines that monitor unauthorized attempts to access portions of the system via online notification of an operator or end-of-day printout

                 c. That attempts to misuse the system are followed up in a systematic manner and according to the appropriate rules established by the IT operations leadership and information assurance leadership

             5. Document that in-house service personnel are controlled in their access to vital areas. All noncleared individuals should have special escorts while performing their tasks.

             6. Document that a list of vendor authorized service and system support personnel is maintained. Positive identification of these individuals is required so that they do not compromise security.
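Item L.4 asks for three things: a log of who touched sensitive files, software routines that notice unauthorized attempts and surface them (online or in an end-of-day printout), and systematic follow-up. The following is an added example, not code from the checklist or from any system it describes, that shows the monitoring half of that in working form: it replays a day's audit log, keeps the access record for designated sensitive files, flags repeated denials and any success by a user who is not on the authorization list, and renders the findings as an end-of-day report. The log format, the file names, the user names and the authorization table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed for this example: who is allowed to touch each sensitive file.
# These are the "data banks or sensitive files" of item L.4a.
AUTHORIZED_USERS = {
    "/data/payroll.db": {"alice", "bob"},
    "/data/hr/reviews.dat": {"carol"},
}

# Constructed audit log. Assumed line format (not a real product's format):
#   <timestamp> <user> <READ|WRITE|DELETE> <path> <OK|DENIED>
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice READ /data/payroll.db OK
2024-03-01T08:05:43 dave READ /data/payroll.db DENIED
2024-03-01T08:05:49 dave READ /data/payroll.db DENIED
2024-03-01T08:06:02 dave READ /data/payroll.db DENIED
2024-03-01T09:15:00 carol WRITE /data/hr/reviews.dat OK
2024-03-01T09:20:30 bob WRITE /data/hr/reviews.dat OK
2024-03-01T10:00:00 alice READ /tmp/scratch.txt OK
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>READ|WRITE|DELETE) "
    r"(?P<path>\S+) (?P<result>OK|DENIED)$"
)


def parse_line(line):
    """Return the event as a dict, or None when the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_log(log_text, authorized=AUTHORIZED_USERS, denial_threshold=3):
    """Replay one day's audit log.

    Returns (access_log, findings):
      access_log - every event touching a file listed in `authorized` (item 4a)
      findings   - (kind, user, path, note) tuples needing follow-up (4b, 4c)
    """
    access_log = []
    findings = []
    denials = defaultdict(int)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            # A line the monitor cannot read is itself a finding: it may be a
            # format change, a truncated record, or tampering with the log.
            findings.append(("UNPARSEABLE", "-", "-", raw.strip()))
            continue
        path, user = event["path"], event["user"]
        if path not in authorized:
            continue  # not a designated sensitive file; nothing to record
        access_log.append(event)
        if event["result"] == "DENIED":
            denials[(user, path)] += 1
            if denials[(user, path)] == denial_threshold:
                findings.append(("REPEATED_DENIALS", user, path,
                                 f"{denial_threshold} denied attempts"))
        elif user not in authorized[path]:
            # The system let an unlisted user through: either the access table
            # is stale or enforcement failed. Both need follow-up (item 4c).
            findings.append(("UNAUTHORIZED_SUCCESS", user, path,
                             f"{event['action']} succeeded"))
    return access_log, findings


def end_of_day_report(findings):
    """Render the findings as the end-of-day printout of item 4b."""
    if not findings:
        return "No security findings.\n"
    lines = ["End-of-day security findings:"]
    for kind, user, path, note in findings:
        lines.append(f"  [{kind}] user={user} path={path} ({note})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    log, found = review_log(SAMPLE_LOG)
    print(f"{len(log)} accesses to sensitive files recorded")
    print(end_of_day_report(found))
```

The same `review_log` routine can run continuously, feeding each finding to an operator as it occurs, or once a day over the full log; what matters for the checklist is that the access record is kept for every sensitive file regardless of outcome, and that a successful access by someone outside the authorization table is treated as a control failure rather than ignored because the system said "OK".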

       M. Information security

             1. Document that online and offline sensitive information is as follows:

                 a. Protected by copies being maintained in a separate building from the original

                 b. Stored in low fire-hazard containers

                 c. Documented in a current inventory of the files

             2. Document that system backup dry-runs are attempted on a regular (quarterly) basis and that the backups contain programs currently under development.

             3. Document that program changes are controlled and recorded and that changes are made only to a reproduced version of the original program file with the original left intact.

             4. Document that computer operations staff review systems documentation on a regular basis to ensure compliance with operational standards.

             5. Document that minimum documentation standards are met throughout all operational sections. Documentation should include, but not be limited to, the following:

                 a. Detailed production specifications

                 b. A comprehensive narrative description of the function of the program

                 c. Detailed logic or flowcharts following established industry standards

                 d. Current program listings

                 e. Input and output formats

                 f. Output samples

                 g. User documentation

                 h. Copies of test data used to generate output samples following the procedures in the user documentation

                 i. Explanations of codes, tables, calculations, and other details unique to the particular program

                 j. Explanations of all error messages and program halts

                 k. Procedures for handling rejected records

                 l. File sequence descriptions

                 m. Control and balancing instructions

             6. Document that duplicates of all documentation are stored in low fire-hazard storage equipment in a separate building from the original.

             7. Document that the documentation is inventoried at least annually and that the backups are reviewed periodically to ensure that the documentation package is current.

             8. Document that changes in programs and documentation are coordinated and approved by the cognizant areas and that these changes are reviewed by the internal auditor.

       N. Data standards

             1. Document that there is a retention cycle for all data files for all applications. This retention cycle review should include the following:

                 a. Certification that the data and documentation retention cycles are coordinated with the data reconstruction procedures

                 b. Review by the user for compliance

                 c. Certification that the data files are maintained within and under the control of the organization rather than the user

                 d. Certification that all files are properly classified in terms of degree of sensitivity and value to the organization

             2. Document that the data files are kept in the following locations:

                 a. An area other than the computer room

                 b. A fire protected area

                 c. An access-controlled area

                 d. Low fire-hazard storage containers

             3. Document dry-runs of the data security system that are performed periodically to ensure compliance with standard procedures.

             4. Document that the staff members understand and comply with the legal requirements for file retention and that they understand the relative value of the programs and applications.

             5. Document that an overall audit control philosophy relating to computer systems assets exists. This philosophy should include the following:

                 a. System usage and production controls

                 b. Control of user input to ensure receipt of all data

                 c. Monitoring of output to meet established standards

                 d. Error reporting and follow-up procedures

                 e. Control of program changes

                 f. Certification that all program options have been tested

                 g. Certification that program conversions provide similar results and do not disrupt production continuity

                 h. A policy detailing the separation of duties

                 i. Policies for both hardware and software backups

                 j. The auditability of the system

                 k. A policy of auditor involvement during the development cycle

       O. Shared resource (cloud) systems security

              1. Document that for resource-sharing systems physical separation exists between tenants. Access to the shared resources may be controlled by one or more of the following:

                 a. Locked doors

                 b. Posted guards

                 c. Other approved restraints

             2. Document that workstations are located such that each user’s privacy is ensured.

             3. Document the use of authenticators (passwords, tokens) and the following about them:

                 a. That they are tamper-proof

                 b. That they are linked to individuals and locations

                 c. That they are combined with physical keys

                 d. That the ability to change passwords is closely controlled

             4. Document that systems software restricts a given individual to specific data files. This access should control the right to add, delete, or modify files.

             5. Document that the system maintains accurate records of all activity against each data file and that security override procedures are closely monitored.

             6. Document the procedures used to monitor the changes to the operating and security systems.
