Application domain

The following is the domain checklist:

  • Are the available possibilities to restrict access to the system software, documents, and datasets utilized as well as possible?
  • Within the security access, is separate functionality distinguished for identification, authentication, authorization, logging, and reporting?
  • When granting authorization, is it possible to distinguish between the responsibilities for input, processing, correction, and checking?
  • When granting authorization, is it possible to distinguish between input, change, query, and removal of data?
  • Have the requirements for (logical) security access with external data communication been considered?
  • Will the users maintain their own passwords and are they responsible for the use of their user-IDs and passwords?
  • Does a (technical) procedure exist for the changing of passwords periodically?
  • Does the system enforce the use of 'strong' passwords (minimum length, and not only lower-case letters but also upper-case letters, numbers, or special characters)?
  • Is there a restriction on the number of possible attempts to log in?
  • Are passwords entered and stored in such a way that third parties cannot read them?
  • Can the security access be bypassed by the use of query languages?
  • Will unsuccessful attempts to use the system be logged?
  • Have measures been taken to restrict the period of unattended access to the terminal (that is, automatic log-off)?
  • Is a specific application present and in use for security?
  • Will the memory be cleared after processing?
  • Are the subsystems distributed?
  • Will the data processing be done dually?
  • Does the infrastructure architecture cover backups, storage, databases, servers, hardware, and licensing?
  • Does it address various considerations around the SDLC environment; for example, development, staging, pre-production, and production?
  • Is the security architecture defined and described?
  • Does the security architecture cover identification and authorization, SSO, audit trail, and logging?
  • Is the authentication, authorization, and identification mechanism described as it applies to the various applications, systems, and users?
  • Does the Security Architecture cover users, systems, and network aspects?
  • Have you addressed each threat identified in the threat model to the extent required?
  • Have you used as much third-party security technology as possible?
  • Have you produced an integrated overall design for the security solution?
  • Have you considered all standard security principles when designing your security infrastructure?
  • Is your security infrastructure as simple as possible?
  • Have you defined how security breaches will be identified and how to recover from breaches?
  • Have you applied the results of the security perspective to all of the affected views?
  • Have external experts reviewed your security design?
  • Will backups be made automatically?
  • Have check processes (watchdogs) been applied?
  • Is the input, the output and the processing implemented separately?
  • Is the operator able to supply status information?
  • Has the consistency of data been ensured by use of checkpoint/restart utilities?
  • Have national, international, or company standards been used, for instance for the exchange of data via networks (OSI, TCP/IP, XML), for applications in the IBM environment (SAA), or a standard programming language?
  • Has a standard machine interface been used?
  • Are the routine actions built into the interface consistent?
  • Is there a description of the user applications and standard modules (including version numbers) required at installation?
  • Have standards for nomenclature been used?
  • Is it possible to perform each function (including the non-logical) at least once?
  • Are the programs parameterized?
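The password and access-control items above (strong passwords, unreadable password storage, a limit on login attempts, logging of failed attempts, and automatic log-off) can be checked concretely in code. The following is an added example, not from the book; the policy values (12-character minimum, 5 attempts, 600-second idle timeout) and the `Account` model are assumptions chosen for illustration.

```python
import hashlib, hmac, logging, os, time
from dataclasses import dataclass, field

# Policy values are assumed for the example; the checklist itself gives no numbers.
MIN_LENGTH = 12
MAX_ATTEMPTS = 5
IDLE_TIMEOUT_S = 600
LOG = logging.getLogger("access")

def is_strong(password):
    """Strong-password item: minimum length plus lower, upper, digit and special chars."""
    return len(password) >= MIN_LENGTH and all([
        any(c.islower() for c in password), any(c.isupper() for c in password),
        any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])

def hash_password(password, salt=None):
    """Storage item: keep only a salted PBKDF2 digest, never the clear-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False
    last_activity: float = field(default_factory=time.monotonic)

def create_account(user_id, password):
    if not is_strong(password):
        raise ValueError("password does not meet policy")
    return Account(user_id, *hash_password(password))

def login(acct, password, now=None):
    """Attempt-limit and logging items: lock after MAX_ATTEMPTS, log every failure."""
    now = time.monotonic() if now is None else now
    if acct.locked:
        LOG.warning("login refused: account %s is locked", acct.user_id)
        return False
    if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
        acct.failures, acct.last_activity = 0, now
        return True
    acct.failures += 1
    acct.locked = acct.failures >= MAX_ATTEMPTS
    LOG.warning("failed login for %s (attempt %d, locked=%s)", acct.user_id, acct.failures, acct.locked)
    return False

def session_expired(acct, now):
    """Automatic log-off item: the session is over after IDLE_TIMEOUT_S without activity."""
    return now - acct.last_activity > IDLE_TIMEOUT_S
```

The `now` parameter lets a reviewer drive the lockout and idle-timeout logic deterministically in a test instead of waiting on wall-clock time.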