The following is the domain checklist:
- Are the available options for restricting access to system software, documents, and datasets used to the fullest extent possible?
- Within access security, is functionality for identification, authentication, authorization, logging, and reporting distinguished?
- When granting authorization, is it possible to separate the responsibilities for input, processing, correction, and checking?
- When granting authorization, is it possible to distinguish between input, change, query, and removal of data?
- Have the requirements for (logical) access security in the case of external data communication been considered?
- Do users maintain their own passwords, and are they responsible for the use of their user IDs and passwords?
- Does a (technical) procedure exist for changing passwords periodically?
- Does the system enforce the use of 'strong' passwords (minimum length; not only lower-case letters but also upper-case letters, numbers, or special characters)?
- Is there a limit on the number of login attempts?
- Are passwords entered and stored in such a way that third parties cannot read them?
- Can access security be circumvented through the use of query languages?
- Are unsuccessful access attempts logged?
- Have measures been taken to restrict the period of unattended access to a terminal (that is, automatic log-off)?
- Is a specific security application present and in use?
- Is memory cleared after processing?
- Are the subsystems distributed?
- Is data processing performed redundantly (dual processing)?
- Does the infrastructure architecture cover backups, storage, databases, servers, hardware, and licensing?
- Does it address the various considerations around SDLC environments; for example, development, staging, pre-production, and production?
- Is the security architecture defined and described?
- Does the security architecture cover identification and authorization, SSO, audit trail, and logging?
- Are the authentication, authorization, and identification mechanisms described as they apply to the various applications, systems, and users?
- Does the security architecture cover user, system, and network aspects?
- Have you addressed each threat identified in the threat model to the extent required?
- Have you used as much third-party security technology as possible?
- Have you produced an integrated overall design for the security solution?
- Have you considered all standard security principles when designing your security infrastructure?
- Is your security infrastructure as simple as possible?
- Have you defined how security breaches will be identified and how to recover from breaches?
- Have you applied the results of the security perspective to all of the affected views?
- Have external experts reviewed your security design?
- Will backups be made automatically?
- Have check processes (watchdogs) been applied?
- Are input, output, and processing implemented separately?
- Is the operator able to supply status information?
- Has data consistency been ensured by the use of checkpoint/restart utilities?
- Have national, international, or company standards been used, for instance for the exchange of data via networks (OSI, TCP/IP, XML), for applications in the IBM environment (SAA), or a standard programming language?
- Has a standard machine interface been used?
- Are the routine actions built into the interface consistent?
- Is there a description of the user applications and standard modules (including version numbers) required at installation?
- Have standards for nomenclature been used?
- Is it possible to perform each function (including the non-logical ones) at least once?
- Are the programs parameterized?