INFORMATION SYSTEMS SECURITY QUESTIONNAIRE
Table of Contents
Data Classification
Physical Security
Logical Security
Password Security
Operating System and Software Security
Backup and Operations Continuation Plan
In addition to this abbreviated questionnaire, the full audit questionnaire is available as an MS Word document, which can be opened in your word processing software.
Data Classification
1. What is considered sensitive data?
Sensitive data is protected by legal, administrative, or contractual requirements. Some examples of sensitive data include personal health information, social security numbers, credit card data, or contractually restricted data. In some cases there are alternatives to storing critical data on your network.
2. Should sensitive data be encrypted?
Ideal Answer: YES. Data stored in a file or transmitted across a network is vulnerable to disclosure. There are several encryption technologies that can be used to protect this data.
Physical Security
1. Is the server protected from environmental damage (fire, water, etc.)?
Ideal Answer: YES. All servers must be housed in such a way as to protect against fire, water, and other environmental hazards. For example, server rooms should have adequate air conditioning, be located away from potential flooding, and be in close proximity to a chemical fire extinguisher.
2. Is access to server, hubs and routers, and wiring areas adequately controlled?
Ideal Answer: YES. Servers, hubs, routers, and wiring areas should only be accessible to authorized personnel to reduce the risk of intrusion.
3. Is the server also used as a PC/Workstation?
Ideal Answer: NO. A server should not be used for dual purposes. There's a high risk of accidental loss of data if a server is used for dual purposes.
4. Are there adequate door locks or access cards to prevent access to server facilities?
Ideal Answer: YES. The level of physical security will depend on the sensitivity of the data. However, at minimum this should include durable doors and locks. More stringent access card systems may be required if sensitive data is stored.
5. If some workstations are used to display sensitive information, are these workstations located in areas that will not allow unauthorized viewing of the information?
Ideal Answer: YES. It is important to strategically locate workstations in a way that prevents unauthorized individuals from viewing sensitive information.
Logical Security
1. Administrator Accounts and Access
A. Do only those individuals that have administrative responsibilities for the network have "administrator" rights and privileges to the system?
Ideal Answer: YES. Only those employees who are responsible for maintenance on the system should have "administrator" privileges. As a general rule, "administrator" status is limited to the primary support person and a backup.
B. Do administrators have a second account on the server/LAN for day-to-day activities?
Ideal Answer: YES. Administrators should have at least one separate common account for their day-to-day activities (e.g. email, calendar, applications, etc.). This will prevent unnecessary contact with the server under the "administrator" account and reduce the risk of accidental loss of data.
2. User accounts and access
A. Are there established procedures in place to authorize users to access the system and applications?
Ideal Answer: YES. A written authorization form must be completed, reviewed, and approved by the application owner before a user is given access.
B. Do you periodically verify your authorized user lists?
Ideal Answer: YES. The administrator and personnel should review authorized user lists at least quarterly.
C. Are users informed of their rights and responsibilities regarding the computers, data and data security, passwords, and copyrights?
Ideal Answer: YES. A written policy outlining user rights and responsibilities, security, confidentiality, etc. must be presented, reviewed, and signed by the user at the time of authorization. In the event of abuse, a signed statement is evidence that an individual was made aware of the rules and responsibilities that go with data access. The campus acceptable use policy can be modified on a department basis.
D. Do you promptly cancel user access for individuals who have been terminated or assigned other duties?
Ideal Answer: YES. Once an employee has been terminated or assigned other duties, a personnel procedure should trigger a notification to the administrator to delete or change that user's access.
Password Security
1. Are passwords non-printing, non-displaying, or keyed onto obliterated spaces?
Ideal Answer: YES. This reduces the risk of stolen passwords.
2. Should complex passwords be required?
Ideal Answer: YES. A complex password reduces the risk that unauthorized individuals will be able to crack the password. There are multiple “brute force” programs available that will randomly attempt to guess passwords. A complex password should consist of upper and lower case letters, numbers, and special characters.
3. Is the minimum length of passwords at least 8 characters?
Ideal Answer: YES. A password should consist of at least 8 characters.
4. Are passwords periodically changed?
Ideal Answer: YES. All passwords must be changed on a periodic basis to prevent others from cracking passwords and using them without permission. The frequency of a required password change should be based upon the sensitivity of the data and the level of user authorization (e.g. "supervisor").
5. Are group logon I.D.'s utilized?
Ideal Answer: NO. The use of a group logon I.D. makes it impossible to assign responsibility to an individual for any action assignable to that I.D.
6. Are there controls over duplicate logons (duplicate logons are those that allow a user to log in to multiple workstations at the same time)?
Ideal Answer: YES. While some departments or labs find duplicate logons beneficial for functionality, they increase the risk of unauthorized users being logged on without detection. Ideally, a control should be in place to limit each user I.D. to one logon at any given time.
7. Is there automatic user sign-off/log-off?
Ideal Answer: YES. All servers and user machines should automatically log the user off a secured system after a specific time of inactivity has elapsed. If a user leaves an unattended workstation while logged-on, anyone with access to the workstation could cause serious damage to the system or data.
8. Is a user locked out after a set number of failed log-on attempts?
Ideal Answer: YES. Controls should be in place to lock out a user after a set number of failed log-on attempts. As a general practice, only three attempts are allowed. This control reduces the risk of hackers using a computer program for repeated attempts to gain access.
9. After getting locked out by failing consecutive log-on attempts to the system, is the administrator required to re-authorize access?
Ideal Answer: YES. This control provides better security than an automatic "time-out" reset, and provides more timely access to the user. There are several standards that require the administrator to reset a password after a number of failed logon attempts if sensitive data is stored on the network.
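The three controls above (one logon per user I.D., lockout after three failed attempts, and administrator re-authorization rather than a time-out reset) as a small logon gate in Python. This is an added illustration, not part of the questionnaire; the AuthController class, its return codes and the in-memory account store are assumptions.

```python
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3  # questionnaire: "only three attempts are allowed"

@dataclass
class Account:
    salt: bytes                   # only a salted hash of the password is kept
    digest: bytes
    failed_attempts: int = 0      # reaching MAX_FAILED_ATTEMPTS locks the account
    active_session: str = ""      # workstation currently logged on, "" if none

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthController:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}   # hypothetical in-memory store

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = Account(salt=salt, digest=_hash(password, salt))

    def is_locked(self, user: str) -> bool:
        return self._accounts[user].failed_attempts >= MAX_FAILED_ATTEMPTS

    def logon(self, user: str, password: str, workstation: str) -> str:
        """Return 'ok', 'denied', 'locked' or 'duplicate'."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"                 # same reply as a wrong password
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"                 # Q9: no time-out reset; admin_reset only
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts += 1       # Q8: count consecutive failures
            return "locked" if acct.failed_attempts >= MAX_FAILED_ATTEMPTS else "denied"
        if acct.active_session not in ("", workstation):
            return "duplicate"              # Q6: one logon per user I.D. at a time
        acct.failed_attempts = 0
        acct.active_session = workstation
        return "ok"

    def logoff(self, user: str) -> None:
        self._accounts[user].active_session = ""

    def admin_reset(self, user: str, new_password: str) -> None:
        """Administrator re-authorizes the account and issues a new password (Q9)."""
        self.add_user(user, new_password)   # fresh salt and hash; counter cleared
```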
10. Are passwords encrypted during transmission from the workstations to the servers and communications outside your network?
Ideal Answer: YES. Password encryption for all transmissions is critical in reducing security exposures. By encrypting transmissions, you reduce the risk of an outsider intercepting the traffic and gaining access to sensitive information on your server.
Operating System and Software Security
1. Should security patches and vendor-supplied fixes be kept up to date?
Ideal Answer: YES. It is imperative that vendor-supplied fixes (patches) be applied in a reasonable time to protect against system compromise. Inadequate patching is a leading cause of security breaches. Critical patches should be applied within a couple of days, if not sooner. Certain operating systems (Windows 95, 98, ME, NT4) are no longer supported or were not designed with enterprise-level security controls. These operating systems should not be used.
2. Should unused or unneeded services and software be removed?
Ideal Answer: YES. Every service and piece of software installed on a system is a possible entry point for crackers.
3. Are there insecure software and systems that should be avoided?
Ideal Answer: YES. Communication protocols such as telnet and FTP transmit information across the network in clear text, making it possible for attackers to intercept the transmission. These technologies should be replaced by SSH, SFTP, or Kerberos.
4. Do you have a memory resident virus protection program on your computers, and is it periodically updated?
Ideal Answer: YES. All computers must have a memory resident virus protection program loaded and updated on a periodic basis. These programs help prevent your computer from getting infected with a destructive computer virus.
5. Should vulnerability scanning be run on network machines?
Ideal Answer: YES. Computer hackers and crackers are already running these scans on open networks looking for vulnerabilities. Running these scans yourself is a proactive way to identify potential weaknesses. Ideally these scans should be run behind your firewall to identify missing patches and other potential threats. The Division of Information Technology provides several free scanning tools at http://www.doit.wisc.edu/restricted/security/scanning/centralized .
6. Does your division/department have a software use policy for users? A software use policy is one in which the users are informed that they are only to use authorized software installed on their workstation. This policy includes a statement on what to do if the user has software (demos, trial versions, freeware, shareware, etc.) that they want to use on their workstation.
Ideal Answer: YES. All divisions/departments must have a software use policy, to provide guidance to users in areas of appropriate use, computer responsibility, foreign software, security, etc.
7. Protection of software copyrights
A. Is a software inventory maintained and periodically updated?
Ideal Answer: YES. A periodic software inventory is vital in identifying any unauthorized or missing software. Maintenance of this inventory is essential in documenting authorized software additions, upgrades, or deletions.
B. Is there an established procedure to ensure compliance with licensing agreements?
Ideal Answer: YES. A control must be in place to ensure no unauthorized licensing agreements are entered into without proper approval. The administrator's co-signature on all hardware/software purchases would reduce the risk of unauthorized agreements.
8. Are access violations and logs reviewed on a periodic basis?
Ideal Answer: YES. The administrator should review the access violation logs for suspicious activity. This includes both successful and unsuccessful attempts and the locations they came from. Reviewing these logs on a regular basis can alert the administrator to possible hacking attempts so that they can react accordingly.
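An added illustration (not part of the questionnaire) of the review described above: a script that parses constructed access-log lines and flags repeated failures, a success following repeated failures, after-hours logons, and one user I.D. logged on from several locations. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2004-03-01 08:02:11 LOGON user=jsmith result=SUCCESS location=room-210-ws04
2004-03-01 08:05:40 LOGON user=admin result=FAILURE location=lab-3-ws12
2004-03-01 08:05:52 LOGON user=admin result=FAILURE location=lab-3-ws12
2004-03-01 08:06:03 LOGON user=admin result=FAILURE location=lab-3-ws12
2004-03-01 08:06:20 LOGON user=admin result=SUCCESS location=lab-3-ws12
2004-03-01 09:15:00 LOGON user=jsmith result=SUCCESS location=lab-3-ws07
2004-03-01 23:41:09 LOGON user=mlee result=SUCCESS location=room-210-ws02
"""

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) LOGON user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) location=(?P<location>\S+)"
)

def parse(log: str) -> list[dict]:
    matches = (LINE_RE.match(line) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]   # lines in other formats are skipped

def review(log: str, failure_threshold: int = 3, business_hours=(7, 19)) -> list[str]:
    """Findings for the periodic review: repeated failures, success after
    failures, after-hours logons and one user I.D. seen at several locations."""
    findings = []
    streak = defaultdict(int)       # consecutive failures per user I.D.
    locations = defaultdict(set)    # locations each user I.D. logged on from
    for e in parse(log):
        user, loc, when = e["user"], e["location"], e["time"]
        if e["result"] == "FAILURE":
            streak[user] += 1
            if streak[user] == failure_threshold:
                findings.append(f"{failure_threshold} consecutive failures for {user} from {loc}")
            continue
        if streak[user] >= failure_threshold:   # a guessed password looks like this
            findings.append(f"success for {user} from {loc} after {streak[user]} failures")
        streak[user] = 0
        locations[user].add(loc)
        if not business_hours[0] <= int(when[:2]) < business_hours[1]:
            findings.append(f"after-hours logon by {user} from {loc} at {when}")
    for user, locs in locations.items():
        if len(locs) > 1:                       # relates to the duplicate-logon control
            findings.append(f"{user} logged on from {len(locs)} locations: {', '.join(sorted(locs))}")
    return findings
```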
Backup and Operations Continuation Plan
1. Are backups of data performed regularly?
Ideal Answer: YES. Full backups should be routinely performed based upon the data volume and the difficulty of data reconstruction. In general, nightly backups minimize the risk of data loss. This routine control prevents loss of data if a temporary interruption should occur.
2. Are backups of departmentally authored programs performed?
Ideal Answer: YES. Non-commercial program backups should also be periodically performed.
3. If backups are being performed:
A. Do you have written backup procedures for programs and/or data?
Ideal Answer: YES. These routine backup procedures should be documented and easily accessible to employees in the event of a temporary interruption or staffing changes.
B. Is a copy of backup media maintained offsite for programs and/or data?
Ideal Answer: YES. An offsite (secondary) location must be used for backup media storage. In the event of a fire, natural disaster, vandalism or theft at the primary business location, this will prevent loss of both on-line and backup data. A copy of your backup procedures should be kept offsite as well.
C. Are backup copies, which are maintained offsite and at the primary office, protected against unauthorized access?
Ideal Answer: YES. As with data stored at the primary office location, offsite backups should be protected against unauthorized users.
D. Has the use of backup files been tested?
Ideal Answer: YES. Backup files aren't worth maintaining if they cannot restore the original data. Testing the backup files will ensure backup file integrity should the primary files get destroyed.
4. Do you have an operations continuation plan?
Ideal Answer: YES. All computer operations must have a continuation plan. This plan should be in writing so it is available to staff in the event of an emergency. In addition, training in the execution of the plan should be included and practiced.
