|  | Response | Please provide details or comments |
|---|---|---|
| Security Policy |  |  |
| 1. Is there a current, documented corporate IT security policy covering all systems (internal, external, web sites, PBX, etc.)? | Yes / No / N/A |  |
| 2. Does the policy explicitly define "acceptable use" of all company resources and of the internet, and are employees and contractors required to sign acknowledgements of the policy? | Yes / No / N/A |  |
| 3. Does the security policy specify the security responsibilities of managers and employees? | Yes / No / N/A |  |
| Asset Classification and Control |  |  |
| 4. Is there an inventory of all business-critical information and IT assets? | Yes / No / N/A |  |
| 5. Does your company have a formal privacy policy that has been approved by legal counsel? | Yes / No / N/A |  |
| 6. Does your IT infrastructure support proper compliance with your privacy policy? | Yes / No / N/A |  |
| 7. Has the privacy policy been made available to all employees and to the general public? | Yes / No / N/A |  |
| Personnel Security |  |  |
| 8. Are employees, consultants and contract personnel informed about the proper process for reporting suspected security incidents? | Yes / No / N/A |  |
| 9. As part of the hiring/contracting process, are applicants for system administration, security administration, sensitive programming, and other positions requiring high-level access to mission-critical systems subject to background checks with law enforcement authorities (and government agencies if warranted)? | Yes / No / N/A |  |
| 10. Are contractors with access to production systems required to be bonded and insured? | Yes / No / N/A |  |
| 11. Are there specific processes to control physical, logical on-site, and remote access by all third-party contractors? | Yes / No / N/A |  |
| Computer and Network Management |  |  |
| 12. Are firewalls used to prevent unauthorized access on all connections from internal networks and systems to external networks, such as vendors' systems or the internet? | Yes / No / N/A |  |
| 13. Are the firewalls configured to explicitly allow authorized traffic and deny all other traffic in both directions by default? | Yes / No / N/A |  |
| 14. Are remote users authenticated before being allowed to connect to internal networks and systems? | Yes / No / N/A |  |
| 15. Are there documented operating procedures for the security requirements and access control of all networks, mission-critical systems and the components that control access to them (e.g. firewalls, routers, web servers, application servers, etc.)? | Yes / No / N/A |  |
| 16. Is there enforced separation of duties in all critical process steps for all sensitive operations? | Yes / No / N/A |  |
| 17. Is all sensitive information encrypted when it is transmitted over any external network? | Yes / No / N/A |  |
| 18. Are anti-virus procedures used on desktops and mission-critical servers? | Yes / No / N/A |  |
| 19. Are backup and recovery procedures documented for all mission-critical systems? | Yes / No / N/A |  |
| 20. Are backups taken at least once per week and secured off site? | Yes / No / N/A |  |
| 21. Are recovery procedures tested at least quarterly? | Yes / No / N/A |  |
| 22. Is removable media containing sensitive information properly labeled and protected against unauthorized access at all times? | Yes / No / N/A |  |
| 23. Are Computer Emergency Response Team (C.E.R.T.) and vendor advisories related to security problems monitored and applied as soon as possible to all affected systems (e.g. software vulnerability patches, antivirus updates, etc.)? | Yes / No / N/A |  |
| 24. Is there a system management program in place that monitors networks for intrusions and other irregularities and immediately notifies management (via pager, etc.)? | Yes / No / N/A |  |
| System Access Controls |  |  |
| 25. Are customers and other external users authenticated through the use of PINs, passwords or digital certificates? | Yes / No / N/A |  |
| 26. If you have an externally accessible web server, are access controls implemented for the files and directories stored on that web server? | Yes / No / N/A |  |
| 27. Are all access controls monitored for compliance? | Yes / No / N/A |  |
| 28. Are passwords required to be changed at least every 2 months? | Yes / No / N/A |  |
| 29. Are special privileges restricted to primary and backup systems administration personnel and to individuals with an approved need for these privileges? | Yes / No / N/A |  |
| 30. Do authorized individuals use their privileged accounts only for the tasks for which they are needed, and their unprivileged accounts for all other normal business activities? | Yes / No / N/A |  |
| 31. Are procedures in place to ensure that the passwords and privileges of terminated employees and contractors are immediately revoked? | Yes / No / N/A |  |
| 32. Are all IT equipment and terminals located in areas protected from unauthorized access? | Yes / No / N/A |  |
| System Development and Maintenance |  |  |
| 33. Are there security controls in the development, test and service processes? | Yes / No / N/A |  |
| Business Continuity Planning |  |  |
| 34. Are continuity plans in place for all mission-critical business processes, including those provided by third parties? | Yes / No / N/A |  |
| 35. Are business continuity plans tested at least annually? | Yes / No / N/A |  |
| 36. Are there fault-tolerant or redundant components controlling access between the company's trusted systems and all external networks (e.g. firewalls, routers, web servers, application servers, etc.)? | Yes / No / N/A |  |
| 37. Are software audit tools in place to detect unauthorized access and unauthorized changes to or removal of data, to assist in post-mortem analysis and system corrections? | Yes / No / N/A |  |
| Security Compliance |  |  |
| 38. Are all security-relevant actions on all systems logged? | Yes / No / N/A |  |
| 39. Are security logs reviewed at least daily for suspicious activity? | Yes / No / N/A |  |
| 40. Are the employees designated to respond to suspected intrusions trained in the handling of forensic evidence, law enforcement involvement and press relations? | Yes / No / N/A |  |
| 41. Are there regular security reviews of IT systems by internal audit personnel or a trusted third party? | Yes / No / N/A |  |
| 42. Are there documented incident management processes for responding to suspected intrusions detected on any component controlling access between the company's trusted systems and all external networks (e.g. firewalls, routers, web servers, application servers, etc.)? | Yes / No / N/A |  |
| 43. Are comprehensive penetration tests conducted at least once a month to verify the security of the company's perimeter network controls (e.g. firewalls, external routers, remote access servers, etc.)? | Yes / No / N/A |  |
| Wireless Applications |  |  |
| 44. Does your organization follow the IEEE 802 standards for your wireless networks? | Yes / No / N/A |  |
| 45. Does your organization use only IP Security (IPsec) VPNs (Virtual Private Networks)? | Yes / No / N/A |  |
| 46. Are wireless transmissions encrypted with at least 128-bit WEP? | Yes / No / N/A |  |
| 47. Are your WLANs (wireless LANs) installed outside the firewall? | Yes / No / N/A |  |
| 48. Have the default security features of the products used to build your wireless network been activated? | Yes / No / N/A |  |
| 49. Have you changed the default key on your WLANs? | Yes / No / N/A |  |
| 50. Do you restrict knowledge of the new key to an "absolute need to know" basis? | Yes / No / N/A |  |
| 51. Are keys changed immediately upon learning of a lost or stolen laptop? | Yes / No / N/A |  |
| 52. Are there regular WLAN audits to detect rogue WLAN connections? | Yes / No / N/A |  |
| 53. Do you define and distribute security policies on WLANs and educate your employees on the risks associated with wireless networking? | Yes / No / N/A |  |
| Intellectual Property/Content Injury Exposures |  |  |
| 54. Has legal counsel checked that your domain name does not infringe upon another's trademark? | Yes / No / N/A |  |
| 55. Is material belonging to others (e.g. content, videos, graphics, music, metatags, etc.) used in the web site? If "yes," has the applicant obtained the written right to use this material in each case? | Yes / No / N/A |  |
| 56. Is there a review process in place to screen the content of the web site? | Yes / No / N/A |  |
| 57. Does the web site review process include review by a qualified attorney for possible libel, slander, trademark infringement, invasion of privacy, copyright infringement, inaccurate information or trade secrets? | Yes / No / N/A |  |
| 58. Do new engineering, research or development employees and "work-for-hire" contractors sign a statement to the effect that they will not distribute or use previous employers' or clients' trade secrets? | Yes / No / N/A |  |
| 59. Do agreements with outside consultants providing content or material for your web site include a provision regarding the use of your intellectual property? | Yes / No / N/A |  |
| 60. Does the applicant offer a bulletin board or chatroom at its web site? If yes, please answer questions 60a to 60c. | Yes / No / N/A |  |
| 60a. Who manages the bulletin board/chatroom? | In House / Subcontractor / Both |  |
| 60b. If a subcontractor, are "hold harmless" agreements required for liabilities arising out of its use? | Yes / No / N/A |  |
| 60c. Can the applicant remove any posting at its sole discretion, and does the ISP agreement allow the applicant to do so? | Yes / No |  |
| 61. If the applicant's web sites contain links to the web sites of others, is written permission obtained from the owners of those web sites? | Yes / No / N/A |  |
| Other |  |  |
| 62. Does the applicant have written policies and procedures addressing the actions to be taken in the event of an extortion demand? If no, please provide a proposed implementation date for such policies and procedures. | Yes / No / N/A |  |