

COMMENTS

Fire Suppression Systems: please note which of the following you have.
Y/N 13. Halon system
Y/N Is there a prevent discharge button?
Y/N Are there posted instructions by the prevent discharge button to ensure it is used properly?
Y/N 14. CO2 system
Y/N 15. Sprinkler system
Wet/Dry Is it a wet or dry pipe system?
16. If you have a Halon system, is there a plan to replace it with a non-CFC chemical?

COMMENTS

Electrical Considerations
Y/N 17. Do you have an uninterruptible power source (UPS)? How many minutes of backup does it provide? What items are protected?
Y/N Are the UPS and CPU logically linked to manage the power outage?
Y/N 18. Is the room air conditioned?
Y/N Is it on a separate system or systems?
Y/N Are air ducts closed automatically?

COMMENTS

Y/N 19. Is there an emergency power cutoff switch for the room? Where is it located?
Y/N Is it protected from accidental contact?

COMMENTS

Y/N 20. Is the data center on a dedicated circuit breaker?
Y/N Is the breaker protected from accidental shut-off?
Y/N 21. Is there battery powered lighting in place?

COMMENTS

Other Physical Security Considerations
Y/N 22. Is the file server keyboard locked?
Y/N 23. Does the installation use System Fault Tolerance (SFT) technology to prevent system outages?

COMMENTS

Y/N 24. Is smoking permitted in the data center?
Y/N 25. Is trash removed promptly so that the risk of fire and accidents is minimized?
26. Who cleans the data center?
Y/N If an outside cleaning service is used, are the employees supervised?
Y/N 27. Are cables and electrical wires either under a raised floor or covered to prevent accidents?

COMMENTS

Wiring Closet(s)
Y/N 28. Do all doors have locks?
Y/N 29. Are the doors locked at all times the closet is unattended?
Y/N 30. Is the closet exposed to fire from other equipment?
Y/N 31. Are the walls fire rated?

C. LOGICAL SECURITY
NetWare Security Administration
1. Security Administrator/Supervisor
Y/N a. Has one individual been provided supervisor rights?
Y/N b. Is a copy of the supervisor password written down and locked in a secure location?
Y/N c. Has an alternate or backup supervisor been established?
d. How often are the SUPERVISOR's passwords changed?
Y/N e. Are different passwords used on different file servers?
Y/N f. Does each file server have different security administrators?
Y/N g. Do security administrators have a separate login and a password different from that of the SUPERVISOR account?
Y/N h. Are activities of supervisor user accounts monitored by an appropriate individual separate from the LAN administration group?
Y/N i. Are there accounts (other than the supervisor accounts) that have effective rights to the SYS:SYSTEM directory?
Y/N j. Is there an adequate audit trail of activities performed in the SYS:SYSTEM directory?
Y/N k. Are SUPERVISOR accounts restricted to secure stations?

COMMENTS

Y/N 2. Have administrative procedures been developed and the approvals defined to manage user profiles?
Y/N a. Are user access request forms used to obtain approval from management for access to the system?
b. Describe the security policy.

COMMENTS

3. User Profile Management

Y/N a. Is each user assigned a unique profile?
Y/N b. Are passwords required for all users?
Y/N c. Do users establish their own passwords?
Y/N d. Are there accounts that do not require a password to log on to the LAN?
Y/N e. Is a new user forced to change his or her password at first sign-on?
Y/N f. Do all users change their passwords at a regular interval?
g. What is the interval for changing passwords?
Y/N h. Are end users of the system confined to menu-driven capabilities?
Y/N i. Are system utilities restricted to LAN administration accounts?
Y/N j. Is there a limit on unsuccessful access attempts?
k. What is the limit?
Y/N l. Are workstation users notified of their last sign-on and the number of invalid sign-on attempts each time they access the system?
Y/N m. Are users restricted as to the times they can use the system?
Y/N n. Are users restricted to workstations they can use on the system?
Y/N o. Has accounting been installed?
Y/N p. Are system access security violations monitored?
q. How often, and by whom, is the review performed?

COMMENTS

Y/N 4. Are inactive user profiles (i.e., profiles that have not signed on to the network for XXX days) automatically revoked?
Y/N a. Is the “SECURITY.EXE” or a similar report reviewed for accounts that have not been used for XXX days?
Y/N b. Is the GUEST ID active?

COMMENTS

Y/N 5. Are accounts restricted from concurrent connections (limited to one connection at a time)?

COMMENTS

6. Password Syntax: please indicate which of the following, if any, are in use.

Y/N a. Password minimum length
Y/N b. Character Restriction
Y/N c. Consecutive digits
Y/N d. Repeated characters
Y/N e. Required digits
Y/N f. Password re-use restricted
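The six syntax controls listed under item 6 can be expressed as a single policy and checked mechanically. The following script is an added example written for this checklist; it is not NetWare's own password enforcement and not part of the original questionnaire. The policy keys, the sample values, and the mapping of keys to the letters a to f are assumptions chosen for illustration.

```python
"""Password syntax checker for the six controls in checklist item 6.
Added example, not part of the original checklist and not a NetWare utility.
Policy keys, sample values and the key-to-letter mapping are assumptions."""
import re

# Constructed sample policy: one entry per control in item 6.
# A value of None (or 0) means that control is not in use.
POLICY = {
    "min_length": 8,                     # a. minimum length
    "allowed_chars": r"[A-Za-z0-9_\-]",  # b. character restriction: only these characters
    "max_consecutive_digits": 3,         # c. longest run of digits permitted ("1234" fails)
    "max_repeated_chars": 2,             # d. longest run of one character permitted ("aaa" fails)
    "min_digits": 1,                     # e. digits required
    "history_depth": 5,                  # f. must differ from the last N passwords
}
CONTROL_LETTERS = [("min_length", "a"), ("allowed_chars", "b"), ("max_consecutive_digits", "c"),
                   ("max_repeated_chars", "d"), ("min_digits", "e"), ("history_depth", "f")]


def enabled_controls(policy):
    """Checklist letters (a-f) for the controls the policy actually enforces;
    this is the Y/N answer to each line of item 6 for a given policy."""
    return [letter for key, letter in CONTROL_LETTERS if policy.get(key)]


def check_password(candidate, history, policy=POLICY):
    """Return the names of the rules the candidate violates ([] means acceptable).
    history lists the user's previous passwords, oldest first."""
    violations = []
    if policy.get("min_length") and len(candidate) < policy["min_length"]:
        violations.append("min_length")
    if policy.get("allowed_chars") and not re.fullmatch(policy["allowed_chars"] + "*", candidate):
        violations.append("allowed_chars")
    if policy.get("max_consecutive_digits") and re.search(
            r"\d{%d,}" % (policy["max_consecutive_digits"] + 1), candidate):
        violations.append("max_consecutive_digits")
    if policy.get("max_repeated_chars") and re.search(
            r"(.)\1{%d,}" % policy["max_repeated_chars"], candidate):
        violations.append("max_repeated_chars")
    if policy.get("min_digits") and sum(c.isdigit() for c in candidate) < policy["min_digits"]:
        violations.append("min_digits")
    if policy.get("history_depth") and candidate in history[-policy["history_depth"]:]:
        violations.append("history_depth")
    return violations


if __name__ == "__main__":
    print("controls in use:", enabled_controls(POLICY))
    for pw in ["abcd1234", "Tr0ub4dor", "aaaaaaa1", "pass word1"]:
        print(repr(pw), "->", check_password(pw, history=[]) or "acceptable")
```

Each rule is checked independently so that a rejected password reports every rule it breaks rather than just the first; an auditor comparing the list of enabled controls against the Y/N answers given on the form can see at once which of a to f a site has actually configured.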

COMMENTS

7. Profile Considerations

Y/N a. Do naming conventions clearly distinguish between group and individual profiles?
Y/N b. Have group profiles or authorization lists been set up to facilitate security administration?
Y/N c. Does the user group EVERYONE have only R (read) and F (file scan) access in the public directories PUBLIC, LOGIN, and MAIL?
Y/N d. Are there user profiles that are not restricted to R and F access in directories other than their own directory?
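Items 7c and 7d are the kind of check that is easier to answer from a trustee listing than from memory. The script below is an added example written for this checklist, not the output of any NetWare utility and not part of the original questionnaire. The comma-separated listing format, the sample entries, the list of which trustees are groups, and the home-directory convention SYS:USERS\<name> are all assumptions; the rights letters S, R, W, C, E, M, F and A are the NetWare 3.x directory rights.

```python
"""Trustee-rights review for checklist items 7c and 7d over a constructed
trustee listing. Added example; not part of the original checklist and not the
output of any NetWare utility. Listing format, group list and the home-directory
convention SYS:USERS\\<name> are assumptions."""

# NetWare 3.x directory rights: S(upervisory) R(ead) W(rite) C(reate)
# E(rase) M(odify) F(ile scan) A(ccess control).
RIGHTS = set("SRWCEMFA")
READ_ONLY = {"R", "F"}                      # the "R and F access" of items 7c/7d
PUBLIC_DIRS = {"SYS:PUBLIC", "SYS:LOGIN", "SYS:MAIL"}

# Constructed listing: directory, trustee, rights granted at that directory.
SAMPLE_LISTING = """\
SYS:PUBLIC,EVERYONE,RF
SYS:LOGIN,EVERYONE,RF
SYS:MAIL,EVERYONE,RWCF
SYS:SYSTEM,SUPERVISOR,SRWCEMFA
SYS:USERS\\JSMITH,JSMITH,RWCEMFA
SYS:APPS\\PAYROLL,JSMITH,RWF
SYS:APPS\\PAYROLL,MJONES,RF
SYS:APPS\\PAYROLL,PAYROLL_ADMINS,RWCEMF
"""
GROUPS = {"EVERYONE", "PAYROLL_ADMINS"}      # assumption: which trustees are groups


def parse_listing(text):
    """Yield (directory, trustee, rights) tuples; reject unknown rights letters."""
    for line in text.splitlines():
        if not line.strip():
            continue
        directory, trustee, letters = line.split(",")
        rights = set(letters.upper())
        if not rights <= RIGHTS:
            raise ValueError(f"unknown rights letter in {line!r}")
        yield directory.upper(), trustee.upper(), rights


def home_dir(user):
    """Assumed home-directory convention; adjust to the site's layout."""
    return f"SYS:USERS\\{user}"


def review(text, groups=GROUPS):
    """Findings for 7c (EVERYONE beyond R/F in the public directories) and
    7d (individual users beyond R/F outside their own home directory).
    SUPERVISOR is excluded: its rights are covered by item 1, not 7d."""
    findings = {"everyone_excess": [], "user_excess": []}
    for directory, trustee, rights in parse_listing(text):
        extra = "".join(sorted(rights - READ_ONLY))
        if not extra:
            continue
        if trustee == "EVERYONE" and directory in PUBLIC_DIRS:
            findings["everyone_excess"].append((directory, extra))
        elif (trustee not in groups and trustee != "SUPERVISOR"
              and directory != home_dir(trustee)):
            findings["user_excess"].append((trustee, directory, extra))
    return findings


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LISTING).items():
        for item in items:
            print(kind, *item)
```

On the constructed listing the script reports EVERYONE holding W and C in SYS:MAIL, and JSMITH holding W in SYS:APPS\PAYROLL, a directory that is not his home; rights granted to named groups are left for the group-profile review of item 8 rather than counted as individual excess.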

COMMENTS

Y/N 8. Have procedures been developed and the approvals defined to assign trustee rights to a group profile?
Y/N a. Are request forms used to obtain approval from management for access to the profiles?
b. Describe the security policy.

COMMENTS

Y/N 9. Are changes to trustee rights monitored and reviewed?
10. Who is performing this review and how often?

COMMENTS

Y/N 11. Are directories logically structured (such as by application) to provide consistent protection requirements for each library?
Y/N a. Are there users with excessive rights in critical system directories (SYS:, SYS:SYSTEM, and SYS:PUBLIC, for instance)?
Y/N b. Is NET$ACCT.DAT protected from unauthorized access?
Y/N c. Are all critical files that could cause system disruptions stored in the SYS:SYSTEM directory?
Y/N d. Are all trustee rights assignments removed from the SYS:LOGIN directory for all users?

COMMENTS

Y/N 12. Is encryption software available or being used?

COMMENTS

Y/N 13. Are workstation users automatically signed off after a specified period of inactivity?
Time interval:

COMMENTS

Y/N 14. Do users signing on from a remote system go through the normal sign-on procedure?

COMMENTS

DOS

Y/N 15. Are there any AUTOEXEC.BAT files and any other batch files that automatically log a workstation on the network?
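Answering item 15 means reading every batch file that runs at boot and looking for commands that attach the workstation to a server without the operator typing anything. The scanner below is an added example written for this checklist; it is not a DOS or NetWare utility and not part of the original questionnaire. The sample AUTOEXEC.BAT is constructed, and treating LOGIN and ATTACH as the login commands, input redirection as a stored response file, and any non-option token after the user name as a possible embedded credential are this script's own heuristics.

```python
"""Scan DOS batch files for commands that log a workstation on to the network
without operator interaction (checklist item 15). Added example; not part of the
original checklist and not a DOS or NetWare utility. The sample batch text is
constructed and the detection heuristics are this script's own."""
import re
from pathlib import Path

LOGIN_COMMANDS = {"LOGIN", "ATTACH"}       # assumption: the commands that establish a login

# Constructed AUTOEXEC.BAT: a plain login, a login fed from a stored response
# file, and a login with an extra token after the user name.
SAMPLE_AUTOEXEC = """\
@ECHO OFF
PATH C:\\DOS;C:\\NET
LSL
NE2000
IPXODI
NETX
F:
LOGIN FS1/JSMITH
REM next line is the risky pattern: a stored response fed to LOGIN
LOGIN FS1/MJONES < C:\\NET\\RESP.TXT
ATTACH FS2/JSMITH s3cret
"""


def scan_batch_text(text):
    """Return one finding per login command line: (line_no, command, severity, reason)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        tokens = line.split()
        cmd = re.sub(r"^.*[\\:]", "", tokens[0].upper())   # drop drive/path prefix
        cmd = cmd.removesuffix(".EXE")
        if cmd not in LOGIN_COMMANDS:
            continue
        if any(t.startswith("<") for t in tokens):
            findings.append((no, cmd, "high", "input redirected from a stored response file"))
            continue
        extras = [t for t in tokens[2:] if not t.startswith("/")]
        if extras:
            findings.append((no, cmd, "high", "extra argument after user name, possible embedded credential"))
        else:
            findings.append((no, cmd, "medium", "automatic network login at boot"))
    return findings


def scan_files(paths):
    """Scan batch files on disk; returns {path: findings}."""
    return {str(p): scan_batch_text(Path(p).read_text(errors="replace")) for p in paths}


if __name__ == "__main__":
    for line_no, cmd, severity, reason in scan_batch_text(SAMPLE_AUTOEXEC):
        print(f"line {line_no}: {cmd} [{severity}] {reason}")
```

A plain LOGIN line only shows that the workstation reaches the login prompt automatically, which is why it is rated medium; the redirection and extra-argument cases are rated high because they are the patterns by which a credential ends up stored in clear text on the workstation, which is the risk item 15 is probing.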

COMMENTS

Y/N 16. Are time-out features available on the local microcomputer/workstations?

COMMENTS

Y/N 17. Has a security package been installed on local PCs to prevent unauthorized access by intruders?

COMMENTS

D. CHANGE MANAGEMENT
Project Request Procedures
Y/N 1. Is there a standard form used to request additions and/or changes to application systems?

COMMENTS

Y/N 2. Is there evidence of authorization for program modifications?

COMMENTS

Y/N 3. Does the evidence include a service request, or some other identification method?

COMMENTS

Y/N 4. Are changes to production source and executable programs monitored via reporting that is reviewed by a responsible person (with review evidenced by signature or initials)?

COMMENTS

Y/N 5. Are programmers limited to read-only authority for production source programs?

COMMENTS

Y/N 6. Is a log or standard form kept for all additions and changes to the production environment?

COMMENTS

Operating System

Y/N 7. Is there a written procedure for performing operating system updates?
Y/N 8. Are these updates performed as required to ensure that support for the changes is maintained?

COMMENTS

E. BACKUP, RECOVERY AND CONTINGENCY PLANNING
1. Please complete the following table concerning the backups you make.

Type of Backup | Frequency (daily, weekly, etc.) | Number of Generations Stored On-Site | Number of Generations Stored Off-Site
Full           |                                 |                                      |
Selected       |                                 |                                      |
Other:         |                                 |                                      |
Y/N 2. Are backup commands fully coded and compiled as control language programs, as opposed to being typed in at the system console when required?
  Please provide a sample of backup instructions/commands, if they exist.

COMMENTS

Y/N 3. Are tapes and diskettes written on the system subject to controlled physical access?

COMMENTS

Y/N 4. Do you have any applications that include a communications component? (Examples would include purchasing with an EDI component and shop floor data collection using store-and-forward logic.)
  Identify fall-back alternatives and applications that incorporate communications in comments below.

COMMENTS

Y/N 5. Do you have a disaster recovery plan?
  Does it address the following:
Y/N a. Identification of vital records?
Y/N b. Assignment of specific responsibilities during an emergency?
Y/N c. Establishing an offsite agreement?
Y/N d. Determining how long it will take to replace damaged equipment?
Y/N e. Ranking jobs/systems in terms of criticality?
Y/N f. Determining what processing power will be needed to support critical activities?
Y/N g. Are involved employees familiar with emergency procedures?
Y/N h. Do involved employees have a copy of the procedures, or their section, at an offsite location?
i. How often is the plan updated?

COMMENTS

Y/N 6. Is a copy of the current systems/operations documentation kept either offsite or in a fireproof place?
  Where is it kept?

COMMENTS

F. OPERATIONS
Y/N 1. Is system utilization monitored?

COMMENTS

Y/N 2. Are system errors logged?

COMMENTS

Y/N 3. Are magnetic tapes periodically checked for wear?

COMMENTS

Y/N 4. Are magnetic tapes periodically checked for errors?

COMMENTS

Y/N 5. Are file inventories taken periodically to determine obsolete files?

COMMENTS
