COMMENTS
Fire Suppression Systems: please note which of the following you have. | |
Y/N | 13. Halon system |
Y/N | Is there a prevent discharge button? |
Y/N | Are there posted instructions by the prevent discharge button to ensure it is used properly? |
Y/N | 14. CO2 system |
Y/N | 15. Sprinkler system |
Wet/Dry | Is it a wet or dry pipe system? |
16. If you have a Halon system, is there a plan to replace it with a non-CFC chemical? | |
COMMENTS
Electrical Considerations | |
Y/N | 17. Do you have an uninterruptible power source (UPS)? |
How many minutes of backup does it provide? | |
What items are protected? | |
Y/N | Are the UPS and CPU logically linked to manage the power outage? |
Y/N | 18. Is the room air conditioned? |
Y/N | Is it on a separate system or systems? |
Y/N | Are air ducts closed automatically? |
COMMENTS
Y/N | 19. Is there an emergency power cutoff switch for the room? |
Where is it located? | |
Y/N | Is it protected from accidental contact? |
COMMENTS
Y/N | 20. Is the data center on a dedicated circuit breaker? |
Y/N | Is the breaker protected from accidental shut-off? |
Y/N | 21. Is there battery powered lighting in place? |
COMMENTS
22. Is the file server keyboard locked? | |
Y/N | 23. Does the installation use System Fault Tolerance (SFT) technology to prevent system outages? |
COMMENTS
Y/N | 24. Is smoking permitted in the data center? |
Y/N | 25. Is trash removed promptly so that the risk of fire and accidents is minimized? |
26. Who cleans the data center? | |
Y/N | If an outside cleaning service is used, are the employees supervised? |
Y/N | 27. Are cables and electrical wires either under a raised floor or covered to prevent accidents? |
COMMENTS
Wiring Closet(s) | |
Y/N | 28. Do all doors have locks? |
Y/N | 29. Are the doors locked at all times the closet is unattended? |
Y/N | 30. Is the closet exposed to fire from other equipment? |
Y/N | 31. Are the walls fire rated? |
C. | LOGICAL SECURITY |
NetWare Security Administration | |
1. Security Administrator/Supervisor | |
Y/N | a. Has one individual been provided supervisor rights? |
Y/N | b. Is a copy of the supervisor password written down and locked in a secure location? |
Y/N | c. Has an alternate or backup supervisor been established? |
d. How often are the SUPERVISOR passwords changed? | |
Y/N | e. Are different passwords used on different file servers? |
Y/N | f. Does each file server have different security administrators? |
Y/N | g. Do security administrators have a separate login and a password different from that of the SUPERVISOR account? |
Y/N | h. Are activities of supervisor user accounts monitored by an appropriate individual separate from the LAN administration group? |
Y/N | i. Are there accounts (other than the supervisor accounts) that have effective ownership to the SYS:SYSTEM directory? |
Y/N | j. Is there an adequate audit trail of activities performed in the SYS:SYSTEM directory? |
Y/N | k. Are SUPERVISOR accounts restricted to secure stations? |
COMMENTS
Y/N | 2. Have administrative procedures been developed and the approvals defined to manage user profiles? |
Y/N | a. Are user access request forms used to obtain approval from management for access to the system? |
b. Describe the security policy. | |
COMMENTS
3. User Profile Management
Y/N | a. Is each user assigned a unique profile? |
Y/N | b. Are passwords required for all users? |
Y/N | c. Do users establish their own passwords? |
Y/N | d. Are there accounts that do not require a password to log on to the LAN? |
Y/N | e. Is a new user forced to change his or her password at first sign-on? |
Y/N | f. Do all users change their passwords at a regular interval? |
g. What is the interval for changing passwords? | |
Y/N | h. Are end users of the system confined to menu-driven capabilities? |
Y/N | i. Are system utilities restricted to LAN administration accounts? |
Y/N | j. Is there a limit on unsuccessful access attempts? |
k. What is the limit? | |
Y/N | l. Are workstation users notified of their last sign-on and the number of invalid sign-on attempts each time they access the system? |
Y/N | m. Are users restricted as to the times they can use the system? |
Y/N | n. Are users restricted to workstations they can use on the system? |
Y/N | o. Has accounting been installed? |
Y/N | p. Are system access security violations monitored? |
Y/N | q. How often, and by whom, is the review performed? |
COMMENTS
Y/N | 4. Are inactive user profiles (i.e., profiles that have not signed on to the network for XXX days) automatically revoked? |
Y/N | a. Is the SECURITY.EXE report, or a similar report, reviewed for accounts that have not been used for XXX days? |
Y/N | b. Is the GUEST ID active? |
COMMENTS
Y/N | 5. Are accounts restricted from concurrent connections (limited to one connection at a time)? |
COMMENTS
6. Password Syntax: please indicate which of the following, if any, are in use.
Y/N | a. Password minimum length |
Y/N | b. Character Restriction |
Y/N | c. Consecutive digits |
Y/N | d. Repeated characters |
Y/N | e. Required digits |
Y/N | f. Password re-use restricted |
COMMENTS
7. Profile Considerations
Y/N | a. Do naming conventions clearly distinguish between group and individual profiles? |
Y/N | b. Have group profiles or authorization lists been set up to facilitate security administration? |
Y/N | c. Does the user group EVERYONE have only R (read) and F (file scan) access in the public directories PUBLIC, LOGIN, and MAIL? |
Y/N | d. Are there user profiles that are not restricted to R and F access in directories other than their own directory? |
COMMENTS
Y/N | 8. Have procedures been developed and the approvals defined to assign trustee rights to a group profile? |
Y/N | a. Are request forms used to obtain approval from management for access to the profiles? |
b. Describe the security policy. | |
COMMENTS
Y/N | 9. Are changes to trustee rights monitored and reviewed? |
10. Who is performing this review and how often? | |
COMMENTS
Y/N | 11. Are directories logically structured (such as by application) to provide consistent protection requirements for each library? |
Y/N | a. Are there users with excessive rights in critical system directories (SYS:, SYS:SYSTEM, and SYS:PUBLIC, for instance)? |
Y/N | b. Is NET$ACCT.DAT protected from unauthorized access? |
Y/N | c. Are all critical files that could cause system disruptions stored in the SYS:SYSTEM directory? |
Y/N | d. Are all trustee rights assignments removed from the SYS:LOGIN directory for all users? |
COMMENTS
Y/N | 12. Is encryption software available or being used? |
COMMENTS
Y/N | 13. Are workstation users automatically signed off after a specified period of inactivity? |
Time interval: | |
COMMENTS
Y/N | 14. Do users signing on from a remote system go through the normal sign-on procedure? |
COMMENTS
DOS
Y/N | 15. Are there any AUTOEXEC.BAT files and any other batch files that automatically log a workstation on the network? |
COMMENTS
Y/N | 16. Are time-out features available on the local microcomputer/workstations? |
COMMENTS
Y/N | 17. Has a security package been installed on local PCs to prevent unauthorized access by intruders? |
COMMENTS
D. | CHANGE MANAGEMENT |
Project Request Procedures | |
Y/N | 1. Is there a standard form used to request additions and/or changes to application systems? |
COMMENTS
Y/N | 2. Is there evidence of authorization for program modifications? |
COMMENTS
Y/N | 3. Does the evidence include a service request, or some other identification method? |
COMMENTS
Y/N | 4. Are changes to production source and executable programs monitored via reporting that is reviewed by a responsible person (with review evidenced by signature or initials)? |
COMMENTS
Y/N | 5. Are programmers limited to read-only authority for production source programs? |
COMMENTS
Y/N | 6. Is a log or standard form kept for all additions and changes to the production environment? |
COMMENTS
Operating System
Y/N | 7. Is there a written procedure for performing operating system updates? |
Y/N | 8. Are these updates performed as required to ensure that support for the changes is maintained? |
COMMENTS
E. | BACKUP, RECOVERY AND CONTINGENCY PLANNING |
1. Please complete the following table concerning the backups you make. | |
Type of Backup | Frequency (daily, weekly, etc.) | Number of Generations Stored On-Site | Number of Generations Stored Off-Site |
---|---|---|---|
Full | |||
Selected | |||
Other: | |||
Y/N | 2. Are backup commands fully coded and compiled as control language programs, as opposed to being typed in at the system console when required? |
Please provide a sample of backup instructions/commands, if they exist. | |
COMMENTS
Y/N | 3. Are tapes and diskettes written on the system subject to controlled physical access? |
COMMENTS
Y/N | 4. Do you have any applications that include a communications component? (Examples would include a purchasing system with an EDI component, or shop floor data collection that uses store-and-forward logic.) |
Identify fall-back alternatives and applications that incorporate communications in comments below. | |
COMMENTS
Y/N | 5. Do you have a disaster recovery plan? |
Does it address the following: | |
Y/N | a. Identification of vital records? |
Y/N | b. Assignment of specific responsibilities during an emergency? |
Y/N | c. Establishing an offsite agreement? |
Y/N | d. Determining how long it will take to replace damaged equipment? |
Y/N | e. Ranking jobs/systems in terms of criticality? |
Y/N | f. Determining what processing power will be needed to support critical activities? |
Y/N | g. Are involved employees familiar with emergency procedures? |
Y/N | h. Do involved employees have a copy of the procedures, or their section, at an offsite location? |
Y/N | i. How often is the plan updated? |
COMMENTS
Y/N | 6. Is a copy of the current systems/operations documentation kept either offsite or in a fireproof place? |
Where is it kept? | |
COMMENTS
F. | OPERATIONS |
Y/N | 1. Is system utilization monitored? |
COMMENTS
Y/N | 2. Are system errors logged? |
COMMENTS
Y/N | 3. Are magnetic tapes periodically checked for wear? |
COMMENTS
Y/N | 4. Are magnetic tapes periodically checked for errors? |
COMMENTS
Y/N | 5. Are file inventories taken periodically to determine obsolete files? |
COMMENTS