VIII. COMPUTER SECURITY CHECK LIST
Since this module represents the capstone effort of the computer security curriculum, it includes a checklist for computer security. The list is necessarily aimed at large organizations with mainframes, but it also covers most of the information needed for microcomputer system security.
- General Information
- A detailed Statement of Threat for the organization.
- A Statement of Threat for individual locations.
- A list containing phone numbers for all individuals involved in the organizational security.
- A policy document detailing how the security personnel have access to the MIS personnel.
- Documentation on the training of all MIS personnel.
- An organization chart and documentation demonstrating the separation of duties to minimize the opportunity for collusion.
- Documentation of an MIS Security Group (MSG) or equivalent. This documentation should include but not necessarily be limited to:
- Names, functions, and phone numbers of all members (for emergency access).
- Security Specialists, Operations Specialists, Physical Security Specialists, Auditor, Facilities Engineer, Communications Security Specialists, and others with appropriate skills are fully represented on the committee.
- Documentation for each area that demonstrates that an effective liaison has been established with local support activities in the following areas:
- Plant engineering and facilities, construction, electrical, air conditioning, and site preparation.
- Physical security.
- Personnel.
- Safety (Safety Officer, Fire Marshal, Transportation).
- Records management.
- General Security
- Documentation that each area has been designated a restricted area following current company policy, if appropriate.
- Documentation of security policies and procedures.
- Documentation of internal audit efforts that determine compliance with security procedures.
- Documentation of a formal risk management program.
- Fire Risk and Water Damage Analysis
- Specific site documentation for fire risk and exposure should contain, but not necessarily be limited to, the following:
- The construction techniques that demonstrate the fire resistance of the building containing the system. Raised floors and ceilings, curtains, rugs, furniture, and drapes should be from non-combustible materials.
- The procedures used to manage the paper and other combustible supplies for the computer facilities. In addition, this should document the control of inflammable or dangerous activities in areas surrounding the computer room.
- The storage of magnetic media outside the computer room.
- The periodic training of operators in fire fighting techniques and assigned responsibilities in case of fire.
- Documentation that each site has computer fire protection.
- Automated carbon dioxide. If so, do all personnel have training in the use of gas masks and other safety devices?
- Halogenated agents.
- Water (either wet-pipe or preaction alarm).
- Documentation that portable fire extinguishers are spread strategically around the area with markers visible above computer equipment.
- Documentation that power shutdown switches are accessible at points of exit. Switches should shut down the air conditioning flow as well.
- Documentation on the location of smoke detectors. Are they located in the ceiling, under the raised floor, or in air return ducts? It should answer the following questions:
- Will air conditioning systems shut down on detection of smoke?
- Who will perform the engineering analysis of the function of smoke alarms and how often?
- Who tests the smoke detection system and how often?
- Who is responsible for fire drills and how often should they occur?
- Documentation of sub floor cleaning and contents, if appropriate. It should include:
- water supplies for fire fighting
- battery powered emergency/ evacuation lighting
- manual alarm systems
- Documentation of fire alarm systems to include where they ring, who will respond, and how.
- Documentation of 24-hour attendance and procedures for reporting problems.
- Documentation of control of potential water damage that includes:
- The elimination of overhead water and steam pipes except for sprinklers.
- The existence of subfloor drainage including drainage away from all hardware.
- The protection of the electrical system from water damage in subfloor area.
- The water integrity of doors, windows, and roof.
- The location of sheeting materials for protection of hardware components from water damage.
- Air Conditioning Systems
- Documentation of the air conditioning system should include:
- That the computer facility has a dedicated air-conditioning system.
- The existence of fireproof ducts and filters.
- Location of compressor.
- Backup air-conditioning availability.
- Fire protection of cooling tower if applicable.
- That air intakes are protected with screening and located above street level.
- That the air intakes prevent the uptake of pollutants or debris.
- Document the temperature and humidity recording and control.
- Electrical System: The electrical system is frequently a weak link in information security. PC/workstations are often overlooked as a source of problems.
- Document electrical system reliability by showing:
- That uninterruptible power supplies are available at those locations that require them.
- That motor-generator systems are backed up and that there are lightning arrestors on appropriate circuits.
- The reliability of the commercial power supply and that it is clean power if the system relies on it.
- That the security system will continue to function even after a power failure.
- The backup system test frequency and results.
- Natural Disasters: Document the resistance to a natural disaster by showing:
- The structural soundness and resistance to windstorms, floods, and earthquakes. This would include demonstrating that the buildings are remote from earthquake faults or earthquake-proof. Show the relationship to geothermal/volcanic areas.
- Proper grounding of all electrical equipment for lightning protection.
- Backup Systems
- Document the existence of backup systems for all critical systems at the site. This should include, but not be limited to:
- Fully articulated agreements for backup computers in:
- the same room.
- another room in the same building.
- a separate location.
- Benchmarks or other indicators that the backup systems can, in fact, handle the intended workload.
- Copies of the contract granting access to computers owned by others.
- Quarterly tests, performed to familiarize staff with procedures for using a backup system.
- A full security review and plan for a backup system, if needed.
- Document a full written contingency plan covering:
- Individuals who are responsible for each functional area.
- A current “who calls whom” list with alternates. This list should include but not be limited to: Management, Emergency Crews, Selected Users, Service Personnel, Facilities Personnel, and Points of contact at backup sites.
- Detailed descriptions of the criteria for determining the duration of disruptions to service.
- Individual responsibilities for retaining source documents and/or data files for each application.
- Individual responsibilities for the destruction or safeguarding of classified materials in the computer facility in the event the facility must be evacuated.
- Individual responsibility for the purchase or lease of new or temporary computer equipment.
- Individual responsibility for the acquisition of:
- Air conditioning equipment.
- Computer time/services.
- Additional manpower.
- Furnishings, cabinets, etc.
- Replacement tapes and disk packs.
- Alternate sites and their preparation.
- Travel accommodations for essential personnel.
- Orderly transportation of computer jobs, personnel, and related materials and appropriate coordination with security.
- Duplication of backup files.
- Continuing security in the contingency mode.
- Document the existence of a contingency training program for all computer personnel.
- Access Control
- Document the access control that is unique to the computer facilities by showing:
- That a general guard schedule provides adequate physical security in accordance with the Statement of Threat and a positive identification system exists for all employees.
- That access to computer areas is restricted to selected personnel; this would include, but not be limited to:
- Unescorted access to the equipment.
- Files are segregated so that only specific individuals have access.
- That an adequate visitor control procedure exists that includes:
- Escort procedures.
- Proper training of potential escorts about their responsibilities.
- Personnel trained to challenge improperly identified individuals.
- That security and operations personnel are briefed on how to react to civil disturbances.
- That a good liaison program exists with local law enforcement agencies and that suitable articulation agreements are in place.
- That all personnel know how to handle telephone bomb threats.
- Document that background checks and rechecks are performed on all employees.
- Document that policies exist to ensure that computer employees are cross-trained to cover all essential functions.
- Document the existence of a continuing personnel education program in computer security matters. This should include but not be limited to:
- Knowledge of the provisions of company security policies and procedures
- Personnel training of supervisors in human behavior to aid managers in identifying changes in personality and living habits of their people
- Personnel training of supervisors so that they can identify possibly disgruntled employees.
- Personnel policies that allow for containment or immediate dismissal of employees who may constitute a threat to the installation.
- Document that all exterior windows accessible from the ground level are covered with metal grills.
- Document that no one can gain access to the computer area without the knowledge of a guard or another employee.
- Document that the computer facilities are manned by at least two appropriately cleared personnel at all times.
- Document that housekeeping standards for the computer room include the prevention of accumulation of trash in the computer area and that floors (and associated underfloor areas), equipment covers, and work surfaces are cleaned regularly.
- Document that wastebaskets in the computer room are of metal material with closing tops and that they are dumped outside the computer area to minimize dust.
- Document smoking rules in the computer facility. If smoking is allowed, document the existence of self-extinguishing ashtrays.
- System Utilization
- Document that the hardware utilization policy includes but is not limited to:
- that systems comply with operations schedules
- that techniques exist for matching meter hours to operational hours. This is to ensure that the equipment is not being used for unauthorized purposes during off duty hours.
- that a regular maintenance schedule exists for hardware to ensure reliability and that maintenance personnel have appropriate security clearance.
- that batch type jobs are logged and cross-checked against an authorized job list.
- spot checks of output for possible misuse of a system and that output distribution systems prevent an unauthorized person from receiving a confidential report.
- Document communications control techniques.
- Document the existence of emanation security (no RFI detectable outside computer facility).
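Two of the System Utilization items above (matching meter hours to operational hours, and cross-checking logged batch jobs against an authorized job list) are mechanical enough to show as a small reconciliation script. The following is an added illustration, not part of the original checklist or of any particular installation's tooling; the operations schedule, meter readings, authorized job list and console job log are all constructed sample data.

```python
"""Reconcile hardware meter hours against the operations schedule and
cross-check a batch job log against the authorized job list.

Added illustration for the System Utilization checklist items; every
record below is constructed, not taken from a real installation."""
from dataclasses import dataclass

# Constructed operations schedule: authorized machine hours per calendar day.
SCHEDULE_HOURS = {
    "1985-03-03": 16.0,   # two shifts
    "1985-03-04": 16.0,
    "1985-03-05": 8.0,    # single shift, maintenance in the afternoon
}

# Constructed cumulative meter readings taken at the start of each day, plus
# one closing reading. A day's usage is the difference between two readings.
METER_READINGS = [
    ("1985-03-03", 1200.0),
    ("1985-03-04", 1216.2),
    ("1985-03-05", 1237.9),   # 21.7 h used on 03-04 against 16 h scheduled
    ("1985-03-06", 1245.8),   # 7.9 h used on 03-05
]

# Constructed authorized job list and console job log (job, submitter, start).
AUTHORIZED_JOBS = {"PAYROLL1", "GLPOST", "INVRPT", "BACKUP"}
JOB_LOG = [
    ("PAYROLL1", "OPS01", "1985-03-04 02:10"),
    ("GLPOST",   "OPS01", "1985-03-04 03:40"),
    ("DUMPALL",  "OPS07", "1985-03-04 23:55"),   # not on the authorized list
    ("BACKUP",   "OPS02", "1985-03-05 01:00"),
]


@dataclass(frozen=True)
class MeterFinding:
    day: str
    scheduled: float
    metered: float
    excess: float


def reconcile_meter_hours(readings, schedule, tolerance=0.5):
    """Return a MeterFinding for each day whose metered hours exceed the
    scheduled hours by more than `tolerance`. Unexplained excess means the
    machine ran outside the operations schedule and should be followed up."""
    findings = []
    for (day, start), (_, end) in zip(readings, readings[1:]):
        used = round(end - start, 2)
        scheduled = schedule.get(day, 0.0)   # no schedule entry: nothing authorized
        excess = round(used - scheduled, 2)
        if excess > tolerance:
            findings.append(MeterFinding(day, scheduled, used, excess))
    return findings


def unauthorized_jobs(job_log, authorized):
    """Return the log entries whose job name is not on the authorized list."""
    return [entry for entry in job_log if entry[0] not in authorized]


if __name__ == "__main__":
    for f in reconcile_meter_hours(METER_READINGS, SCHEDULE_HOURS):
        print(f"{f.day}: metered {f.metered} h, scheduled {f.scheduled} h, "
              f"excess {f.excess} h")
    for job, user, started in unauthorized_jobs(JOB_LOG, AUTHORIZED_JOBS):
        print(f"unauthorized job {job} submitted by {user} at {started}")
```

The tolerance absorbs normal start-up and shutdown overhead; anything beyond it is an audit item, and the job list check gives the reviewer a second, independent indicator of the same off-hours activity.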
- System Operation
- Document that erasure and declassification procedures include the erasure and overwriting of classified data before the contents of that memory can be reused.
- Document that the necessary programs, equipment, and procedures exist for declassifying any and all computer equipment used for the processing or storage of classified data on-site.
- Document that policies exist for magnetic tapes and disks that require:
- Accountability for use and cleaning frequency of tapes and disks.
- Use by authorized individuals only.
- The orderly filing of tapes and disks.
- Tape storage (vertically and in containers) except when in use.
- Tape and disk pack utilization records.
- The frequent cleaning of tape heads to ensure data reliability.
- Location of the media library in an area secure from an explosion or other dangers.
- The use of magnetic detection equipment to preclude the presence of a magnetic field near the magnetic media.
- Adequate protection for magnetic media while in transit between locations.
- Document that media or devices are marked with:
- Date of creation.
- The highest classification level of any information contained on the media.
- Downgrading or exemption instructions when placed in permanent files.
- A unique identifier.
- The classification of the system’s environment when the product was produced, if the assigned classification cannot be immediately verified by the customer.
- Special access restrictions.
- Color codes.
- Software
- Document that software security policy includes the following:
- That physical security includes backup file systems at a secondary location for both the programs and the associated documentation. Essential programs, software systems, and associated documentation of programs in the library are located in a locked vault or a secured area.
- That access to the essential programs and software systems is restricted to a need to know basis in the prime and backup areas.
- That multilevel access control to the data files (read/write/update at the block, record, field, and character level) is provided by various levels of security classification.
- That periodic checks are made to validate the security software utilities and the tables of access codes.
- The techniques employed to preclude more than one user updating files at any given time, in those areas where remote access to on-line databases is allowed.
- Document that in those areas that allow access by remote terminals:
- That keyword or password protection with periodic changes of passwords is employed.
- That data encryption (either hardware or software) techniques are employed during transmission of vital data.
- That terminal users are restricted to higher-level language access only.
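The Software items on multilevel access control by classification level (read/write/update down to field granularity) and on periodic validation of the tables of access codes can be made concrete in a few functions. The block below is an added example and not part of the original checklist; the classification levels, user clearances, access table and labelled files are constructed, and the mandatory rules follow the Bell-LaPadula model (no read up, no write down), which the checklist does not name but which matches the controls it lists.

```python
"""Multilevel access control check at file, record and field granularity,
plus a digest check that lets a periodic audit detect edits to the access
table. Added example; all data is constructed."""
import hashlib
import json

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed discretionary access table: user -> file -> allowed operations.
ACCESS_TABLE = {
    "jsmith": {"PAYROLL": {"read", "update"}},
    "rjones": {"PAYROLL": {"read"}, "PERSONNEL": {"read", "write", "update"}},
}
CLEARANCE = {"jsmith": "CONFIDENTIAL", "rjones": "SECRET"}

# Constructed data files: file -> record id -> field -> classification.
# A record's classification is the highest classification of its fields.
FILE_LABELS = {
    "PAYROLL": {
        "rec001": {"name": "UNCLASSIFIED", "salary": "CONFIDENTIAL"},
        "rec002": {"name": "UNCLASSIFIED", "salary": "SECRET"},
    },
    "PERSONNEL": {
        "rec100": {"name": "UNCLASSIFIED", "clearance_notes": "SECRET"},
    },
}


def record_level(file, record):
    """Highest classification among the record's fields."""
    return max(LEVELS[c] for c in FILE_LABELS[file][record].values())


def check_access(user, op, file, record=None, field=None):
    """Return (allowed, reason). The discretionary table is checked first;
    then, for record- or field-level requests, the mandatory level rules:
    read requires clearance >= object level (no read up), and write/update
    requires object level >= clearance (no write down, strict model)."""
    if op not in ACCESS_TABLE.get(user, {}).get(file, set()):
        return False, f"{user} has no {op} right on {file}"
    if record is None:
        return True, "file-level access granted"
    if field is None:
        obj_level = record_level(file, record)
    else:
        obj_level = LEVELS[FILE_LABELS[file][record][field]]
    subj_level = LEVELS[CLEARANCE[user]]
    if op == "read" and subj_level < obj_level:
        return False, "no read up: object classified above clearance"
    if op in ("write", "update") and obj_level < subj_level:
        return False, "no write down: object classified below clearance"
    return True, "access granted"


def access_table_digest(table):
    """Canonical SHA-256 of the access table. Record it when the table is
    validated; the periodic check recomputes it to detect unapproved edits."""
    canon = json.dumps({u: {f: sorted(ops) for f, ops in fs.items()}
                        for u, fs in table.items()}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def validate_access_table(table, expected_digest):
    """True when the table still matches its last validated state."""
    return access_table_digest(table) == expected_digest
```

The digest check is only as good as the protection of the stored reference value; it belongs with the other security records rather than next to the table it validates.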
- Hardware
- Document that the operating systems are protected from unauthorized activity by:
- Maintaining built-in protection to prevent the bypassing of security utilities and unauthorized access to databases by a knowledgeable programmer familiar with the system.
- Demonstrating that memory bounds are tested following maintenance, initial program load, and each restart.
- Verifying vendor modifications to the operating system before being installed on the system.
- Verifying all local modifications to the operating system by the security officer or personnel designated by him.
- Maintaining a record of all operating system modifications until at least the next software release.
- Monitoring software technologists to ensure that they do not circumvent the normal access procedures by the use of special coding.
- Documenting that application programs are designed to restart using internal recovery procedures.
- Documenting that all programming changes and maintenance are well controlled (configuration control).
- Documenting that threat monitoring is accomplished by showing:
- That a log of those who access data banks or sensitive files is maintained.
- That there are software security routines that monitor unauthorized attempts to access portions of the system via on-line notification of an operator or end of day printout.
- That attempts to misuse the system are followed up in a systematic manner and according to the appropriate rules established by the SSO and the MIS manager.
- Documenting that in-house service personnel are controlled in their access to vital areas. All non-cleared individuals should have special escorts while performing their tasks.
- Document that a list of vendor-authorized service and system support personnel is maintained, that positive identification of these individuals is required, and that they do not compromise security.
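The threat-monitoring items above ask for three things: a log of who accessed sensitive files, software routines that flag unauthorized attempts either by on-line operator notification or in an end-of-day printout, and systematic follow-up. The following added example shows one monitoring pass that produces all three outputs from a small constructed access log; the log format, file names, users and terminals are invented for illustration and are not the output of any real system.

```python
"""Threat-monitoring pass over a constructed access log: keeps the record
of successful accesses to sensitive files, raises an immediate operator
notification when a user's denied attempts reach a threshold, and builds
the end-of-day summary. Added example; all data is constructed."""
from collections import Counter, defaultdict

SENSITIVE_FILES = {"PAYROLL", "PERSONNEL", "SYSGEN"}

# Constructed log lines: timestamp|user|terminal|file|operation|result
ACCESS_LOG = """\
1985-03-04 08:02|jsmith|T01|PAYROLL|READ|OK
1985-03-04 08:05|jsmith|T01|PAYROLL|UPDATE|OK
1985-03-04 09:17|rjones|T04|INVRPT|READ|OK
1985-03-04 22:41|opsx9|T11|PERSONNEL|READ|DENIED
1985-03-04 22:42|opsx9|T11|PERSONNEL|READ|DENIED
1985-03-04 22:43|opsx9|T11|SYSGEN|WRITE|DENIED
1985-03-04 23:10|rjones|T04|PAYROLL|READ|OK
"""


def parse_log(text):
    """Split the pipe-delimited log into dictionaries, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, file, op, result = line.split("|")
        entries.append({"ts": ts, "user": user, "terminal": terminal,
                        "file": file, "op": op, "result": result})
    return entries


def monitor(entries, alert_threshold=2):
    """Return (access_record, alerts, summary).

    access_record: sensitive file -> list of (ts, user, op) for successful
                   accesses, i.e. the log of who accessed sensitive files;
    alerts: immediate operator notifications, at most one per user, raised
            when that user's denied attempts on sensitive files reach
            alert_threshold;
    summary: end-of-day lines giving denied attempts per user and file."""
    access_record = defaultdict(list)
    denied = Counter()
    alerts = []
    alerted = set()
    for e in entries:
        if e["file"] not in SENSITIVE_FILES:
            continue
        if e["result"] == "OK":
            access_record[e["file"]].append((e["ts"], e["user"], e["op"]))
            continue
        denied[(e["user"], e["file"])] += 1
        user_total = sum(n for (u, _), n in denied.items() if u == e["user"])
        if user_total >= alert_threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append(f"{e['ts']} NOTIFY OPERATOR: {e['user']} at "
                          f"{e['terminal']} has {user_total} denied attempts "
                          f"on sensitive files; follow up per SSO procedure")
    summary = [f"{u} {f} denied={n}" for (u, f), n in sorted(denied.items())]
    return dict(access_record), alerts, summary


if __name__ == "__main__":
    record, alerts, summary = monitor(parse_log(ACCESS_LOG))
    print(*alerts, sep="\n")
    print("END OF DAY:", *summary, sep="\n  ")
```

Successful accesses are kept as well as denials because the checklist's follow-up step needs both: a denied attempt is only the visible part, and the record of who legitimately touched the same file is what the SSO compares it against.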
- File Security
- Document that online and offline program files are:
- Protected by copies being maintained in a separate building from the original.
- Stored in low fire hazard containers.
- Covered by a current inventory of the files.
- Document that system backup dry runs are attempted on a regular (quarterly) basis and that the backups contain programs currently under development.
- Document that program changes are controlled and recorded and that changes are made only to a reproduced version of the original program file with the original left intact.
- Document that computer operations staff review systems documentation on a regular basis to ensure compliance with operational standards.
- Document that minimum documentation standards are met throughout all operational sections. Documentation should include but not be limited to:
- Detailed production specifications.
- A comprehensive narrative description of the function of the program.
- Detailed logic or flowcharts following established industry standards.
- Current program listings.
- Input and output formats.
- Output samples.
- User documentation.
- Copies of the test data used to generate output samples following the procedures in the user documentation.
- Explanations of codes, tables, calculations, and other details unique to the particular program.
- Explanations of all error messages and program halts.
- Procedures for handling rejected records.
- File sequence descriptions.
- Control and balancing instructions.
- Document that duplicates of all documentation are stored in low fire hazard storage equipment in a separate building from the original.
- Document that the documentation is inventoried at least annually and that the backups are reviewed periodically to ensure that the documentation package is current.
- Document that changes in programs and documentation are coordinated and approved by the cognizant areas and that these changes are reviewed by the internal auditor.
- Data File Standards
- Document that there is a retention cycle for all data files for all applications. This retention cycle review should include:
- Certification that the data and documentation retention cycles are coordinated with the file reconstruction procedures.
- Review by the user for compliance.
- Certification that the data files are maintained within and under the control of the computer complex rather than the user.
- Certification that all files are properly classified in terms of the degree of sensitivity and value to the organization.
- Document that the data files are kept in:
- an area other than the computer room.
- a fire protected area.
- an access-controlled area.
- low fire hazard storage containers.
- Document that dry runs of the data file security system are performed periodically to ensure compliance with standard procedures.
- Document that the staff members understand and comply with the legal requirements for file retention and that they understand the relative value of the programs and applications.
- Document that an overall audit control philosophy relating to computer systems concerning assets exists. This philosophy should include:
- Computer usage and production controls.
- Control of user input to ensure receipt of all data.
- Monitoring of output to meet site established standards.
- Error reporting and follow-up procedures.
- Control of program changes.
- Certification that all program options have been tested.
- Certification that program conversions provide similar results and do not disrupt production continuity.
- A policy detailing the separation of duties.
- Policies for both hardware and software backups.
- The auditability of the system.
- A policy of auditor involvement during the development cycle.
- Shared Resource Systems Security
- Document that for resource sharing systems, remote terminals are available only to selected individuals. This access may be controlled by one or more of the following:
- Locked doors;
- Posted guards;
- Other approved restraints.
- Document that terminals are located such that each user’s privacy is ensured.
- Document the use of passwords and the fact that:
- they are tamper-proof.
- they are linked to individuals and locations.
- they are combined with physical keys.
- the ability to change passwords is closely controlled.
- Document that systems software restricts a given individual to specific data files. This access should control the right to add, delete or modify files.
- Document that the system maintains accurate records of all activity against each data file and that the security override procedure is closely monitored.
- Document the procedures used to monitor the changes to the operating and security systems.
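The password items in this section (tamper-proof, linked to individuals and locations, combined with physical keys, with closely controlled changes) together describe a sign-on decision that can be shown as one routine. The block below is an added example, not part of the original checklist or of any particular system: the accounts, terminal assignments, dates and sign-on attempts are constructed, and PBKDF2 with a per-account salt is a generic choice for the stored verifier (it is what makes the stored value useless if read and detectable if altered), not the mechanism of any system the checklist describes. The 90-day maximum age is likewise an assumed policy value.

```python
"""Remote-terminal sign-on check combining the password controls listed
under Shared Resource Systems Security. Added example; all accounts,
terminals, dates and policy values are constructed."""
import hashlib
import hmac
import os
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value forcing periodic changes
PBKDF2_ROUNDS = 100_000
PASSWORD_CHANGE_LOG = []        # (date, user, authorizer) for each change


def make_verifier(password, salt=None):
    """Salted PBKDF2-SHA256 verifier; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed account table. In a real system the verifiers would live in a
# protected file; the fixed salt here only keeps the example reproducible.
_salt, _digest = make_verifier("correct horse battery", b"\x01" * 16)
ACCOUNTS = {
    "jsmith": {"salt": _salt, "digest": _digest,
               "terminals": {"T01", "T02"},          # location binding
               "password_set": date(1985, 1, 10)},
}


def sign_on(user, password, terminal, key_inserted, today):
    """Return (accepted, reason). Every control must pass. The password is
    compared last, in constant time, so a rejected terminal or missing key
    gives no information about whether the password was right."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False, "unknown user"
    if terminal not in acct["terminals"]:
        return False, "user not authorized on this terminal"
    if not key_inserted:
        return False, "physical key required"
    if (today - acct["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
        return False, "password expired; change required before access"
    _, digest = make_verifier(password, acct["salt"])
    if not hmac.compare_digest(digest, acct["digest"]):
        return False, "password incorrect"
    return True, "sign-on accepted"


def change_password(user, old_password, new_password, today, authorized_by):
    """Controlled password change: the current password must be presented,
    the new one must differ, a fresh salt is drawn, and the change and its
    authorizer are recorded for review."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    _, digest = make_verifier(old_password, acct["salt"])
    if not hmac.compare_digest(digest, acct["digest"]):
        return False
    if new_password == old_password:
        return False
    acct["salt"], acct["digest"] = make_verifier(new_password)
    acct["password_set"] = today
    PASSWORD_CHANGE_LOG.append((today.isoformat(), user, authorized_by))
    return True


if __name__ == "__main__":
    print(sign_on("jsmith", "correct horse battery", "T01", True, date(1985, 3, 4)))
    print(sign_on("jsmith", "correct horse battery", "T09", True, date(1985, 3, 4)))
```

Ordering the checks so that the cheap, non-secret controls (terminal, key, age) are evaluated before the password keeps the verifier from being exercised by requests that would be rejected anyway, and the change log gives the reviewer the "who changed what, authorized by whom" record the checklist asks for.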