The following checklist was developed to assist departments in evaluating security processes and procedures that promote the protection and security of information assets and resources. The goal is to provide you with a comprehensive approach to enhanced security within your organization by presenting opportunities to mitigate risk.
Most of the survey questions can be answered yes or no. Upon completion of the checklist, review the questions with the Dean/Director/Administrator and determine whether your current practices are adequate for the type of protection your data and services require. Look at the questions answered 'no' from a risk-mitigation perspective to decide whether they need to be addressed. What steps would be needed to turn them into positive responses? How important are those issues based on your risk assessment?
Our goal is to assist you with the identification of critical information, security needs and implementation of a plan to meet those needs. Information Technology is ready to assist you with consultation and recommendations. Please call our office at 201-216-5500, or feel free to email email@example.com.
Mitigating Hardware Risks
Is there redundant hardware to allow work to continue in the event of a single hardware failure?
When was it last tested?
Does the uninterruptible power supply (UPS) notify someone when it goes into operation? When was it last tested?
Is there a plan to have departmental hardware replaced at regular intervals?
Does the department have change control procedures?
Does the department have system maintenance standards and procedures?
Does the IT System Administrator ensure that all non-public personal information (NPPI) is removed from equipment before being sent out for repair or replacement?
Is diagnostic hardware and/or software maintained onsite?
Are laptops free of non-public personal information (NPPI) and encrypted where necessary?
Mitigating Software Risks
Do you have original disks to reinstall the software if the hard drive fails?
Is all software supported? If your software is old or unsupported, what are your plans to replace it?
Is locally developed software supported by an easy to reach developer?
Do you have provisions to continue operation if central services software is not available?
Mitigating Environmental Failures
Is your equipment situated in locations that are safe and free from potential hazards (e.g., leaky roofs, inadequate power sources)?
Do uninterruptible power supplies (UPS) protect servers and workstations?
Does heating, cooling and ventilation (HVAC) maintain appropriate temperature and humidity for system operation?
Mitigating Network Failures
Does your department have network documentation to assist in resolving problems with a computer or network device?
Does your department have physical and remote access to your network devices?
Does your department have the ability to continue to function in the event of a wide area network failure?
Department Security Policies
Does the department have written security policies, standards and processes?
Are these documented and available for faculty and staff to view?
Do security standards identify all individuals responsible for implementing such standards and their duties?
Do the standards identify steps to be taken if there is a physical and/or information security breach?
Do the standards define and identify what physical and/or information (NPPI) assets are most important to protect?
Are all departmental staff aware of security processes?
Are departmental staff aware of university IT policies?
Duties & Responsibilities
Deans, Chairs, or Directors
Does the department have an IT system administrator?
Is there a background and/or reference check on new employees?
Are there clearly defined system security procedures for the administrator?
Are security-related duties clear to IT personnel?
Is there an orientation course on good security practices for new employees?
Do all security related IT duties appear in job descriptions?
Are IT staff aware of university policies relating to IT security related positions?
Do security related duties have a place in evaluations?
Do written procedures exist that explain how to perform all IT security related duties?
Are IT personnel up to date on training for security related duties?
Do personnel in your department have sufficient authority to carry out IT security-related duties, and are policies in place to remove employee discretion where necessary?
Are there available and competent personnel to back up IT security related duties in the event the regular system administrator is unavailable?
Are sufficient funds budgeted to cover IT security?
Does the department have a process to address incidents or compromises?
Do employees sign nondisclosure agreements on the use of confidential material/research material?
Has funding been provided to recycle old computers and operating systems?
Primary System Administrator and/or Unit Computing Manager
Does the technical staff review security settings and policies when necessary?
Does the technical staff know how to respond to security breaches?
Does the technical staff use user-level accounts when not providing administrative services?
Can you ensure that any forms of media containing confidential and sensitive information (NPPI) are sanitized before disposal?
Are you fully aware of your duties, responsibilities, and resources?
Have you identified and secured systems that hold critical information, NPPI or applications?
Have you identified and secured documents designated as "critical" or NPPI?
Is data wiped from equipment that is being discarded?
Is mobile equipment free of NPPI and critical information?
Is staff instructed on basic workstation security?
Are users familiar with email best practices?
Are employees aware of the dangers social engineering and social networks can bring?
Does staff have written guidelines for the storage of media files and protecting mobile equipment?
Accounts and Passwords
Is there a departmental policy for selecting strong passwords?
Is the department using software that enforces strong passwords?
Is the system administrator authorized to check for weak passwords?
Are passwords changed? If so, how often?
Is the department planning to use other forms of authentication other than passwords in the future?
Does the department have an account removal process?
Does the department have a method for identifying unauthorized users?
Is there a document establishing the identity and number of those having root access to departmental information?
Is the identity of those having remote access to departmental information known?
Are there written procedures for forgotten passwords?
Are there written procedures for closing accounts when an employee terminates employment?
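As an added illustration of what "software that enforces strong passwords" can actually check, here is a small policy checker written for this page (it is example code, not a Stevens tool or policy; the minimum length, character-class count, repeat limit and the tiny denylist are assumed values a department would set for itself):

```python
import re

# Hypothetical departmental policy values (constructed for this example;
# the checklist does not specify any numbers).
MIN_LENGTH = 12
MIN_CLASSES = 3      # of: lowercase, uppercase, digit, symbol
MAX_REPEAT = 3       # no character repeated more than this many times in a row

# Small constructed denylist of commonly used passwords. A real deployment
# would load a much larger list (e.g. a breached-password corpus).
COMMON_PASSWORDS = {"password", "password1", "letmein", "welcome1", "qwerty123", "changeme"}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    if re.search(r"[a-z]", password):
        classes += 1
    if re.search(r"[A-Z]", password):
        classes += 1
    if re.search(r"[0-9]", password):
        classes += 1
    if re.search(r"[^A-Za-z0-9]", password):
        classes += 1
    return classes


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    # (.)\1{3,} matches one character followed by three more copies, i.e. four in a row
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, password):
        problems.append(f"repeats a character more than {MAX_REPEAT} times in a row")
    lowered = password.lower()
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if lowered in COMMON_PASSWORDS:
        problems.append("is on the common-password denylist")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "Alice!!!!2024xyz", "Correct-Horse-42!"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
```

Returning the full list of violations rather than a single yes/no lets the help desk tell a user exactly which rule a rejected password broke; the denylist check is the piece that "checking for weak passwords" (the item above) most often turns up in practice.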
Federal and State Compliance and Privacy
Are backup files sent off-site to a physically secure location?
Are on-site files in a secure location?
Is the department in compliance with IT standards relative to state and/or federal mandates and grants?
If the department handles credit cards, is use in compliance with Payment Card Industry (PCI) Data Security Program?
Is the department aware of identity theft compliance legislation and the risks of identity theft?
Has a physical security audit been done?
Does the department have physical security standards and procedures?
Are there procedures for locking IT offices and computer rooms?
Does the department have an alarm system?
Are visitors greeted upon arrival?
Are workstations and laptops locked down to deter theft?
Are workstation cases locked to prevent access to internal components?
Are unused laptop computers kept in locked storage areas?
Is security hardware available, and used, when laptops leave the office? (laptop cables, tracking software, etc.)
Are microphones and cameras attached to any workstations or servers secure?
Network and Configuration Security
Does your department have a network diagram that includes IP addresses, room numbers and responsible parties?
Is there an IT auditing standard in place?
Are end users prevented from downloading and/or installing software? How?
Are contents of system logs protected from unauthorized access, modification, and/or deletion?
Is there a retention standard?
Is the CD-ROM Autorun feature disabled on all workstations?
Is password caching disabled on all workstations?
Have "trusted workstations" (workstations with access to critical information) been identified for critical applications?
Have special procedures been set up to maintain security for these?
Are the trusted workstations secured if used for other purposes?
Are trusted workstations SSL, SSH, or VPN enabled?
Are trusted workstations required to have complex passwords?
Are workstations used by more than one employee secured? How?
Are chat clients (ICQ, Yahoo Messenger, IM, etc.) managed (if allowed at departmental workstations) and if so, how are they managed?
Will any clear-text passwords be embedded in SQL scripts for routine functions such as backup and recovery? If so, how will this data be protected?
Is remote control software (for example, PCAnywhere) permitted in the department? If so where? Define how it is controlled.
Is the Administrator account, and any equivalent accounts, on all workstations limited to the office technical support person?
Do administrators use an administrative account ONLY when doing actual administration?
Can users tell if files have been changed? (Is data integrity software in use?)
Have host based firewalls been activated?
Has remote desktop and remote assistance been disabled?
Specific to Web Servers
Is the web server set to only accept traffic on port 80?
Is the web server set to reject attempts to remotely administer it?
Is the web server set to authenticate certain user traffic?
Have the sample files, scripts, help and development files been removed?
Specific to SFTP
Are all servers set to authenticate users?
Are all directories set to either read or write, but not both?
Does the server operator know about site copyright/file-sharing problems and techniques?
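One reading of the "read or write, but not both" item is the classic file-server rule: a public directory should be a download area (readable) or a drop box (writable), never both, because a directory that strangers can both write to and read from becomes a free file-sharing host. The audit below, added for this page as an example (not a Stevens script), walks a tree and flags directories whose "other" permission bits grant both read and write; it uses those bits as a stand-in for the server's own access rules, and the directory layout it builds is constructed:

```python
import os
import stat
import tempfile


def public_read_write_dirs(root: str) -> list:
    """Directories under root (root included) whose 'other' bits grant both read and write."""
    flagged = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IROTH and mode & stat.S_IWOTH:
            flagged.append(os.path.relpath(dirpath, root))
    return sorted(flagged)


def demo() -> list:
    """Constructed layout: a download area, a write-only drop box, and one misconfigured share."""
    root = tempfile.mkdtemp()          # created mode 0700, so the root itself is never flagged
    layout = {"pub": 0o755, "incoming": 0o733, "shared": 0o777}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)           # chmod explicitly so the process umask does not interfere
    try:
        return public_read_write_dirs(root)
    finally:
        for name in layout:
            os.rmdir(os.path.join(root, name))
        os.rmdir(root)


if __name__ == "__main__":
    print("directories readable and writable by everyone:", demo())
```

Run against the real upload root instead of the constructed layout, the list it returns is the set of directories to fix; "pub" (download only) and "incoming" (drop box) pass, "shared" does not.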
Specific to Email
Is the E-mail server set to scan mail and attachments for viruses?
Is the e-mail server set to reject attachments?
Is the e-mail server set NOT to act as a relay?
Is web access to e-mail secured?
Are client connections from outside the subnet secured/encrypted?
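Two of the e-mail items above, "set NOT to act as a relay" and "set to reject attachments", come down to decisions a mail server makes per message. The following example was written for this page to show both decisions in code (it is not Stevens' mail configuration); the local domains, trusted networks, blocked extensions and the sample message are all constructed:

```python
import ipaddress
from email import message_from_string

# Constructed values: the department's own mail domain and the address ranges
# from which unauthenticated clients may hand us mail for other domains.
LOCAL_DOMAINS = {"dept.example.edu"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]

# Attachment extensions the departmental policy refuses outright (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".pif", ".com"}


def relay_allowed(client_ip: str, authenticated: bool, recipient: str) -> bool:
    """The per-recipient decision a server that is NOT an open relay makes."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True          # inbound mail for our own users is always accepted
    if authenticated:
        return True          # our own users may send outbound mail
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)   # anyone else is refused


def blocked_attachments(raw_message: str) -> list:
    """Attachment names the policy rejects, parsed from a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        # Check every extension, not just the last one, so "invoice.pdf.exe" is caught.
        pieces = name.lower().split(".")
        if any("." + p in BLOCKED_EXTENSIONS for p in pieces[1:]):
            hits.append(name)
    return hits


# Constructed sample message with one harmless and one disallowed attachment.
SAMPLE_MESSAGE = """From: sender@example.org
To: user@dept.example.edu
Subject: Files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

if __name__ == "__main__":
    print("relay for stranger to other domain:", relay_allowed("198.51.100.7", False, "x@other.example.net"))
    print("blocked attachments:", blocked_attachments(SAMPLE_MESSAGE))
```

The relay rule is the same three-way test most MTAs express in their configuration (local destination, authenticated sender, trusted network); if all three fail the message is refused, which is what "not a relay" means operationally.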
Specific to Network
Does the department have an Internet Use Policy?
Does the department have a network map/diagram?
Does the department have an inventory of devices attached to the network?
Are the room jacks mapped to a switch port?
Is there a policy as to how network services are accessed by users?
Business Continuity and Disaster Planning
Is there a written contingency plan to perform critical processing in the event that on-site workstations are unavailable?
Do you have a plan to continue departmental business in the event that the University's central systems are down for an extended period?
Do you have a partnership with vendors who can help in an emergency if your equipment is damaged due to disaster?
Is the contingency plan periodically tested to verify it can be followed to resume critical processing?
Backup and Recovery
Are critical files regularly backed up?
Do you store media off site?
Is the environment of a selected off-site storage area (temperature, humidity, etc.) within the manufacturer's recommended range for the backup media?
Are backup files periodically restored as a test to verify they are usable?
Are records kept of systems changes?
Is there a process for communication of systems changes?
Does the department have a configuration/asset control plan for all hardware and software products?
Does the department have a version control plan for software products?
Does the department have network and system diagrams of all system resources?
Are only trained authorized individuals allowed to install computer equipment and software?
Are maintenance records kept to indicate what repairs and/or diagnostics were performed and by whom?
Are software patches applied regularly to all workstation software, especially the operating system, web browser, word processor, spreadsheet, and database? How often is this checked?
Have you created a plan for upgrades and set aside funding to enable you to keep software up to date?
Is all software in your department licensed to Stevens?
Are you aware of site licensed software?
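Two items on this checklist ask the same underlying question: "Can users tell if files have been changed? (Is data integrity software in use?)" under Network and Configuration Security, and "Are backup files periodically restored as a test to verify they are usable?" in this section. Both are answered by keeping a manifest of file hashes and comparing a tree against it later, either the live system (integrity monitoring) or a test restore (backup verification). The example below was written for this page (it is not a Stevens tool); the manifest file name and the small tree it builds and tampers with are constructed:

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical name for the stored baseline (constructed for this example).
MANIFEST_NAME = "integrity-manifest.json"


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root) to its digest and size."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root_path).as_posix()
            manifest[rel] = {"sha256": sha256_of(full), "size": full.stat().st_size}
    return manifest


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Report files that changed, appeared, or vanished since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p]["sha256"] != current[p]["sha256"]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def verify_tree(root, baseline: dict) -> dict:
    """Hash a tree now and compare it with a stored baseline."""
    return compare_manifest(baseline, build_manifest(root))


def save_manifest(manifest: dict, dest) -> None:
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Build a small constructed tree, take a baseline, tamper with it, and report the drift."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "etc").mkdir()
        (work / "etc" / "app.conf").write_text("debug = false\n")
        (work / "bin.sh").write_text("#!/bin/sh\necho ok\n")
        (work / "notes.txt").write_text("unchanged\n")
        baseline = build_manifest(work)
        # Simulate what an intruder, or a faulty restore, might leave behind.
        (work / "etc" / "app.conf").write_text("debug = true\n")      # modified
        (work / "extra.so").write_text("not really a library\n")       # added
        (work / "bin.sh").unlink()                                     # missing
        return verify_tree(work, baseline)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For integrity monitoring, store the manifest somewhere the monitored system cannot modify (otherwise an intruder rewrites the baseline along with the files); for backup verification, write the manifest at backup time and run verify_tree against the test-restore directory, where an empty report is the evidence that the backup is usable.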
User Awareness Training
Do you require new employees to read any university and department level policies?
Does your staff know what's expected of them regarding security for the university and your department?
Is department staff aware of security in regard to handling email, social engineering, passwords, etc.?
Network and Host Based Security
Does the department have any way of telling that systems have been or are being compromised?
Has penetration testing been done for the department?
Are host based firewalls enabled on all desktops and laptops?
Is critical data or non-public personal information (NPPI) stored on a department server protected from compromise?
Can you monitor if anyone is accessing critical data?
How often are logs reviewed?
Is there central monitoring of settings and logs?
Are all workstations running Stevens' current McAfee anti-virus software with automatic update?
Are you aware that anti-virus/anti-spyware software is covered for all faculty/staff/students with the university's site license at no cost to the department?
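"Does the department have any way of telling that systems have been or are being compromised?" and "How often are logs reviewed?" are only useful if someone actually reads the logs with a question in mind. The example below, written for this page rather than taken from any Stevens system, reviews SSH authentication lines for the two patterns a reviewer most wants to see: sources with many failed logins, and a successful login from a source that had just been failing repeatedly. The log lines are constructed in the sshd format, and the threshold is an assumed value:

```python
import re
from collections import Counter, defaultdict

# Matches the two sshd outcomes we care about, e.g.
#   "sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def review_auth_log(text: str, threshold: int = 4) -> dict:
    """Summarise failed logins per source and flag successes that follow a burst of failures."""
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failures = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # lines this reviewer does not understand are skipped, not counted
        src, user, result = m["src"], m["user"], m["result"]
        if result == "Failed":
            failures[src] += 1
            users_tried[src].add(user)
        elif failures[src] >= threshold:
            # A success right after repeated failures is the line worth a phone call.
            success_after_failures.append({"source": src, "user": user, "failures_before": failures[src]})
    flagged = sorted(src for src, n in failures.items() if n >= threshold)
    return {
        "failures_by_source": dict(failures),
        "flagged_sources": flagged,
        "usernames_tried": {src: sorted(users_tried[src]) for src in flagged},
        "success_after_failures": success_after_failures,
    }


# Constructed sample: one outside address guessing several accounts before getting in,
# and one inside address with a single typo followed by a normal key login.
SAMPLE_LOG = """\
Mar  3 08:01:11 fileserv sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:01:13 fileserv sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:01:15 fileserv sshd[2103]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 08:01:17 fileserv sshd[2105]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar  3 08:01:19 fileserv sshd[2107]: Failed password for jsmith from 203.0.113.45 port 51040 ssh2
Mar  3 08:01:21 fileserv sshd[2109]: Accepted password for jsmith from 203.0.113.45 port 51041 ssh2
Mar  3 08:05:02 fileserv sshd[2150]: Failed password for mlee from 10.20.4.18 port 40212 ssh2
Mar  3 08:05:09 fileserv sshd[2152]: Accepted publickey for mlee from 10.20.4.18 port 40213 ssh2
"""

if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG)
    for item in report["success_after_failures"]:
        print(f"REVIEW: {item['user']} logged in from {item['source']} after {item['failures_before']} failures")
    print("sources over threshold:", report["flagged_sources"])
```

Run daily over the previous day's auth log (or fed from the central log collector the "central monitoring" item asks about), the success-after-failures list is short enough for a system administrator to check by hand, which is what makes a review schedule realistic.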