To provide an evaluation report make two lists. One list will contain the statements from the checklist which were positive which you can use to prepare an evaluation report. The other will contain a list of issues and negative observations which you will address for the Security Plan.
The Checklist provides questions. You can turn these questions into statements to provide the basis for an evaluation report. The Evaluation will provide information on what the department now has in relation to security.
Sample Departmental Evaluation Report
This is a Sample Evaluation Report. This evaluation started with an Inventory and Risk Assessment followed by a Security Checklist. Statements on the sample report below have been gleaned from the Security Checklist. All items answered 'no' should be addressed in the following Sample Security Plan. Be sure to take into consideration the level of risk from Step 2 (Risk Assessment).
The following is based on the positive responses to the security checklist. Everything checked 'yes' on the Checklist is used and stated in this report.
A process has been developed to address vulnerabilities, performance measures and security tools. Most vulnerabilities found in recent scans have been corrected with the remaining vulnerabilities being addressed.
This Sample department has redundant hardware to allow work to continue in the event of a single hardware failure. Most of the department's equipment is currently covered by service contracts. Uninterruptible Power Supplies (UPS) protect servers and workstations in the event of power outages. UPS' were last tested 1/25/09. The UPS does not notify when it goes into operation.
The departmental hardware is recycled at three year intervals. The Sample department has change control procedures and system maintenance standards and procedures which are documented. The department's IT System Administrator ensures that all sensitive data is removed from equipment before being sent out for repair. Diagnostic software is not maintained onsite.
Original disks to reinstall software are kept with workstations in the event of hard drive failure. The Sample department has a database which is running on an old Paradox application. Since the software is no longer supported our intention is to move it to Access in the near future. The Sample department has no locally developed software. The Sample department does not have provisions to continue operation if central services software is not available.
The Sample department is in a new building and our equipment situated in locations that are safe and free from potential danger. The Sample department does not have network documentation to assist problem resolution of a computer or network device. The Sample department does not have physical and software access to network devices. The Sample department does not have the ability to continue to function in the event of a wide area network failure.
Department Security Policies
The Sample department has written the following security policies, standards and processes.
Response to security incidents
Policies, standards and processes are kept in a bookcase in the department conference room. Security standards do not currently identify all individuals responsible for implementing Sample department standards and their duties. Department standards identify steps to be taken if there is a physical and/or information security breach. Standards identify that contracts, social security numbers, and health records are most important to protect. All departmental staff are aware of University and departmental security policies, standards and processes via an annual security review.
Duties and Responsibilities
The Sample department has hired a full-time permanent systems administrator. The systems administrator understands her duties related to IT security which have been clearly defined. All security related IT duties appear in job descriptions and are reviewed during evaluations. Written procedures do not currently exist explaining how to perform all IT security related duties. Some IT personnel require additional training to accomplish security related duties which will be addressed in the near future.
Personnel in the Sample department do not have sufficient authority to accomplish IT security related duties. Policies are needed to remove employee discretion in questionable situations.
Competent personnel are available to back up IT security related duties in the event the regular System Administrator is unavailable for short periods of up to two weeks. Assistance would be requested for longer periods. Sufficient funds have not been budgeted to cover IT security. The following items will be budgeted in coming years:
- Additional personnel
- Host based firewalls
- Integrity checking software
Employees currently do not sign nondisclosure agreements on the use of confidential material/research material.
Accounts and Passwords
Currently there is not a departmental policy for selecting strong passwords. The Sample department is not using software that enforces strong passwords. The systems administrator is not authorized to check for weak passwords. Passwords are changed at the will of the user. The Sample department is not planning to use any other form of authentication other than passwords in the future. The department does not have an account removal process. The department does not have a method for identifying unauthorized users. Staff receive security awareness training annually. There is a document held by the Director and systems administrator establishing the identity and number of those having root access to departmental information. The identity of those having remote access to departmental information is not currently known. Forgotten passwords are addressed through the Help Desk. There are no written procedures for closing accounts when an employee terminates employment.
Privacy and Confidential Data Storage
Files kept on-site in a secure location.
A physical security audit was done when the Sample department moved into the building last year. The department has physical security standards and procedures, however they are not documented. The department has an alarm system. Doors are locked when the building is vacant. Workstations and laptops are kept behind locked doors when they are not being used. CPU cases are not locked. The department does not have microphones or cameras attached to any workstations or servers. The Sample department does not have a standard or procedure for sanitizing and disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, etc.
Network and Configuration Security
The Sample department does not have a network diagram that includes IP addresses, room numbers and responsible parties. The department does not have an inventory of devices attached to the network room nor are jacks mapped to a switch port. The department has an Internet Use Policy. The Sample department does not have a policy as to how network services are accessed by users.
There is an IT auditing standard in place. End users are prevented from downloading and/or installing software. Contents of system logs are protected from unauthorized access, modification, and/or deletion due to limited access. The retention standard is being discussed. "Trusted workstations" been identified for critical grant applications. Special security procedures will be addressed for these via policy. Workstations for critical applications are used by a single user. Said user has additional responsibilities for which the critical workstation is used. "Trusted workstations" have complex passwords and use one-time passwords for critical applications. Other workstations used by more than one employee are secured via password and locked doors.
Clear-text passwords are embedded in SQL scripts for routine functions such as back up and recovery. Protection is currently being discussed. Remote control software (for example, PCAnywhere) is permitted in the department. Software is controlled via policy. The Administrator account, and any equivalent accounts, on all workstations is limited to the office technical support person and password protected. Administrators only use an administrative account when doing actual administration. Data integrity software is not in use.
The Sample department does not have an email server.
Business Continuity and Disaster Planning
The Sample department does not have a written contingency plan to perform critical processing in the event that on-site workstations are unavailable nor a plan to continue departmental business in the event that Central Systems are down for an extended period. The department has a close partnership with vendors who can help in an emergency if equipment is damaged due to disaster.
Backup and Recovery
Sample department critical files are regularly backed up with media stored on site in a locked location. Backup files are rarely restored as a test to verify they are usable.
The Sample department keeps records of systems changes. The change control log is the only process for communication of systems changes. The department does not have a configuration/asset control plan for all hardware and software products other than the three-year renewal plan. The department does not have a version control plan for software products. The department does not have network and system diagrams of all system resources. Maintenance records are kept to indicate what repairs and/or diagnostics were performed and by whom.
Software patches are applied to all workstation operating systems automatically and software, web browsers, word processing, spreadsheet, and databases monthly. The department has not created a plan for upgrades and nor set aside funding to enable keeping software up to date.
All software in the Sample department is licensed with available proof of purchase.
User Awareness Training
The department reviews security annually and requires new employees to read university and department level documents.
Staff knows what's expected of them regarding security.
Network and Host Based Security
The department currently has no any way of determining they have been or are being attacked. Penetration testing has not been done for the department. There are no workstations running host based IDS.
Critical data is stored on the department server requiring protection from compromise. The department cannot monitor anyone accessing critical data. Personal firewall software is not in use on any workstations. The department does not have enough technical staff to manage individual firewalls on all desktops nor a network firewall.
All workstations are running the latest version of anti virus software, scanning engine and virus signatures. Staff notify their systems administrator if a virus or other malware is found.
According to the Department Security Checklist the following IT security issues should be addressed: (these are addressed in the Departmental Security Plan)
- Regular testing of UPSs
- Maintain diagnostic software onsite
- Move database to new software
- Provisions to continue operations in the event central services software is not available
- Network documentation for computers and network devices
- Physical and software access to network devices
- WAN failure department functionality
- Staff duties and standards
- Documentation to explain how to perform all IT security related duties
- Additional training (target dates and suggested training)
- Delegation of authority
- Non disclosure agreements
- Enforce and check strong passwords (authorize)
- Account removal process
- Unauthorized users
- Remote access authorization not known
- Document physical security procedures
- Procedure for disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, etc.
- Network diagram that includes IP addresses, room numbers and responsible parties
- Log retention standard
- Need protection for clear-text passwords that are embedded in SQL scripts
- The FTP server operator needs more information about site problems and techniques
- Data integrity software
- Inventory of devices attached to the network
- Room jacks mapped to a switch port
- Written contingency plan
- Plan to continue departmental business in the event that Central Systems are down
- Should the department store back-up media off site?
- Regular dates to verify backup capabilities
- Configuration/asset control plan
- Network and system diagrams of all system resources
- Only trained authorized individuals install computer equipment and software
- Plan and funding for upgrades
- No any way of determining if they have been or are being attacked (IDS) (firewall)
- Monitor anyone accessing critical data
- Secure workstation recommendations
- Password policy
- Account removal policy
- Prohibition of chat clients policy
- Trusted workstation security standard