security-policy-checklist-.pdf

Checklist: IT Security Policy Version 1.0 April 27, 2005

By David M Davis, CCIE, MCSE Every organization, large or small, needs a solid IT Security Policy. The following comprehensive checklist can help you get started in creating a policy, or it can help audit the one you already have. This checklist, based on suggestions submitted by TechRepublic members, covers a wide variety of technologies and issues, and provides some helpful recommendations.

Planning Item Notes Web browsing

Document the central point of control for Web browsing. Perhaps it is a proxy server, a router, or a firewall.

Document who has access to determine who can perform Web browsing, what Web sites users can access, and when they can access those sites. Some newer Web browsing content control systems can even categorize sites and control who can access certain categories of sites and for how long (i.e. Joe can only access news sites for 20 minutes per day).

Document the method for reporting who is browsing the Web, what sites they are visiting, who those reports will be delivered to, and how often.

Document what the process is if an employee visits improper sites or engages in excessive Web browsing, and define those two actions. Also, is it the job of IT to notify their supervisor?

Log all Web browsing activity, making sure to record the username, and make it clear in the policy that this is a company practice.

Ensure that all employees are aware of the company’s Web browsing policy. This is important since most employees will browse the Web everyday and the security policy about Web browsing is something that will most likely affect them.

Implement Windows Group Policy settings (if using Active Directory) on Internet Explorer to strengthen end user systems and protect from some malicious Web content. For example, using GPO you can standardize Windows IE settings throughout the company to that browsers do not download unsigned ActiveX components. Make it a company policy not to download unsigned ActiveX controls unless they are approved by IT

Put download security software in place to prevent adware, malware, and spyware from being unknowingly installed on users’ machines. Use this download security software to block/quarantine certain types of downloads (perhaps MP3s or videos) and to scan other downloads for viruses.

Page 1

Copyright ©2005 CNET Networks, Inc. All rights reserved. For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

Checklist: IT Security Policy

Username and passwords Implement complex password requirements. This can be done

with a Windows policy. Using a Group Policy (if possible), force passwords to be reasonable long, to expire every few months, to prevent the reuse of old passwords, and to lock out users with too many failed logins.

Log successful and failed logins and logouts. This is especially important for administrator accounts.

Consider renaming the default "Administrator" account so that it is less of a target for password cracking.

Consider using Single-Sign-On (SSO) so that all users only have one username/password to remember for all applications. This is only important if you have multiple username/password databases for authentication (such as Windows, Linux/UNIX, and Novell) or if you have different applications with their own username/password database.

Document your policy on usernames and passwords and educate users on the proper use of them.

Periodically perform in-house password cracking attempts on administrator accounts to test the strength of passwords. This can be done with a tool such as L0ptcrack.

Instant Messaging

Seriously consider blocking all instant messaging (IM) unless it is needed for business reasons.

If IM is needed for business reasons, implement a program to control who can use it, what software they can use, and log all conversations. Programs that do this can also control the content that is passed through the IM conversations and whether they can send/receive downloads through IM (which can open up the company to virus, malware, and privacy concerns).

Document and educate users on your IM policies. E-Mail

Document what level of storage will be required from each e-mail user. Determine what will be the consequences when an e-mail user exceeds their quota (such as preventing them from sending and/or receiving email).

Control external access to internal groups (such as “all employees”).

Consider performing e-mail content control to prevent trade secrets or confidential information from exiting the company.

Page 2



Implement a corporate e-mail anti-spam program.

Educate users on the proper use of e-mail and how they should not give out their e-mail address to companies that might send them spam. Educate users on what to do if they do receive spam.

Implement e-mail antivirus scanning

Implement an email archiving program. Depending on the advice of your company’s legal team, the archive program may be used more to destroy email at set expiration dates instead of preserving email. The other function of the archiving program is to control the size of the email database.

Develop a policy on using company e-mail for personal use (including the forwarding of jokes and chain letters) and decide what is "acceptable use." Educate users on this policy.

Educate users on “phishing” scams to help prevent identity theft.

File access permissions

Document who the owners are for critical files. These will be the persons who determine who has access to what. Determining who has access to what should not be an IT function. The function of IT is to configure that access within the operating system or application once it is determined.

Watch out for shares with the default permission "Everyone."

Consider logging success and failure access and modifications to files.

Backups

Document what data needs to be backed up, how often it should be backed up, and how long it should be retained. Document how often a test should be done to ensure that the backups are restorable.

Consider encrypting backup tapes so that the data cannot be recovered if they are lost or stolen.

Ensure that backups are taken offsite. Consider a service that will do this for you.

Crisis management and Disaster recovery

Develop a crisis management plan. This plan should cover not just an IT crisis but any crisis that may occur. This should include natural disasters and terrorist attacks.

Page 3



Develop an IT disaster recovery plan. This plan must be periodically tested. We won’t go into how to create a disaster recovery plan, as that is outside of the scope of this document. However, this document can help.

Physical

Document what physical security controls are in place for IT security. Does the datacenter/server room have locks on the doors? Are they electronic locks with a log of who goes in and out? Does the room have windows that could be broken? How resilient would it be to a flood, tornado, or power outage? Are there UPS and generators in place? What sort of fire protection does the datacenter/server room have? Also, consider video surveillance. Keep in mind that this only covers IT assets and does not cover physical security for the entire company.

Ensure against physical access to a console that can connect to servers, routers, and/or switches.

PCs and laptops

Document the controls on PCs and laptops.

Users should not have administrator privilege on their local PCs, unless there is a stated business need for it (e.g. to run a business application). Users should always log onto the domain and not have a local account, if possible.

Use file encryption so that if a PC or laptop is lost or stolen, its data cannot be read.

Run antivirus and anti-spyware on all PCs and laptops

Consider a personal firewall on laptops because they will travel from network to network.

Implement Windows Group Policy security controls to lock down what users can do on PCs and laptops. For instance, preventing users from being able to install programs.

Develop a procedure to ensure that PCs and laptops have the latest patches installed.

Develop a policy on USB removable devices. These are a major security risk because they can easily be used to remove large amounts of data, including corporate secrets.

Remote access

Control who has access to dial-up and VPN remote access. Only set up permissions for those who truly need it. The list should be as short as possible.

Document the company’s policy on remote access

Page 4


http://techrepublic.com.com/5138-10593-729828.html


Log the success and failure of logins for remote access

Periodically have a 3rd party company perform a penetration test on any dial-up remote access methods.

Implement a method to ensure that clients connecting through remote access have the proper antivirus and patches installed to prevent them from infecting the company’s systems. Document whether remote VPN users can have a split tunnel.

Consider using access tokens as a secondary authentication method for remote access. This way, if a username and password are stolen, they still cannot be used to gain access to the network without the token.

Servers, routers, and switches

Run antivirus anti-spyware software on servers

Ensure that servers, routers, and switches have the latest patches installed.

Log the events from these devices to a central logging server.

Run performance monitoring software so that you can be alerted if something abnormal happens on the servers or the network. Many times, this can be an indication of a security breach or another critical problem.

Document who has administrator/root level access on these devices and how often the password is changed.

Document what privilege and access method will be given to vendors who need access to support and/or change servers and network devices.

Document the security around the software development and testing environment, as well as the server and network device testing environment.

Harden servers and network devices based on guidelines that are available from sites like the NSA.

Internet / external network

Periodically (I suggest quarterly) have a 3rd party company perform a penetration test on your Internet connection (or connections).

Protect the internal network and the DMZ from the external network with a stateful firewall. Log what the firewall denies from coming into the network.

Document the firewall rules with explanations, and make firewall configurations consistent across different segments.

Use an Intrusion Prevention System to stop malicious attacks that would have, otherwise, gotten through the firewall.

Page 5


http://www.nsa.gov/snac


Ensure that you have the fewest number of Internet connections as possible (including dial-up connections). Every Internet connection is an avenue for a malicious attacker to get into your network.

Consider implementing a Security Information Management (SIM) in your network as a central repository for security information that will do event correlation and alerting.

Wireless

Periodically have a 3rd party company perform a penetration test on your wireless networks.

Ensure that you are using the strongest form of WEP encryption possible.

Consider a wireless security product that will help to prevent wireless signals from leaving your building or office and will control rogue access points on your network.

Consider using 802.1X authentication as a secondary authentication method for any wireless users (besides WEP key).

Consider putting the wireless network in the DMZ and forcing users to connect to it via a VPN connection.

Document the wireless security policy and educate users on it. Logging

Implement a centralized logging server

Document how information is logged, who can view the logs, and how long those logs are kept. Various sections above cover what specifically should be logged.

PDA and cell phone

Document proper and improper company use of cellular phones and PDA’s.

Consider using a product that will “remote kill” a lost PDA or cell phone and render its data useless.

Document what types of cellular phones will be supported and who will support them.

Documentation and change management

Document who will control the changes made to the security policy and who will keep the documentation up to date.

Document the process that changes must go through before they can be implemented.

Page 6



David Davis manages a group of systems/network administrators for a privately owned retail company. He also does networking/systems consulting on a part-time basis. His certifications include IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and CCNP. He is also Cisco CCIE #9369.

Additional resources • Sign up for our Security Solutions newsletter, delivered on Fridays • Sign up for our IT Management newsletter, delivered on Tuesdays, Thursdays, and Fridays • Check out all of TechRepublic's newsletter offerings. • Information Security Policy (TechRepublic download) • Sample PDA IT support policy (TechRepublic download) • Disaster recovery plan template (TechRepublic download) • Crisis communications policy (TechRepublic download)

Version history Version: 1.0 Published: April 27, 2005

Tell us what you think

TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible. Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback. Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions for improvement.

Thanks!

—The TechRepublic Downloads Team

Page 7


http://techrepublic.com.com/5213-6257-0.html?id=994753

http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e036

http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e106

http://nl.com.com/acct_mgmt.jsp?brand=techrepublic&return_to=http://techrepublic.com.com/





mailto:[email protected]?subject=Download_Feedback

Documents

security-policy-checklist-.pdf