IT infrastructure security checklist for the company to maintain security during COVID-19

PERSONNEL SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Are authorized access levels and types identified for accessing resources and entering company premises? | | |
| Do you have policies addressing background checks for employees and contractors? | | |
| Do you have a process for effectively cutting off access to facilities and information systems when an employee/contractor terminates employment? | | |

PHYSICAL SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Do you have policies and procedures that address allowing authorized and limiting unauthorized physical access to electronic information systems and the facilities in which they are housed? | | |
| Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring? | | |
| Is access to your computing area controlled (single point, reception or security desk, sign-in/sign-out log, temporary/visitor badges)? | | |
| Are visitors escorted into and out of controlled areas? | | |
| Are your PCs inaccessible to unauthorized users (e.g. located away from public areas)? | | |
| Are your computing area and equipment physically secured? | | |
| Are there procedures in place to prevent computers from being left in a logged-on state, however briefly? | | |
| Are screens automatically locked after 10 minutes idle? | | |
| Are modems set to Auto-Answer OFF? | | |
| Do you have procedures for protecting data during equipment repairs? | | |
| Do you have an emergency evacuation plan, and is it current? | | |
| Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency? | | |
| Are key personnel aware of which areas and facilities need to be sealed off and how? | | |
| Wipe content on all devices before they are discarded or transferred to others | | |
| Develop and implement procedures to prevent unauthorized data transfer via USB drives and other portable devices | | |
| Secure all computer equipment and servers in a locked storage area with specific individual access permissions | | |
| Set automatic timeouts for all computers following a period of inactivity | | |
| Establish policies and procedures to disable inactive accounts, including those of transferred or terminated employees, after a set time period | | |
| Identify lost or stolen laptops and devices immediately; establish appropriate procedures for employees to report lost items | | |

ACCOUNT AND PASSWORD MANAGEMENT

| Procedure | Yes | No |
| --- | --- | --- |
| Do you have policies and standards covering electronic authentication, authorization, and access control of personnel and resources to your information systems, applications and data? | | |
| Do you ensure that only authorized personnel have access to your computers? | | |
| Do you require and enforce appropriate passwords? | | |
| Are your passwords secure (not easy to guess, regularly changed, no use of temporary or default passwords)? | | |
| Are your computers set up so others cannot view staff entering passwords? | | |

CONFIDENTIALITY OF SENSITIVE DATA

| Procedure | Yes | No |
| --- | --- | --- |
| Do you classify your data, identifying sensitive versus non-sensitive data? | | |
| Are you exercising your responsibilities to protect sensitive data under your control? | | |
| Is the most valuable or sensitive data encrypted? | | |
| Do you have a policy for identifying the retention period of information (both hard and soft copies)? | | |
| Do you have procedures in place to deal with credit card information? | | |
| Do you have procedures covering the management of personal private information? | | |
| Is there a process for creating retrievable backup and archival copies of critical information? | | |
| Do you have procedures for disposing of waste material? | | |
| Is waste paper binned or shredded? | | |
| Is your shred bin locked at all times? | | |
| Do your policies for disposing of old computer equipment protect against loss of data (e.g. by reading old disks and hard drives)? | | |
| Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media unusable and inaccessible (such as shredding CDs and DVDs, electronically wiping drives, burning tapes, etc.)? | | |

DISASTER RECOVERY

| Procedure | Yes | No |
| --- | --- | --- |
| Do you have a current business continuity plan? | | |
| Is there a process for creating retrievable backup and archival copies of critical information? | | |
| Do you have an emergency/incident management communications plan? | | |
| Do you have a procedure for notifying authorities in the case of a disaster or security incident? | | |
| Does your procedure identify who should be contacted, including contact information? | | |
| Is the contact information sorted and identified by incident type? | | |
| Does your procedure identify who should make the contacts? | | |
| Have you identified who will speak to the press/public in the case of an emergency or an incident? | | |
| Does your communications plan cover internal communications with your employees and their families? | | |
| Can emergency procedures be appropriately implemented, as needed, by those responsible? | | |

SECURITY AWARENESS AND EDUCATION

| Procedure | Yes | No |
| --- | --- | --- |
| Are you providing information about computer security to your staff? | | |
| Do you provide training on a regular, recurring basis? | | |
| Are employees taught to be alert to possible security breaches? | | |
| Are your employees taught about keeping their passwords secure? | | |
| Are your employees able to identify and protect classified data, including paper documents, removable media, and electronic documents? | | |
| Define policies and procedures for employee use of your organization's information technologies | | |
| Employ a system use notification banner before granting employees access to the system that informs them of applicable regulations and federal laws (i.e. system usage may be monitored, recorded, and subject to audit, and unauthorized use of the system is prohibited and subject to criminal and civil penalties) | | |
| Require employees and staff to use strong passwords for networks and systems with a combination of letters, numbers, and special characters | | |
| Require frequent password resets for all systems | | |
| Implement multiple authentication methods for computers and networks | | |
| Does your awareness and education plan teach proper methods for managing credit card data (PCI standards) and personal private information (Social Security numbers, names, addresses, phone numbers, etc.)? | | |

COMPLIANCE AND AUDIT

| Procedure | Yes | No |
| --- | --- | --- |
| Do you review and revise your security documents, such as policies, standards, procedures, and guidelines, on a regular basis? | | |
| Do you audit your processes and procedures for compliance with established policies and standards? | | |
| Do you test your disaster plans on a regular basis? | | |
| Does management regularly review lists of individuals with physical access to sensitive facilities or electronic access to information systems? | | |

NETWORK SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Conduct a computer network assessment to obtain the information you need to develop a cybersecurity plan to reduce cyber attacks and address breaches | | |
| Encrypt all computers and mobile devices issued by the organization; pre-approve the use of any devices not issued by the organization | | |
| Implement role-based access to all systems to ensure employees only have access to the programs and applications necessary to perform the functions of their job | | |
| Prevent the installation of any peer-to-peer software applications | | |
| Perform regular desktop audits for the entire organization to ensure unauthorized software applications are not installed | | |
| Install and regularly update anti-virus software on all network computers | | |
| Conduct anti-virus scans on all incoming and outgoing files | | |
| Research and build the necessary firewalls to protect against intruders | | |
| Develop security policies for the use of virtual private network or remote connections | | |
| Configure any electronic health records (EHR) system or database to require specific access permissions for each user; inquire with the EHR vendor to determine how they provide updates and technical support | | |
| Back up data regularly and develop a plan to access information quickly in case of a natural or man-made disaster | | |

RISK AND GOVERNANCE

| Procedure | Yes | No |
| --- | --- | --- |
| Update and communicate acceptable use policies for employees and address the use of home computing devices. | | |
| Identify functions requiring secure IT environments that remote working may not provide, and develop ways of performing them. | | |
| Anticipate how entities on which your business depends — cloud, network infrastructure providers, and others — may be affected by COVID-19 disruptions, and develop resiliency options. | | |
| Refresh and update cyber incident response and disaster recovery plans to address current operational needs. | | |
| Regularly communicate cybersecurity awareness messages to employees to reinforce security procedures. | | |

SERVER SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Do you use configuration security standards? | | |
| Are tools used to initially harden production systems? | | |
| Are tools and technologies used to automate secure host builds and host hardening? | | |
| Is a dedicated group responsible for secure builds and host hardening? | | |
| Do secure configuration guidelines exist for deployed network devices? | | |
| Is testing conducted to validate host hardening and secure build efforts? | | |
| Are system baselining and integrity checking performed? | | |
| Does an established system patch and update policy exist? | | |
| Are the latest vendor-supplied security patches tested and applied within a scheduled timeframe for release to system components and software? | | |
| Do you apply patches within seven days of the vendor releasing them? | | |
| Is the organization using a tool to detect known vulnerabilities and/or missing patches? | | |
| Does an established antivirus signature update policy exist? | | |
| Does an established IDS signature update policy exist? | | |
| Are all patches tested prior to production deployment? | | |
| Do network or other controls exist to detect direct patching or updating of systems from the internet? | | |
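As an added example (not part of the original checklist), a small Python audit helper that scores patch records against two of the items above: the seven-day window after vendor release and the requirement that every patch be tested before production deployment. Host names, patch identifiers and dates are constructed for the sample; the record layout is an assumption, not a real tool's format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 7  # the checklist's "within seven days of the vendor releasing them"

@dataclass
class PatchRecord:
    host: str                # constructed host name, not a real asset
    patch_id: str            # constructed identifier, not a real advisory number
    released: date           # vendor release date
    tested: Optional[date]   # date the patch passed pre-production testing, if any
    applied: Optional[date]  # date applied to the production host, if any

def audit_patch(rec: PatchRecord, as_of: date) -> List[str]:
    """Return checklist findings for one record; an empty list means compliant."""
    findings = []
    deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
    # "Do you apply patches within seven days of the vendor releasing them?"
    if rec.applied is None:
        if as_of > deadline:
            findings.append(f"{rec.host}: {rec.patch_id} unapplied, "
                            f"{(as_of - deadline).days} day(s) past the 7-day window")
    elif rec.applied > deadline:
        findings.append(f"{rec.host}: {rec.patch_id} applied "
                        f"{(rec.applied - deadline).days} day(s) late")
    # "Are all patches tested prior to production deployment?"
    if rec.applied is not None and (rec.tested is None or rec.tested > rec.applied):
        findings.append(f"{rec.host}: {rec.patch_id} deployed to production without a prior test record")
    return findings

def audit_inventory(records: List[PatchRecord], as_of: date) -> List[str]:
    """Run audit_patch over a whole inventory and collect the findings."""
    return [f for rec in records for f in audit_patch(rec, as_of)]

# Constructed sample inventory and audit date (not real hosts, patches or incidents).
AS_OF = date(2020, 4, 20)
SAMPLE = [
    PatchRecord("web-01", "PATCH-A", date(2020, 4, 1), date(2020, 4, 3), date(2020, 4, 5)),   # compliant
    PatchRecord("web-02", "PATCH-A", date(2020, 4, 1), date(2020, 4, 3), date(2020, 4, 12)),  # applied late
    PatchRecord("db-01", "PATCH-B", date(2020, 4, 10), None, date(2020, 4, 11)),              # never tested
    PatchRecord("db-02", "PATCH-B", date(2020, 4, 10), None, None),                           # overdue, unapplied
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE, AS_OF):
        print(line)
```

Feeding the same records from a patch-management export lets the audit question be answered with evidence rather than a self-reported Yes/No.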

APPLICATION SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Is a formal methodology or process used to guide the acquisition, deployment or maintenance of software systems? | | |
| Is a Security Development Lifecycle (SDL) utilized in software development? | | |
| Does management provide effective support and resources for the SDL process? | | |
| Are SDL tasks and deliverables built into the software development schedule? | | |
| Have security requirements been established, including the planned operational environment? | | |
| Have bug and quality bars been established and integrated into the issue tracking system? | | |
| Have security and privacy risk assessments been conducted? | | |
| Did the product team follow good design practice? | | |
| Has the attack surface been analysed and appropriately minimized? | | |
| Has threat modelling been performed appropriately to identify potential vulnerabilities? | | |
| Were unsafe functions defined and deprecated? | | |
| Does development follow secure programming practices? | | |
| Does the application perform proper error handling so that error messages do not reveal potentially harmful information to unauthorized users? | | |
| Have you disabled default passwords while installing the applications? | | |
| Have you removed/disabled the functionalities that allow the bypass of security controls prior to implementation in a production environment? | | |

WI-FI SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Have you changed the SSID of your wireless router while installing it? | | |
| Have you enabled network encryption? | | |
| Do you filter devices by MAC address so that only specified devices can be added to your wireless network? | | |
| Have you restricted the range of the wireless signal? | | |

CLOUD SECURITY

| Procedure | Yes | No |
| --- | --- | --- |
| Are cloud-related security policies and procedures aligned with general corporate or departmental strategy and policies? Is there a process in place that assures this? | | |
| Have you addressed the data residency concerns of the country? | | |
| Does the workload or capability considered for the cloud allow for access by unmanaged devices — laptops, smartphones, iPads/Slates, general browsers, etc.? | | |
| Do you have a data classification scheme? Is there a policy and related processes that underpin such a scheme? Do you have a way to identify sensitive or confidential information? | | |
| In the context of data classification, are you encrypting data in the cloud? | | |
| Can you ensure the integrity of data and applications in the cloud? | | |
| For cloud adoption, is there a process that helps to determine, understand, and mitigate threats to the company or department? Is there a formal threat modelling process? | | |
| Have you mapped the assets to potential cloud deployment models? | | |
| Have you carried out an IT risk assessment for cloud adoption? | | |
| Does your company or department have known, documented criteria for due diligence on third-party providers, whether cloud providers or outsourcers? | | |
| Does your cloud service provider share risk assessment reports? | | |
| Does your cloud provider operate at a level that is more or less secure than you are at present? | | |
| How does your GRC (Governance, Risk and Compliance) model map through security controls to the cloud service and the SLA for that service? | | |
| Do you have a Data Loss Prevention (DLP) solution that identifies, monitors, and protects sensitive data and helps users understand and manage data risk for the organization? | | |
| For secure access to cloud services, do you have a solution for multi-factor authentication with options such as call my mobile phone, text a code to my mobile phone, notify me through an app, etc.? | | |
| Do you have a solution to encrypt e-mail messages with appropriate access privileges, such as don't copy, don't forward, etc., for cloud-based solutions? | | |
| Do you automatically delete unnecessary accounts when an employee leaves, changes groups, or does not use the account prior to its expiration? | | |
| Do you carry out mandatory background checks for high-privilege access? | | |
| Does your cloud service provider have a process in which Just-In-Time access and elevation is granted on an as-needed and only-at-the-time-of-need basis to troubleshoot the service? | | |

