ITLEx Lockheed Martin's Threat and Vulnerability Workbook


Overview

Business Impact
DR Plan
Computer Assessment
Audit
Facility
Physical Security
Emergency
First Aid
Computer Room
System Administration
Document Security


Sheet 1: Business Impact

BUSINESS IMPACT

ANSWER
Public View



Are activities or products generated by your company perceived by the public as dealing unfavorably with volatile civil issues (i.e., nuclear waste, nuclear power, chemicals, defense or military weapons procurement or development)?

Potential Target



Is the facility or the computer area a potential target because of its mission or the nature of the work done there?

Competition



Is the company involved with other organizations in "friendly" competition over projects, personnel, or recognition?

National Security



Could unauthorized use of the data or programs, or destruction of this facility, have an adverse effect on national security?

Trade and Defense Relations



Could a disruption in computer area services result in an adverse change in trade or defense relations with another nation?

Security Directives



Is the company required to maintain compliance with any specific security directive or guidance (i.e., DOE, DOD, FBI, etc.)?

Procedures



Are all employees aware of the organization's policies regarding accountability and responsibility for company property such as the removal of equipment from the premises?

Media Release



What is the written policy limiting media releases of company sensitive information?

Records



What is the retention time for financial, stockholder, employee information, tax records, and other vital records?

Media



What type of media are used at this location (hard drive, tape, video, optical, etc.)?

Priority



Are all current programs prioritized as to their importance and impact to this business?


Are all files categorized as to their sensitivity (critical, important, useful, and nonessential)?

Back-up



Are, backups of inventory lists of equipment, files, and documents kept off-site?


Are all files which are critical to the continued operation of your business retained in either back-up form, hard-copy, or original font? Refer to CPS-527 regarding Records Management; Refer to Appendix A for document types.

Data Handling



Could potentially embarrassing or legally damaging information be mishandled if the computer area were out of service or if data were lost?


Could potentially embarrassing or legally damaging information be mishandled if the computer center were out of service or if data were lost?

Destroy



Have successful or partially successful attempts to damage, penetrate or destroy the data center, sensitive material areas, or the facility been carried out within the past two years?

Sensitive Information



Can access to trade secrets or highly sensitive private-sector corporate information be gained by using the facility's computing resources?


Can use of or access to system data result in competitive advantage within private-sector companies?


Could unauthorized use or misuse of sensitive information result in a negative organizational image that is neither justified nor deserved?


Does the facility maintain compartmented or special company sensitive information? If so, list restrictions on the use of this information.


How is the loss, compromise, or disclosure of company sensitive information handled?

Unauthorized Access



If the computer area's computers were successfully accessed by unauthorized persons and knowledge of the access were made public, would the organization be publicly embarrassed in a damaging way?


If the sensitive material were successfully accessed by unauthorized persons and knowledge of the access were made public, would the organization be publicly embarrassed in a damaging way?


Sheet 2: DR Plan

DR PLAN

ANSWER
Attacks



Are there plans developed for bomb threats, terrorist attacks, or catastrophic events?

Emergency Preparedness



Have disaster recovery, emergency preparedness plans been developed?

Small Emergencies



Are smaller emergencies addressed in the disaster recovery plan (brown-outs, data erasures, viruses, etc.)?

Specific Disasters



Are there specific plans to cover specific disasters (such as earthquakes, floods, hazardous materials)?

Contingency Plan



Does a written contingency plan exist for your department that includes business resumption?

Knowledge Base



Is more than one person knowledgeable about critical departmental processes?

Coordinator



Has an individual been assigned as the disaster recovery plan coordinator? Is this individual a manager?

Procedures



Do departmental procedures detail actions to be taken in the event of equipment malfunction or inability to access needed information resources?


Do written procedures exist for each critical departmental process?

DR Plan



Is there a formal disaster recovery plan in place? Who is responsible for this plan?


Are designated objectives clearly outlined in both the emergency preparedness and disaster recovery plans?


Has a copy of the disaster plan been secured off-site to ensure its preservation?


How often is the disaster recovery plan tested?


When was the last time the plan was tested and updated?


Are all corporate objectives clearly outlined in the disaster recovery plan?


Is the disaster recovery plan adequate?


Is the disaster recovery plan current?


Are there partial and full implementation phases in the plan corresponding to different levels of emergencies?


Is the team concept utilized in the disaster recovery plan (individuals with specific functions and/or expertise are assigned to a team)?


Is there a disaster management plan for all of the data processing and storage systems?


Is there a written disaster recovery plan? Refer to IPM-009


Does the disaster recovery plan take into account the company's organizational structure and test to ensure that it's integrity is maintained after a "disaster"?


Does the plan allow for the orderly transition from normal to emergency operations?


Does the plan include provisions for shutting down equipment and machinery once unforeseen disasters have occurred (i.e., earthquakes or explosions)?


Does the plan include provisions for shutting down equipment and machinery prior to an anticipated disaster (such as tropical storms or extreme temperatures)?


Has the disaster recovery plan been reviewed by the following departments: The facilities department? The security department? Your legal department or representative? Your insurance carrier?


Has upper management approved each phase of the disaster recovery plan?

DR Teams



Have disaster recovery teams been identified and implemented?

Notification



Will appropriate computer area personnel will be notified of nearby disasters and/or threats that may affect computer operations?

Responsibility



Is someone assigned the responsibility for requesting and updating password access to all information resources?


Is someone assigned the responsibility for requesting deletion of password access for terminated and transferred employees?


Is there a record listing both individual and team responsibilities?


List the chain of command in the event that designated individuals are unable to fulfill their responsibilities.


What procedures are in place to maintain current "contact-lists"? Who is responsible for this?


Who is assigned to update the disaster recovery plan?


Who is responsible for testing the disaster recovery plan?


Who reviews the job scheduling system?

Plans (Continuity?)



Have these plans been reviewed by the company's insurance carrier?


Sheet 3: Computer Assessment

COMPUTER ASSESSMENT

ANSWER
Assets



What is the total dollar value of all computing assets?


What is the total value of each category of computer system (hardware, software, peripherals, and other associated equipment)?

Cleaning Schedule



Are all disk packs and drives cleaned on a regularly-scheduled basis?


Are all heads on disk drives cleaned on a regularly-scheduled basis (not required with sealed drives)?


Are all tapes and tape drives cleaned regularly?

Condition of Equipment



Are all tapes (including archive tapes) tested to determine their general condition and the condition of the tape library?

Database Applications



What database applications are used in your department? (Select all that apply and specify any others): Paradox (DOS); Paradox (Windows); Q&A; dbase; Monarch; 4th Diminison; FoxPro; Other
E-mail Applications



What electronic mail systems are used in your department? (Select all that apply and specify any others): Office Vision (PROFS); Microsoft Mail; DaVinci E-Mail; Eudora E-mail; CC Mai; Quick; OtherMail
Spreadsheet Applications



What spreadsheet applications are used in your department? (Select all that apply and specify any others): Lotus 1-2-3 (DOS); Lotus 1-2-3 (Windows); Excel (MAC); Excel (Windows); Other
Word Processing Applications



What word processing applicationsAre used in your department? (Select all that apply and specify any others): WordPerfect (DOS ); WordPerfect (Windows); WordPerfect (MAC); Microsoft Word (DOS ); Microsoft Word (Windows); Microsoft Word (MAC); Other:
Design



Are individuals who are responsible for internal quality assurance involved during the conceptual system design phase for hardware and/or software?

Destroy



Are all printouts, magnetic media, and printer ribbons with sensitive information destroyed by using approved security methods?

Tests



Are standard test programs run frequently to check the validity of on-line software?


Sheet 4: Audit

AUDIT

ANSWER
Audit Trails



Are audit trails of updates or modifications to applications software and data kept in general?


Are on-line audit trails archived frequently?


Are on-line audit trails maintained on a disk volume separate from the main data file?


Are program modifications and duplications recorded in an audit trail for review?


Is there an automated audit trail maintained of activity on each computer system?


Who reviews audit trails and written computer access logs for integrity?

Computer Operations



Is the record of all computer operations available for audit?

Console Activity



Is the record of operating-console activity available for audit?


Does computer area management require that a record of all operating-console activity is kept, checked, and available for audit (if partially true, answer affirmatively)?

Entrance Suveillance



Are records from the computer area entrance surveillance monitors, intrusion sensors, and/or alarms kept in some form available for audit?

Procedures



Are checks made to verify proper operation of on-line audit procedures?

Random Checks



Are random spot-checks run to compare on-line copies of essential software with master copies or source listings to detect unauthorized modification?


Sheet 5: Facility

FACILITY

ANSWER
Location



Are the facility and computer area located along a route used for transporting hazardous or explosive materials?


Are the facility and the computer area in a high crime-rate area?


Are the facility and the computer area located below a nearby darn?


Are the facility and the computer area located in a landslide or mudslide area?


Are the facility and the computer area located in or near a forest, in heavy brush, or in a grassland area?


Are the facility and the computer area near a place where hazardous processes or materials are in use (such as a chemical plant, refinery, etc.)?


Are the facility and the computer area near any other potential source of hazard?


Are the facility areas located in or near a college community?


Do aircraft regularly fly over the building where the computer area is located?


Do volatile chemicals, liquefied natural gas, or explosives pass within 2000 feet of the computer area by sea, rail, or overland transport?


Have persons in the area (community, county, state) been questioned within the past two years by law-enforcement agencies about, or arrested on suspicion of, charges related to data fraud, security violations, or other "white-collar" crime?


Is the facility located in an area where political activism is high or hostile foreign nationals are common?


Are there other occupants or activities in the building housing the computer area that might be a potential threat or hazard to the computer area, personnel, facility, or the organization's environment?


How long does it take to reach the off-site storage location (should be under one hour)?

Access



Are all doors kept closed and locked to ensure compliance in accordance with normal access control procedures?


Are all secured, restricted, closed, and limited access areas properly marked?


Are authorization lists and control mechanisms allowing facility entry updated when a person's entry authority is revoked?


Are entrance rosters and logs maintained?


Do security personnel control all perimeter openings to the facility?


Does this facility have an enforced limited-access policy?


Indicate which authentication devices are in use at each facility: Badge readers, finger print techniques, keys, magnetic card readers, voice print techniques, other?


Is photographic identification (such as a driver's license) and prior management approval required from: Non-employees, Contractors, Service Personnel, and Vendors for entry into sensitive material areas?

Activity Monitoring



Do operations or employees monitor the activities of emergency, service, and other "invisible" personnel when they are servicing the computer area, area, building, or equipment?


Do operations or employees monitor the activities of other "invisible" personnel (i.e., vending machine suppliers, protective force, janitors, health and safety personnel, etc.)?


Do operations or employees monitor the activities of service personnel (a large part of the "invisible people") when they are servicing the computer area, area, building, or equipment?

Barriers



Where are there barriers or controls to deter an individual from physically reaching: The facility and its environment (grounds, buildings, etc.)?

Where are there barriers or controls to deter an individual from physically reaching: Hard-copy information (documents/data)?

Where are there barriers or controls to deter an individual from physically reaching: Hardware?

Where are there barriers or controls to deter an individual from physically reaching: Software?
Structure



How many floors of the building are above grade?


How many floors of the building are below grade?


Is ducting large enough and sturdy enough to permit the passage of a person through it?


Is the building constructed on a solid foundation?


Is the building housing the computer area more than one story tall?


Is the principal material of the exterior walls of the building housing the computer area one of the following materials: reinforced concrete, concrete block, brick, or stone?

Surveillance



Do surveillance monitors, intrusion sensors, or alarms operate for: Emergency exits and emergency situations in the computer area?


Do surveillance monitors, intrusion sensors, or alarms operate for: Non-normal computer area entrances such as delivery portals?


Do surveillance monitors, intrusion sensors, or alarms operate for: Normal operating computer area entrances?

Breach of Security



If a breach of security occurred, do employees know where trained assistance is available?

Visitors



Are all visiting personnel (vendors, consultants, contractors, service personnel, visitors, etc.) identified by some visible means such as a badge when visiting the facility (especially near sensitive material areas)?


Does the computer facility frequently have tours or visitors from the general public?

Emergency Evacuation



Is there an emergency evacuation plan current in place? Is it disseminated to employees?


Where are emergency destruction sites located within the facility?

Evacuation



Are evacuation plan drawings and procedures posted in accessible areas?

Facilities



Has a plan been developed addressing each of the company's facilities?


What other occupants or activities in the building may be a potential hazard? Chemical storerooms, Laboraties, Machine shops, Offices, Warehouses, Other?

Communications



Are communications systems and procedures equipped to allow employee's to reach families and to handle their relative's inquiries?

Public Utilities



Are the availability of public utility services such as electricity, natural gas, and water included in the Continuity plans?

Public-Address System



Can the public-address system be clearly heard and understood by all personnel?


Does the public-address system announcer practice canned messages so that message quality is consistent and does not suffer from the potential panic of an emergency?

Inventory



Are there inventory lists of equipment, machine-readable files, and documents?


Is a facility-wide inventory of office equipment and supplies, hardware, software, and documents conducted at least yearly for the facility and the computer area?


Is the facility-wide inventory list updated periodically as determined by facility management?


Is there an established procedure for resolving discrepancies in the facility and/or computer area inventories of equipment, files, and documents?

Sensitive Material Location



Does a lobby directory, site map, facility description, or other publicly-available or posted document clearly pinpoint the location of the sensitive material areas?


How and where is sensitive information stored? indicate on facility map.

Backup Site



If a disaster recovery service is used, how far is it from the facility's location?


Are the following backup sites utilized in the disaster recovery plan adequate: an off-site hot or running backup site, a cold or purely storage backup site and reciprocal agreements with other companies (see reciprocal agreements)?


Is there backup for facility support hardware (generators, HVAC, etc.) at the long-term contingency backup site?


Are there backups for essential office machines (i.e., typewriters, word-processing equipment, copying machines) at the local or short-term contingency backup site?


Are there backups for furniture at the local or short-term contingency backup site?


Are there backups for off-line equipment (i.e., forms bursters, film processors) at the long term contingency backup site?


Are there backups for terminal equipment at the long-term contingency backup site?


Are there backups for the computer and its main components at the long-term contingency backup site?


Are there maintenance procedures for terminal equipment at the long-term contingency backup site?


Are there maintenance procedures for off-line equipment at the long-term contingency backup site?

Policy



Is it policy to provide a staff escort for visitors, vendors, and service personnel: In the building housing the computer equipment? During Normal Business Hours? Outside of Normal Business Hours?

Is it policy to provide a staff escort for visitors, vendors, and service personnel: In the computer area?

Is it policy to provide a staff escort for visitors, vendors, and service personnel: In the computer area during normal business hours? Outside of Normal Business Hours?

Is it policy to provide a staff escort for visitors, vendors, and service personnel: In the perimeter zone during normal working hours? Outside of Normal Business Hours?

Is a policy addressing fires and fire protection emergencies and how they should be handled disseminated to employees?


Is a policy addressing medical emergencies and how they should be handled disseminated to employees?


Is a procedure addressing bomb threats disseminated to employees?


Are procedures for responding to notification from area monitors and alarms defined and documented?

Repairs



Is a complete set of vendor-recommended spare parts (to service equipment, alarm systems, access control systems, computers, etc.) available near enough to the facility to be able to effect emergency repairs within the time period determined by facility management?


Is a complete set of vendor-recommended spare parts available near enough to the computer area to be able to effect emergency repairs within the time period determined by facility management?

Risk Analysis



Has a risk analysis assessment of the facility been conducted recently?

Storage



Do all facilities have enough storage capacity (tape, disk drives, etc.) to properly fulfill their obligations under the reciprocal agreement?

Training



Are drills for bomb threats practiced periodically?


Sheet 6: Physical Security

PHYSICAL SECURITY

ANSWER
Alarm System



What type of alarm systems are used in the facilities?

Security



Is all alarm and CCTV wiring enclosed in conduit?

Response



Are there documented guidelines for evaluating appropriate responses to notifications from area entrance monitors and/or alarms?

Authorization



When a person's area entry authorization is revoked, are: Authorization lists revised? Locks/combinations changed? Badges, keys, cards surrendered? Other (specify)?

Badges



Do employees wear identification badges within the facility?


Who disseminates badges (security, receptionist, delegated alternate, etc.)?

Breach in Progress



Are personnel instructed about how to deal with a penetration in progress?

Building Entry



Is there a designated individual responsible for authorizing building entry?

Call List



Is the "call-out" or list of phone numbers, assignment and positions updated regularly?

Confidentiality Agreement



Have all individuals operating the computer area, involved in the disaster recovery plan (either on-site or off) and all vendors signed a confidentiality agreement with your company?

Drills



Are drills for catastrophic events practiced periodically?


Are drills for terrorist attacks practiced periodically?

Education



Are employees actively involved in developing components of the security education program, especially where computing assets are concerned?


Are employees given continuing or periodic refresher education about security practices?

Individual Responsibility



Have individuals been assigned to be responsible for the following functions: Computer equipment maintenance? Key computer area functions? System operations functions? System software maintenance?

Policy



Are the following areas covered by written policy: The removal of computer equipment, parts, data, or documentation from the building?

Are the following areas covered by written policy: The removal of computer printouts and documentation from the building?

Are the following areas covered by written policy: The removal of storage media and memory devices from the building?

Are the following areas covered by written policy: A situation where an individual avoids or defeats the authorization procedure for removing computer equipment, data, or documentation from the building?

Are the following areas covered by written policy: That key or sensitive jobs are rotated periodically?

Are the following areas covered by written policy: That no essential function can be performed by only one person (i.e., a multiple person rule for all essential functions)?

Are the following areas covered by written policy: That one person cannot perform a complete set of transactions for an operation or application (i.e., separate personnel for systems programming and for computer operations)?

Are the following areas covered by written policy: That personnel using the computer area are held responsible for a clean working environment?

Are the following areas covered by written policy: The inspection of failed parts and equipment before they can be removed from the building?

Is a policy addressing remedial action for security violations disseminated to employees?


Is there a policy addressing releases of drawings or other technical company sensitive formation at outside meetings or trade conferences? What is it?


Is there a policy governing how personnel should interact with outside organizations and outside personnel with respect to security breaches and other emergencies?


Is there a policy governing how personnel should interact with outside personnel (i.e., the public with respect to security breaches and other emergencies)?


Is there a policy governing how personnel should interact with representatives of the news media with respect to security breaches and other emergencies?


Is there a written policy addressing the release of company sensitive information to outside sources other than the media? What is it?


Is there a policy prohibiting introducing disks, programs, and data from outside sources other than shrink wrapped vendor purchased media, into facility computer systems?


Is there a written computer security policy that assigns responsibilities for users, management, computer systems operators and the security staff


What are the visitor admission and registration procedures for visits?


Have all personnel been trained in the correct procedures to handle the various levels of operations?


Are employees briefed to proprietary or competitor sensitive information safeguarding protocols?

Removal of Material



Is there a written "pass" procedure implemented identifying proper removal of material or equipment?

User's Access Agreement



Does the user's agreement clearly state the penalties for deviation for non-compliance?


Does the user's agreement included remote terminal usage responsibilities?


Does the user's agreement require the signature of all users, managers, and security personnel before system access is granted?


Does this agreement extend to all your computing resources?


Sheet 7: Emergency

EMERGENCY

ANSWER
Possibilty of Disaster



Has a study been conducted to determine the probability of an emergency or disaster affecting company operations?

Command



Has a hierarchy of command been established for each designated emergency?

Communication



Are emergency plans clearly communicated and accessible to each employee?


Do employees receive continuous and accurate status reports during emergency situations? How?


How are employees notified of an emergency situation?


In each of the named emergency situations, is there a "contact-list" of individuals who need to be notified (owners, executive personnel, managers, etc.)?


Is the current telecommunication system between both facilities adequate to function properly in an emergency situation?

Disaster Recovery Service



If utilized, what type of disaster recovery service is used (commercial vendor, service bureaus, shared contingency agreements with other companies)?

Alternate Site



Has a long-term contingency backup site (alternate site) been selected?


Has a site been selected for local or short-term contingency backup?


Has the backup system for hardware at the local or short-term contingency backup site been tested to ensure compatibility with the applications?


Has the computer and its peripheral equipment at the long-term contingency backup site been tested to ensure compatibility with the applications?


Have written agreements with other agencies, service bureaus, and vendors been obtained for backup computer service at the short-term contingency backup site?


Have you tested your critical applications at the other facility's computer area?


Have you tested your critical functions (management, security, etc.) at the other facility?


Is a long-term contingency backup site (alternate site) deemed mission critical?


Is the local or short-term contingency backup site located where it will not share interruptions with the home site and yet it can be reached conveniently.


Is the long-term contingency backup site located far enough from the home site that it will not share the same catastrophes (such as earthquakes, volcanic eruptions, major storms, etc.)?


Is the location of the off-site place for storing backup files public or common knowledge?


Is the off-site storage facility located at a distance that would preclude damage if a large scale disaster hit your facility?


Is the site selection still valid if the main facility is damaged or destroyed?


Is there an alternative operational site, or communications center, to coordinate and implement emergency plans and to continue business activities?


Is there backup for all computer hardware at the local or short-term contingency backup site?


Is there proper temporary storage of your company's sensitive information at the other facility?


Is there proper temporary storage of your company's sensitive output (printouts) at the other facility?


Is there proper temporary storage of your tape and disk storage media at the other facility?


When assessing the off-site storage facilities are the following areas adequate: Access authorization systems and 24-hour operation?

When assessing the off-site storage facilities are the following areas adequate: Courier service?

When assessing the off-site storage facilities are the following areas adequate: Fire protection?

When assessing the off-site storage facilities are the following areas adequate: Physical security?

When assessing the off-site storage facilities are the following areas adequate: Vaulting or building materials?
Backup Power



Are uninterruptible back-up power systems available at the site of the emergency?

Data Center Emergency Response Plan (DCERP)



Does the DCERP describe emergency and backup voice and data communications requirements?


Does the DCERP establish a plan for computer area evacuation?


Does the DCERP include a procedure for reporting incidents and notifying all personnel necessary to deal with an emergency situation?


Does the DCERP include a strategy for emergencies caused by weather or natural phenomena?


Does the DCERP include a strategy for fire emergencies?


Does the DCERP include a strategy to deal with HVAC failures?


Does the DCERP include a strategy to deal with power failures?


Does the DCERP include a strategy to deal with structural instability or damage, such as that caused by earthquakes or excessive snow buildup?


Does the DCERP include a strategy to deal with water/flood emergencies?

Disaster



Could the computer area withstand a major disaster if one occurred today?


Could this facility withstand a major disaster if one occurred today, could the overall organization survive?


Is the staff instructed to protect prioritized hardware, software, and documents from damage and/or disclosure if a disaster, major emergency, or an attack upon the computer area occurs?


Is there a system to prioritize on-line input after a disaster?


Is there an organizational structure specifically designed for operations during disasters?

Downtime



Have you estimated the maximum downtime your operation could withstand before irreparable damage is incurred?

Emergency Situations



Do you share your computer time with other organizations, under the reciprocal agreement, in emergency situations on their part?


Does your company have a formal reciprocal agreement with another facility or corporation to aid you in emergency situations?


Is there a generalized, established procedure for coordinating the movement of information and personnel in an emergency situation?


What are the criteria used to determine operational levels during an emergency (full, reduced or closed down)?

Funds and Supplies



Are emergency funds and supplies available to assist employees?

Instructions



Are written emergency situation instructions maintained for easy access by the equipment users?

Mock Disaster



Has your facility participated in a mock disaster?


Has the off-site facility participated in a mock disaster?

Procedures



Are procedures in place to destroy sensitive information waste in emergency situations.


Are there procedures addressing electrical outages?


Are there procedures permitting computer area access to emergency personnel in case of fire, major power outage, or emergency or disaster?


Have hardware maintenance procedures been established for data-processing equipment at the long-term contingency backup site?


Have maintenance procedures been established for the computer and its main components at the long-term contingency backup site?

Safeguards



Are safeguards against fire damage as stringent at the alternate, site as those at the home office?


Are safeguards against HVAC damage as stringent at the alternate site as those at the home office?


Are safeguards against major hazards damage as stringent at the alternate site as those at the home office?


Are safeguards against power outage damage as stringent at the alternate site as those at the home office?


Are safeguards against water damage as stringent at the alternate site as those at the home office?


Are the design and operation of the alternate-site safeguards against natural hazards damage (major hazards, water, fire, HVAC, and power damage) as comprehensive as those at the home office?

Security at Alternate Site



Are security requirements for the equipment backups at the alternate site as stringent as at home?

Temporary Office Space



Has temporary office space for system support personnel been addressed in the reciprocal agreement?


Sheet 8: First Aid

FIRST AID

ANSWER
CPR



Are there always at least one on-duty computer-operations personnel per shift who is trained in first aid and CPR?

Emergency Medical Assisstance



Among the computer area's personnel, are there persons with training for providing emergency medical assistance, cardiopulmonary resuscitation (CPR), and/or first aid?


Among the facility's personnel, are there persons with training for providing emergency medical assistance, cardiopulmonary resuscitation (CPR), and/or first aid?


Are fist-aid supplies located close enough for quick response in a medical emergency?


Sheet 9: Computer Room

COMPUTER ROOM

ANSWER
Risk Analysis



Has a risk analysis assessment of the computer area and computing resources recently been completed? When?

Times of Operation



What are the times of operations of each of the major computer areas? List on the facility map with locations of computers.

Access



Is this computer area considered to be a showcase computer area frequently having tours or visitors from the general public?

Facility Location



Is the computer area in a geographical area known for severe weather? For example, has a hurricane, flood, tornado, snowstorm, or severe cold caused the computer area to be inoperative for a total of any 5 or more days in the past 3 years?


Is the computer area located within 1000 feet of and below the level of a lake, river, dam, or ocean?


Is the computer area located within 50 miles of an active earthquake fault, an active volcano, or a high erosion area?


Is the computer area located within five miles of a defense installation, major defense contractor, government laboratory, nuclear processing plant, or nuclear power plant?


Is the computer area on a landing or take-off path or otherwise situated within one mile of a major international, commercial, or military airfield?

Computer Room Facility



In what is the computer area housed (if other than a typical, permanent building)? A semi-permanent transportable building? A trailer? An RV? Other?


On what floor of the building is the computer area located?


How many entrances to the computer area are there?


How is entry to the space between the suspended ceiling and the structural ceiling in the computer area controlled?

Structure



Do barrier(s) (such as walls, partitions, or partial walls, even if the area is an integral part of the computer area) separate the computer area from the rest of the building?


Is the barrier separating the computer area from the rest of the building a firewall?


What best describes the room-barrier's construction: Attached partial walls? Standard walls? Concrete? Moveable walls? Chain-link fence? Other?


Are the computer area walls extended above the suspended ceiling either to the structural ceiling or to the roof?


Does the computer area have a suspended ceiling?


Is entry to the space between the suspended ceiling and the structural ceiling in the computer area controlled in some way?


Is entry to the space between the suspended ceiling and the structural ceiling in the computer area obvious to the casual observer?


Is the area between the suspended ceiling and the structural ceiling in the computer area kept free of dust and dirt?


Is the structural ceiling of the computer area constructed to conduct water from higher levels away from all hardware?


Is there a space large enough to hold a person between the suspended ceiling and the structural ceiling of the computer area?


Do computer area doors or gates fit flush into the framework?


Do computer area doors or gates have a large open space above them, as in a "Dutch" door?


Does the computer area have doors/portals designated solely for emergency use (i.e., emergency exits)?


Are openings to all ducting blocked securely to restrict entry to the computer area by means of the ducting?


Are the exterior doors, windows, and entryways leading into the computer area watertight?


Are there exterior doors, windows, or entryways that give direct visual or physical access to the computer area from outside the building?


Are emergency exits from the computer area operable only from within?


Can computer area emergency exits be operated from outside the computer area?


Are floor drains in the computer area fitted with anti-back-flow valves?


Are floor tile removers available in the computer area near operations personnel?


Are the locations of floor tile removers clearly marked and visible above equipment?


Have overhead steam or water pipes (except sprinklers) been eliminated from the computer area?


Are any interior computer area windows used as pass-through (such as for distributing output or accepting input)?


Are exterior computer area windows barred or screened with heavy metal mesh?


Are exterior computer area windows large plate-glass windows?


Are interior computer area windows barred or screened with heavy metal mesh?


Are interior computer area windows large plate-glass windows?


Are interior computer area windows that are used as pass-through kept locked or otherwise controlled when not in use?


Are the windows translucent to preclude outside visual observation of sensitive data?


Are windows leading to computer areas alarmed?


Do exterior computer area windows contain embedded wire support to mitigate shattering?


Do exterior computer area windows provide a view of computer operations from outside the building?


Do interior computer area windows contain embedded wire support to mitigate shattering?


Do interior computer area windows provide a view of computer operations from the surrounding area within the building?


Does the computer area have exterior windows?


Does the computer area have interior windows?


Are pipe and wire penetrations into the computer area water-tight?


Are all cables entering and exiting the computer area clearly marked and uniquely identified?


Are all computer area electrical cables and wiring located away from normal traffic paths or protected from being disturbed by traffic?


Is there drainage in the computer area?

Raised Floor



Does the computer area have a raised floor?


How often is the under-floor area beneath the computer area raised floor cleaned?


Is the under floor area beneath the computer area raised floor kept clean of dust and dirt?


Is the area under the computer area floor blocked to restrict entry from outside the computer area?


Is the floor upon which the computer area is located either at or below grade?


Is the drainage from the computer area sufficient to prevent water overflow from adjacent areas?


Is all computer area equipment installed on or above the raised floor?


Is there space for a person to crawl under the floor in the computer area?


Has the raised floor in the computer area adequate strength to support both the total and the local loads that will be imposed by the various items of equipment?


Are all cables and wiring in the computer area located under the raised floor?


Are all cables and wiring under the raised floor in the computer area water-tight or otherwise protected from water damage?


Are all cables under the raised floor clearly marked and uniquely identified?


Are there electrical outlets under the raised floor in the computer area?


Are all electrical outlets and connectors under the raised floor in the computer area watertight?

Entry Security



Are authorization lists and control mechanisms allowing entry into the computer area updated when a person's authorization for entry has been revoked?


Are combinations for the computer area cipher locks changed on a regular basis?


Are computer area doors and gates checked periodically to ensure that they are locked?


Are computer area doors and gates kept locked or otherwise controlled: At all times? During emergency situations? During normal working hours? Outside of normal working hours?


Is after-hours access to computer areas documented?


Is entry to the computer area controlled: Separately from the building or computer area controls?


Is entry to the computer area controlled: When the computer itself is unattended?


Are there effective procedures for authorizing area entry?


Is access to area resources denied quickly enough to prevent damage to the resources by a person whose area entry authorization has been revoked?


Are there surveillance monitors (i.e., CCTV, guards, etc.), intrusion sensors, or alarms for the computer area entrances?


Are vendors and visitors required to wear identification badges at all times while in the computer area?


Are visitors and vendors required to sign in before entering the computer area?


Are visitors escorted when in a computer area?


Do computer area entrance monitors, sensors, and/or alarms transmit to a location where timely action will be taken?


Does the area entry/exit record provide notation for time in, time out, identification of entrant and authorization mechanism?


How are security personnel notified of employees who are permitted to enter the computer area outside of normal working hours?


Does the guard or other individual control computer area entry by: Badge with photo? Badge with no photo? Verifying ID from a list? Visual recognition? Other (specify)?


What type of access system provides entrance into the computer area?


If automated access control systems are not feasible, are physical access control systems implemented to limit accessibility to the computer system?


Is there a physical access control system limiting access to the computer areas?


Is computer area entry controlled by a key or key over-ride to another access control locking system?


Is computer area entry controlled by magnetic badge/card/key-card readers? Cipher locks? Guard or other responsible non-computer area individual?


The means used to record employee entries to and exits from the computer area are: Magnetic key card? Sign-in registry? Other (specify)?


Is ingress and egress by non-employees to the computer area: Recorded? Recorded duirng normal working hours? Recorded during emergencies and non-normal working hours?


The means used to record non-employee entries/exits to the computer area are: Magnetic key card? Sign-in registry? Other (specify)?


Is it difficult to duplicate computer area keys (i.e., do keys have engraved instructions to prohibit their duplication, are they made on special blanks not available to others, etc.)?


Is there a designated individual responsible for authorizing area entry for each work shift?


Is there a procedure to control badges, keys, combinations, and/or cards used for entry to the computer area?


What is the procedure for controlling badges, keys, combinations, and/or cards used for entry to the computer area?


The construction of the computer area doors and/or gates is/are: Glass? Hollow-core wood? Metal or metal clad? Openwork metal? Solid wood? Vault doors? Wood, metal, and glass? Other (specify)?


How often is it verified that computer area doors or gates are locked?


Is someone responsible for verifying that computer area doors or gates are locked?


What happens if a computer area door or gate is found unlocked? Building security notified? Police notified? Locked by finder? Documented in written report? Other (specify)?


When an individual's computer area entry authority is revoked, are Authorization lists revised? Are Badges, keys, and cards surrendered? Are Locks/Combinations changed? Other (specify)?

Security



Is there an inspection system to check briefcases, lunch pails, and other containers leaving the computer areas?


Is there an inspection system to check briefcases, lunch pails, and other containers leaving key sensitive material areas?


What steps are taken to ensure protection of the computer area (segregation, security alarm systems, security officers, CCTV, etc.)?


Which surveillance or sensor devices are used in the computer area: Breakwire sensors? Closed-Circuit TV? Door switches? Motion detectors? Vibration sensors? Other (specify)?


Is output from the computer area surveillance or sensor devices transmitted outside the computer area?


To where do the computer area entrance monitors, etc., transmit? Security station in same building? Security station in different building? Security station off-site? Other (specify)?


Who is responsible for verifying locked computer area doors? Building security? Computer operations? Site security? Hired off-site security? Municipal police? Other (specify)?


Who is responsible for the operation of the computer area access control systems?


Who is responsible for responding to computer area intrusion alarms?


Is the status of all emergency exits from the computer area monitored (i.e., by CCTV, guards, operations staff)?


Are computer area emergency/security systems backed up with battery power so they can continue operating if a power failure occurs?

Computer Room Management



Is computer area management always included in establishing overall facility security procedures as well as computer area security procedures?


Are all "problems" found in the computer area documented?


Are there designated individuals who are responsible for monitoring quality assurance issues in the computer area?

Computer Operation



Are any authentication devices required for operating a terminal?


Are individual terminals used at the computer area?


Is output-file encryption used at the computer area?


Is the computer area staffed 24-hours per day?

Emergency Response



Are all emergency response procedures for the computer area reviewed at least annually with computer area personnel?


Are location identifiers and emergency phone numbers posted in the computer center for fire, flood, police, on-site security, and medical assistance?


Does the computer area have non-standard hardware that may cause conflicts or failures in emergency operations?

Employee Education



Are computer area staff, users, management and custodial personnel educated about security practices and encouraged to be alert to possible security deficiencies while performing their normal duties?

Fire Rating



What is the fire rating (in hours) of the computer area's walls and their penetrations?

Identification



Are employee identification badges worn at all times in the computer area?


Are personnel work areas within the computer area monitored for unauthorized use?


Do employees challenge persons in the computer area if these persons are not properly identifiable?

Inventory



Is there a current inventory list of system, application, and data files for which the computer area has responsibility?


Is there a current inventory list of the major equipment within the computer area?

Maintenance



During facility maintenance or area cleaning, is sensitive data protected? How?


During system maintenance or area cleaning, is sensitive data protected? How?


Who conducts repair, cleaning and maintenance of the computer system components or equipment in sensitive material areas?

Media Library



Is there a separate room or vault used as a storage media library?


Is entry to the storage media library restricted to authorized personnel?


Are beverages or food permitted in the storage media library?


Is smoking permitted in the storage media library?


Is the tape library segregated from the main computer area (or main computer equipment)?


Who controls tape mounts (and the tape library)?


Is there a system to track, maintain, control and audit storage media inventories? What is it?


Are caustic or flammable cleaning agents permitted in the storage media library?


Are the caustic or flammable cleaning agents in the storage media library kept in approved containers?


Are the caustic or flammable cleaning agents in the storage media library kept in small quantities?

Procedures



Are there enforced procedures for controlling: Document removal from the computer area? Document removal from sensitive material areas?


Are there enforced procedures for controlling: Equipment parts removal from the computer area? Equipment parts removal from sensitive material areas?


Are there enforced procedures for controlling: Equipment removal from the computer area? Equipment removal from sensitive material areas?


Are there enforced procedures for controlling: Storage-media and storage-device removal from the computer area? Storage-media and storage-device removal from sensitive material areas?


Sheet 10: System Administration

SYSTEM ADMINISTRATION

ANSWER
Access Control



Is there an access control program that allows assigned users different layers of access (user, super user, system operator)?

Anomolies



Who is responsible for reviewing anomalies found in the computer system (console logs, error listings, repeated unsuccessful log-on attempts)?

Applications



Is there a list recording all programs on the system available?


Is there a list recording all systems and the responsible operator available to the users?

Authorization



Is there an authorization list for who may: Maintain computer equipment? Maintain or modify system software? Maintain or modify system applications programs and data files?


Is there an authorization list for who may: Modify/update computer-related documents (input sheets, reports, documentation, output, program listings, etc.)?


Is there an authorization list for who may: Operate the computer? Use system software? Use system application programs and data files? Use computer related documents? Request and use system dumps?


Are backup copies of current authorization lists of who may request and use system dumps kept at an off-site location?


Are backups of current authorization lists for computer use, operation, and maintenance kept at an off-site location?


Are backups of current authorization lists of who may use, modify, or update system software, data, and applications programs kept at an off-site location?


Is use of files from unauthorized terminals prevented?


What happens when authorizations to use, operate, and maintain computer equipment are revoked: Keys/cards/badges surrendered? Authorization lists revised? Locks and/or combinations changed? Other (specify)?


What happens when authorizations of who may use, modify, maintain, or update system and system applications software are revoked: Keys/cards/badges surrendered? Authorization lists revised? Locks and/or combinations changed? Other (specify)?


What happens when authorizations to use, modify, and/or access documents are revoked: Keys/cards/badges surrendered? Authorization lists revised? Locks and/or combinations changed? Other (specify)?


What happens when system dump authorization is revoked: Keys/cards/badges surrendered? Authorization lists revised? Locks and/or combinations changed? Other (specify)?


Who is responsible for authorizing access to the computer?: System manager? System operator? System Security Officer? Other (specify)?


Are there authorization lists of who may use, modify, maintain, or update system and system applications software?

Backup



Is there an individual assigned to ensure back-ups are properly completed?


Who conducts the system back-ups?


Who is responsible for backing-up critical or sensitive information?


Is the integrity of the file backup system tested periodically by computer area management?

Computer Resources



Who supervises the use of computer resources?

Internal Quality Assurance



Is the internal quality assurance staff informed of changes to programs or documentation of applications?

Inventory



How many micro-computers, network systems (local area networks), minicomputers, and mainframe systems are contained in the facility?


Is there a separate inventory of computer associated equipment?

Operating System



Are checks of operating-system integrity made periodically at a frequency determined by site management?


Is the operating system stored in read-only memory?


What action does the operating system take for unauthorized security-table access attempts?: Disconnects user/terminal? Causes automatic log-off? Posts to log? Sounds alarm? Other (specify)?

Procedure



Is there a formal written procedure for upgrading and expunging old system and application software?

Records



Are all violations and attempted violations of protected files recorded?


Is there a record of cumulative accounting period activity?


Is there a record of cumulative job or session activity?


Is there a record of program or task activity?

Scheduling System



Is there a formal scheduling system in place (either manual or automated)?

Software Modifications



Must there be more than one person involved to make any modifications to system or multi-user software?

Software Update



Are all vendor-supplied software updates reviewed carefully before they are put on-line?

Technical Manuals



Is there a list of all technical manuals available to all users?


Sheet 11: Document Security

DOCUMENT SECURITY

ANSWER
Backup



Are data back-ups stored off-site specifically used to ensure the disaster recovery plan functions properly?


Is all data backed-up at least once a week (or earlier, if stated in the written computer security policy)?


Is more than one generation of all backup files kept at the off-site storage location?

Document Security



Are all negotiable or financial document sets numbered?


Are all negotiable or financial documents signed by the appropriate authority after being processed in the computer area rather than being pre-signed or pre-stamped?


Are all unusable or spoiled unusable negotiable or financial documents destroyed to prevent their misuse?


When negotiable or financial documents are produced, are there controls governing: Their accountability? Their issue? Their return?

Filing Cabinet



Estimate the number of filing cabinet drawers currently used by your department to house paper documents 1-10, 11-25, 26-50, 51-75, 75+
Media



Are input source documents or magnetic media retained after the information is stored online?


Are magnetic tapes used at the computer area?


Are malfunction logs kept for storage media in the library?


Are methods provided for correcting an error made by peripheral devices and storage media?


Are multiple copies of source documents or magnetic media maintained in general?


Are special storage vaults used for essential storage media and files?


Are storage media other than those required for computer operations kept inside the computer area instead of in a separate storage media library?


Are there periodic physical inventories made to assure that all storage media can be accounted for?


Are usage logs kept for storage media in the library?


How is the media stored and secured?


Is a mechanism available to prevent someone from reading released storage media? What is it?


Is access for storing, transmitting, marking, handling, and destroying of storage media granted only to authorized personnel? How is this ensured?


Where are multiple copies of source documents or magnetic media kept?

Security Vulnerabilites



Are any unusual security vulnerabilities evident in regards to company sensitive information?

Sensitive Information



Are all confidential paper documents shredded when discarded?


Are all personnel required to sign a statement of understanding of their information security responsibilities before access to sensitive information is granted?


Are caveats utilized in marking company sensitive information (proprietary, limited, company sensitive, secret)?


Are photographic negatives, slides, photographs, and other company sensitive material properly marked (top/bottom caveats) and secured at all times?


Are printer ribbons used for sensitive or classified output destroyed?


Are sensitive or classified waste printouts and forms shredded, burned, or otherwise destroyed?


Are the carbons used to print multiple forms for sensitive or classified applications destroyed?


Are the proper caveats automatically affixed (or printed) on the top and bottom of each page?


Are there controls for distributing reports and output containing sensitive, proprietary, or classified information?


Are waste magnetic media that contain sensitive or classified information disposed of as sensitive waste in a manner commensurate with their sensitivity?


Are waste punched cards used in sensitive or classified applications destroyed?


Can access to sensitive information result in competitive advantage to other companies?


How is proprietary or competitive sensitive information moved outside the facility?


How is sensitive information waste destroyed?


How is sensitive information waste stored to preclude unauthorized access?


How is unattended, automatically generated sensitive material protected from compromise (i.e., faxes, off-hour generated reports)?


Is a commercially encrypted facsimile unit used when sensitive material is faxed out of the facility?


How often is sensitive information waste collected?


Is a log maintained to record sensitive information waste destruction?


Is all company sensitive material access limited to a "need to know" basis?


Is computer generated sensitive material access limited to a "need to know" basis?


Is sensitive information waste shredded?


Is there a formal system for securely disseminating sensitive information?


Is there a formal system to log and disseminate small, easily lost sensitive information items?


Is there a policy and procedure for the disposal of sensitive information?

Transportation



Are documents, or magnetic media transported from one site to another (i.e., between buildings)?


Are data, documents, and magnetic media insured while in transit?


Are protective measures taken when transporting hard-copy data and documents?


Is a reputable courier service used to transport data, documents, or magnetic media from one site to another?


Describe the courier systems used for compartmented or special company sensitive information.

Vital Records



Are hard copies of vital records maintained in conjunction with the master files? Are copies maintained off-site as well?


Wyszukiwarka

Podobne podstrony:
Martin, George R R And Seven Times Never Kill Man
Antony, Craske, Barlow Mastering Your Fears and Phobias Workbook (terapia poznawczo behawioralna)
George RR Martin Ice and Fire 0 The Hedge Knight
George R R Martin Loaves and Fishes
George RR Martin Ice and Fire 4 Arms of the Kraken
George RR Martin Ice and Fire 4 Arms of the Kraken
George RR Martin Ice and Fire 0 6 The Sworn Sword
Martin Predicted and experimental results of acoustic parameters in the new Symphony Hall in Pamplo
Lockheed Martin s Disaster Recovery Knowledgebase
George R R Martin Loaves and Fishes
Peter Martin Sounds and society
George RR Martin Ice and Fire 0 6 The Sworn Sword
Levinas, Emmanuel Martin Heidegger And Ontology
Racism and the Ku Klux Klan A Threat to American Society
CCI Job Interview Workbook 20 w PassItOn and Not For Group Use
Scott, Martin Thraxas 05 Thraxas And The Sorcerers
Adobe Acrobat and Reader newclass invalid pointer vulnerability
Aaron Martin Crane Right and Wrong Thinking
Martini Celebre Gavotta [Saxophone Quartet Score and Parts]

więcej podobnych podstron