Security & Sensitive Data Review Checklist (internal and external)?


I need to develop a security and sensitive data review checklist - both for internal (behind the customer's firewall) and external (outside the customer's firewall).  For example, as an internal checklist we would look at things such as are laptop hard drives encrypted?  Do employees carry any sensitive data on their laptops?  Are workstation screen savers enabled with password protection? etc.  For external I would look at things like do they have a wireless access point?  If so, is WEP or WPA enabled?  Is the broadcast of the SSID turned off?  Have they had anyone do a probe of their main firewall to look for holes? etc.

Rather than start from scratch I was hoping someone could point out a list or online document that might match the criteria I've set forth above - something I could leverage as a starting point.

Any pointers are appreciated.  Thanks!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

With a wireless AP: SSID broadcast should never be turned off as it is non-standard, breaks access, compromises proper wireless performance, and doesn't improve security. Use of WEP is a security risk; I can crack a 40-bit WEP key in less than 12 hours. At a bare minimum; WPA2 with AES should be used,  or the Wireless AP should be outside the firewall with clients using VPN for access to internal networks.

Thus is the problem with security checklists; they tend to accumulate ad-hoc measures that don't actually improve or ensure security.   WEP may have been secure 5 years ago, but not today.
There are multiple right ways to do things (no one checklist applies to all situations)

A checklist would need to be painstakingly reviewed to be useful, otherwise there will be a lot of resources wasted implementing the wrong measures for the situation and still missing important security measures that should be implemented.

Some starting points might be...

  (a)  Is data kept on physically secured servers whenever possible?  
         And never on workstations in an open area.
  (b) Are clear policies in place to define on what conditions users have access
        to what information?        
  (c) Are those policies actually implemented by fine-grained access control
       setup on all servers and network equipment?
        * Are proper controls in place to prevent a user from obtaining and keeping
           more permissions than they need?
  (d) Are clear audit logs kept in a secure place to clearly indicate when an
       authorized user gains access to any workstation, network device, server, file,
       or item of sensitive information?
         * Are individual usernames used for all system administration?
            (No single username and password that all administrators use)
         * Are the audit logs kept in a manner that prevents unauthorized deletion?
         * Is it someone's job to regularly review system audit logs for unusual activity?
         * Is accountability in place to ensure the person is actually reviewing the logs
            and will recognize  and report suspicious activity?
  (e) Are measures in place to enforce that any vendor security updates will be
       applied to all server and workstation software?
  (f) Are servers with sensitive data behind firewalls separate from workstations,
       and in a more secure security zone?  (To protect against attacks originating
       at a workstation)
  (g) Are all unnecessary network services turned off on all servers and workstations?
  (h) For windows workstations:    
       * Are they Windows XP or higher?
       * Are EFS and full disk encryption in use for any situation where sensitive data is stored on the PC itself?
       * Is quality antivirus software installed, such as eeye blink or eset?
          * Is use of AV software enforced by system policy, managed from a  
             central location, and not able to be uninstalled, disabled, or overriden
             by an end user?
       * Are time-of-day login restrictions in place, to prevent say, a hacker
          from breaking in and logging in as a user during the night?
       * Are ALL windows workstations a member of a domain?
       * Are strong password policies enforced, to prevent insecure passwords?
       * Is software update service deployed, and are update deployments enforced?
       * Is domain group policy configured  to enforce a secure configuration?
            Per the Microsoft security baseline analyser guidelines.
       * Is domain group policy configured to limit access to tamper with security
          settings or install or run unauthorized software?  (such as unknown keyloggers, or arbitrary executables, for example)
   (i) For each windows server:
        * Is it physically secure?
        * Is suitable drive encryption setup?
        * For domain controllers: is SYSKEY setup with a secure passphrase?
        * Is network interactive login to all servers restricted to Administrators?
        * Is all server login activity logged and closely monitored?
        * Are they secured according to the Baseline security analyser guidelines?
        * Are any local admin passwords different for every server?
        * Is encrypting filesystem (and other suitable measures) deployed?
        * Is a secure key recovery agent for encrypting filesystem deployed?

   (j) Is a network IDS deployed to detect and alarm on suspicious activity on
        the internal LAN?

   (k) Is a security standard config'ed on network switches to prevent unauthorized
        devices being plugged into the LAN?
        e.g.  802.1x,  MAC address filtering, port security  (on switch ports)
   (l) Are workstations and servers used by users of different departments,
        trust levels, or security domains placed in different VLANs  or behind
        their own fierwall?
   (m)  Is a clear network policy in place defining acceptable usage, and
          restricting access to risky sites that might lead to security compromise
          of a workstation?
          * Is this policy enforced by equipment at the border?
             I.E. is a web filter in place to block access to hacking-related sites,
             or sites that are likely to contain trojaned executables.
   (n)   Is a fully vendor-supported firewall with any and all security patches
           in place at the network border?
           *   Are all unnecessary network services turned off on the firewall?
           *   Is all access from the outside restricted except where absolutely needed?
                For example: every internal service that does not have a specific
                need for access to or from the outside, should not have that access.
           *   Is  suitable filtering of all outbound traffic in place to prevent use
                of any internet service or any internet activity other than the
                internet services needed for business reasons
                That HAVE to be done from workstations with sensitive data access.

        *      Where possible workstations without sensitive data access should be
                segregated,  and internet access should be utilized only on "less secure"

           *   Are all servers accessible by the public isolated from the sensitive
                network  (by placing them in a DMZ or separate security zone) ?
           *   Is user access to the internal network limited to access by VPN ?
               * Are VPNs rigidly configured so only the necessary remote activity
                  is allowed?
                  For example: only the files and servers that need to be accessed
                  remotely by that user should be accessible.
                * Are VPN  access credentials changed regularly?

    (o)     Are inactive users periodically purged?
    (p)     Are user permissions regularly reviewed, and permissions that
             are no longer absolutely needed or can no longer be justified removed?


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.