Security & Sensitive Data Review Checklist (internal and external)?

Posted on 2008-11-08
Last Modified: 2013-12-27

I need to develop a security and sensitive data review checklist - both for internal (behind the customer's firewall) and external (outside the customer's firewall).  For example, as an internal checklist we would look at things such as are laptop hard drives encrypted?  Do employees carry any sensitive data on their laptops?  Are workstation screen savers enabled with password protection? etc.  For external I would look at things like do they have a wireless access point?  If so, is WEP or WPA enabled?  Is the broadcast of the SSID turned off?  Have they had anyone do a probe of their main firewall to look for holes? etc.

Rather than start from scratch I was hoping someone could point out a list or online document that might match the criteria I've set forth above - something I could leverage as a starting point.

Any pointers are appreciated.  Thanks!
Question by: lumpalump

    Accepted Solution

    With a wireless AP: SSID broadcast should never be turned off as it is non-standard, breaks access, compromises proper wireless performance, and doesn't improve security. Use of WEP is a security risk; I can crack a 40-bit WEP key in less than 12 hours. At a bare minimum, WPA2 with AES should be used, or the wireless AP should be outside the firewall with clients using VPN for access to internal networks.

    This is the problem with security checklists; they tend to accumulate ad-hoc measures that don't actually improve or ensure security. WEP may have been secure 5 years ago, but not today.
    There are multiple right ways to do things (no one checklist applies to all situations).

    A checklist would need to be painstakingly reviewed to be useful, otherwise there will be a lot of resources wasted implementing the wrong measures for the situation and still missing important security measures that should be implemented.

    Some starting points might be...

    (a) Is data kept on physically secured servers whenever possible?
        And never on workstations in an open area.
    (b) Are clear policies in place to define on what conditions users have access
        to what information?
    (c) Are those policies actually implemented by fine-grained access control
        setup on all servers and network equipment?
        * Are proper controls in place to prevent a user from obtaining and keeping
          more permissions than they need?
    (d) Are clear audit logs kept in a secure place to clearly indicate when an
        authorized user gains access to any workstation, network device, server, file,
        or item of sensitive information?
        * Are individual usernames used for all system administration?
          (No single username and password that all administrators use)
        * Are the audit logs kept in a manner that prevents unauthorized deletion?
        * Is it someone's job to regularly review system audit logs for unusual activity?
        * Is accountability in place to ensure the person is actually reviewing the logs
          and will recognize and report suspicious activity?
    (e) Are measures in place to enforce that any vendor security updates will be
        applied to all server and workstation software?
    (f) Are servers with sensitive data behind firewalls separate from workstations,
        and in a more secure security zone? (To protect against attacks originating
        at a workstation)
    (g) Are all unnecessary network services turned off on all servers and workstations?
    (h) For Windows workstations:
        * Are they Windows XP or higher?
        * Are EFS and full disk encryption in use for any situation where sensitive data
          is stored on the PC itself?
        * Is quality antivirus software installed, such as eEye Blink or ESET?
          * Is use of AV software enforced by system policy, managed from a central
            location, and not able to be uninstalled, disabled, or overridden by an
            end user?
        * Are time-of-day login restrictions in place, to prevent, say, a hacker
          from breaking in and logging in as a user during the night?
        * Are ALL Windows workstations a member of a domain?
        * Are strong password policies enforced, to prevent insecure passwords?
        * Is software update service deployed, and are update deployments enforced?
        * Is domain group policy configured to enforce a secure configuration,
          per the Microsoft Baseline Security Analyser guidelines?
        * Is domain group policy configured to limit access to tamper with security
          settings or install or run unauthorized software? (such as unknown keyloggers,
          or arbitrary executables, for example)
    (i) For each Windows server:
        * Is it physically secure?
        * Is suitable drive encryption set up?
        * For domain controllers: is SYSKEY set up with a secure passphrase?
        * Is network interactive login to all servers restricted to Administrators?
        * Is all server login activity logged and closely monitored?
        * Are they secured according to the Baseline Security Analyser guidelines?
        * Are the local admin passwords different for every server?
        * Is Encrypting File System (and other suitable measures) deployed?
        * Is a secure key recovery agent for Encrypting File System deployed?
    (j) Is a network IDS deployed to detect and alarm on suspicious activity on
        the internal LAN?
    (k) Is a security standard configured on network switches to prevent unauthorized
        devices being plugged into the LAN?
        e.g. 802.1x, MAC address filtering, port security (on switch ports)
    (l) Are workstations and servers used by users of different departments,
        trust levels, or security domains placed in different VLANs or behind
        their own firewall?
    (m) Is a clear network policy in place defining acceptable usage, and
        restricting access to risky sites that might lead to security compromise
        of a workstation?
        * Is this policy enforced by equipment at the border?
          I.e. is a web filter in place to block access to hacking-related sites,
          or sites that are likely to contain trojaned executables?
    (n) Is a fully vendor-supported firewall with any and all security patches
        in place at the network border?
        * Are all unnecessary network services turned off on the firewall?
        * Is all access from the outside restricted except where absolutely needed?
          For example: every internal service that does not have a specific
          need for access to or from the outside should not have that access.
        * Is suitable filtering of all outbound traffic in place to prevent use
          of any internet service or any internet activity other than the
          internet services needed for business reasons that HAVE to be done
          from workstations with sensitive data access?
        * Where possible, workstations without sensitive data access should be
          segregated, and internet access should be utilized only on "less secure"
        * Are all servers accessible by the public isolated from the sensitive
          network (by placing them in a DMZ or separate security zone)?
        * Is user access to the internal network limited to access by VPN?
          * Are VPNs rigidly configured so only the necessary remote activity
            is allowed?
            For example: only the files and servers that need to be accessed
            remotely by that user should be accessible.
          * Are VPN access credentials changed regularly?
    (o) Are inactive users periodically purged?
    (p) Are user permissions regularly reviewed, and permissions that
        are no longer absolutely needed or can no longer be justified removed?
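Several of the checklist items above (d: someone actually reviewing the audit logs, h: time-of-day login restrictions, o: purging inactive users) only hold up if the review is done routinely rather than by eyeballing a log viewer. The script below is an added example, not code from the question or the accepted answer, showing what that routine review can look like in Python. It assumes a simplified line-per-record JSON export of the Windows Security log (a constructed format; real forwarders use their own field names), and relies only on the standard meaning of event ID 4624 (successful logon) and logon types 2, 10 and 11 (console, RDP, cached interactive). The sample records, host names, user names and the 90-day idle threshold are all constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export: one JSON object per Windows Security event.
# 4624 = successful logon, 4625 = failed logon. Logon types: 2 console,
# 3 network (file share), 10 RDP. None of these records are real.
SAMPLE_LOG = """
{"time": "2008-07-01T08:00:00", "event_id": 4624, "user": "tlee", "host": "WS-HR-02", "logon_type": 2}
{"time": "2008-11-10T09:12:03", "event_id": 4624, "user": "jsmith", "host": "WS-FIN-01", "logon_type": 2}
{"time": "2008-11-10T02:47:55", "event_id": 4624, "user": "jsmith", "host": "WS-FIN-01", "logon_type": 10}
{"time": "2008-11-10T10:05:41", "event_id": 4624, "user": "administrator", "host": "SRV-DB-01", "logon_type": 10}
{"time": "2008-11-10T10:06:02", "event_id": 4625, "user": "jsmith", "host": "SRV-DB-01", "logon_type": 3}
{"time": "2008-11-10T11:30:00", "event_id": 4624, "user": "svc_backup", "host": "SRV-FS-01", "logon_type": 3}
"""

SUCCESSFUL_LOGON = 4624
INTERACTIVE_TYPES = {2, 10, 11}  # a person at a keyboard or RDP session, not a share mount


def parse_events(text):
    """Parse the line-per-record export into dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def successful_logons(events):
    return [e for e in events if e["event_id"] == SUCCESSFUL_LOGON]


def find_off_hours_logons(events, start_hour=7, end_hour=19):
    """Item (h): interactive/RDP logons outside the allowed daily window.

    A policy that only restricts logon hours but never checks for violations
    tells you nothing; this is the check. Window is [start_hour, end_hour).
    """
    return [
        e for e in successful_logons(events)
        if e["logon_type"] in INTERACTIVE_TYPES
        and not (start_hour <= e["time"].hour < end_hour)
    ]


def find_shared_admin_logons(events, shared_accounts=frozenset({"administrator"})):
    """Item (d): logons using a shared/built-in admin account instead of an
    individual username, which destroys accountability in the audit trail."""
    return [e for e in successful_logons(events) if e["user"].lower() in shared_accounts]


def find_inactive_accounts(events, known_users, now, max_idle_days=90):
    """Item (o): accounts in the directory with no successful logon in the
    last max_idle_days (never-used accounts count as inactive too)."""
    last_seen = {}
    for e in successful_logons(events):
        user = e["user"].lower()
        if user not in last_seen or e["time"] > last_seen[user]:
            last_seen[user] = e["time"]
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if last_seen.get(u.lower(), datetime.min) < cutoff)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    # Constructed account list, standing in for what a directory export would give.
    directory_users = {"jsmith", "administrator", "svc_backup", "rjones", "tlee"}
    review_date = datetime(2008, 12, 15)

    for e in find_off_hours_logons(events):
        print(f"OFF-HOURS LOGON  {e['time']}  {e['user']}@{e['host']} type {e['logon_type']}")
    for e in find_shared_admin_logons(events):
        print(f"SHARED ADMIN USE {e['time']}  {e['user']}@{e['host']}")
    for user in find_inactive_accounts(events, directory_users, review_date):
        print(f"INACTIVE ACCOUNT {user}: no successful logon in 90 days before {review_date.date()}")
```

Each finding maps back to a checklist item, which is the point: the check is only worth putting on the list if there is a defined query that produces a yes/no answer and a person assigned to run it. The 4625 failure record is deliberately ignored by the success-based checks so that failed attempts are not mistaken for activity when deciding whether an account is dormant.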
