Security & Sensitive Data Review Checklist (internal and external)?

I need to develop a security and sensitive data review checklist - both for internal (behind the customer's firewall) and external (outside the customer's firewall).  For example, as an internal checklist we would look at things such as are laptop hard drives encrypted?  Do employees carry any sensitive data on their laptops?  Are workstation screen savers enabled with password protection? etc.  For external I would look at things like do they have a wireless access point?  If so, is WEP or WPA enabled?  Is the broadcast of the SSID turned off?  Have they had anyone do a probe of their main firewall to look for holes? etc.

Rather than start from scratch I was hoping someone could point out a list or online document that might match the criteria I've set forth above - something I could leverage as a starting point.

Any pointers are appreciated.  Thanks!
1 Solution
With a wireless AP: SSID broadcast should never be turned off as it is non-standard, breaks access, compromises proper wireless performance, and doesn't improve security. Use of WEP is a security risk; I can crack a 40-bit WEP key in less than 12 hours. At a bare minimum, WPA2 with AES should be used, or the Wireless AP should be outside the firewall with clients using VPN for access to internal networks.

This is the problem with security checklists; they tend to accumulate ad-hoc measures that don't actually improve or ensure security. WEP may have been secure 5 years ago, but not today.
There are multiple right ways to do things (no one checklist applies to all situations).

A checklist would need to be painstakingly reviewed to be useful, otherwise there will be a lot of resources wasted implementing the wrong measures for the situation and still missing important security measures that should be implemented.

Some starting points might be...

  (a)  Is data kept on physically secured servers whenever possible?  
         And never on workstations in an open area.
  (b) Are clear policies in place to define on what conditions users have access
        to what information?        
  (c) Are those policies actually implemented by fine-grained access control
       setup on all servers and network equipment?
        * Are proper controls in place to prevent a user from obtaining and keeping
           more permissions than they need?
  (d) Are clear audit logs kept in a secure place to clearly indicate when an
       authorized user gains access to any workstation, network device, server, file,
       or item of sensitive information?
         * Are individual usernames used for all system administration?
            (No single username and password that all administrators use)
         * Are the audit logs kept in a manner that prevents unauthorized deletion?
         * Is it someone's job to regularly review system audit logs for unusual activity?
         * Is accountability in place to ensure the person is actually reviewing the logs
            and will recognize  and report suspicious activity?
  (e) Are measures in place to enforce that any vendor security updates will be
       applied to all server and workstation software?
  (f) Are servers with sensitive data behind firewalls separate from workstations,
       and in a more secure security zone?  (To protect against attacks originating
       at a workstation)
  (g) Are all unnecessary network services turned off on all servers and workstations?
  (h) For windows workstations:    
       * Are they Windows XP or higher?
       * Are EFS and full disk encryption in use for any situation where sensitive data is stored on the PC itself?
       * Is quality antivirus software installed, such as eeye blink or eset?
          * Is use of AV software enforced by system policy, managed from a  
             central location, and not able to be uninstalled, disabled, or overridden
             by an end user?
       * Are time-of-day login restrictions in place, to prevent say, a hacker
          from breaking in and logging in as a user during the night?
       * Are ALL windows workstations a member of a domain?
       * Are strong password policies enforced, to prevent insecure passwords?
       * Is software update service deployed, and are update deployments enforced?
       * Is domain group policy configured  to enforce a secure configuration?
            Per the Microsoft security baseline analyser guidelines.
       * Is domain group policy configured to limit access to tamper with security
          settings or install or run unauthorized software?  (such as unknown keyloggers, or arbitrary executables, for example)
   (i) For each windows server:
        * Is it physically secure?
        * Is suitable drive encryption setup?
        * For domain controllers: is SYSKEY setup with a secure passphrase?
        * Is network interactive login to all servers restricted to Administrators?
        * Is all server login activity logged and closely monitored?
        * Are they secured according to the Baseline security analyser guidelines?
        * Are any local admin passwords different for every server?
        * Is encrypting filesystem (and other suitable measures) deployed?
        * Is a secure key recovery agent for encrypting filesystem deployed?

   (j) Is a network IDS deployed to detect and alarm on suspicious activity on
        the internal LAN?

   (k) Is a security standard config'ed on network switches to prevent unauthorized
        devices being plugged into the LAN?
        e.g.  802.1x,  MAC address filtering, port security  (on switch ports)
   (l) Are workstations and servers used by users of different departments,
        trust levels, or security domains placed in different VLANs  or behind
        their own firewall?
   (m)  Is a clear network policy in place defining acceptable usage, and
          restricting access to risky sites that might lead to security compromise
          of a workstation?
          * Is this policy enforced by equipment at the border?
             I.E. is a web filter in place to block access to hacking-related sites,
             or sites that are likely to contain trojaned executables.
   (n)   Is a fully vendor-supported firewall with any and all security patches
           in place at the network border?
           *   Are all unnecessary network services turned off on the firewall?
           *   Is all access from the outside restricted except where absolutely needed?
                For example: every internal service that does not have a specific
                need for access to or from the outside, should not have that access.
           *   Is suitable filtering of all outbound traffic in place to prevent use
                of any internet service or any internet activity other than the
                internet services needed for business reasons
                that HAVE to be done from workstations with sensitive data access?

        *      Where possible, workstations without sensitive data access should be
                segregated, and internet access should be utilized only on "less secure"

           *   Are all servers accessible by the public isolated from the sensitive
                network  (by placing them in a DMZ or separate security zone) ?
           *   Is user access to the internal network limited to access by VPN ?
               * Are VPNs rigidly configured so only the necessary remote activity
                  is allowed?
                  For example: only the files and servers that need to be accessed
                  remotely by that user should be accessible.
                * Are VPN  access credentials changed regularly?

    (o)     Are inactive users periodically purged?
    (p)     Are user permissions regularly reviewed, and permissions that
             are no longer absolutely needed or can no longer be justified removed?
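
As an added illustration (this is not part of the answer above or of any vendor's tooling), here is a read-only PowerShell audit that reports on several of the host-level items from the list: domain membership and disk encryption from (h), screen saver locking from the question's own example, antivirus registration and central update enforcement from (h), password policy from (h), logon auditing and RDP logon restriction from (i), the host firewall from (n), stale local accounts from (o), and the Wi-Fi authentication mode the client is currently using. It assumes an elevated session on an English-language Windows 10 / Server 2016 or later (the cmdlets and the parsed `net accounts` strings are version- and locale-dependent), and the pass thresholds (12-character minimum, 90 days of inactivity) are my own choices, not values from the answer.

```powershell
# Added example, not from the original answer: a read-only audit of several
# checklist items against the local Windows machine. Run as Administrator;
# nothing is changed, each item is reported as Pass/Fail with a detail string.

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# (h) OS version and domain membership
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Member of a domain' $cs.PartOfDomain "$($os.Caption); domain/workgroup: $($cs.Domain)"

# (h)/(i) Full disk encryption on the system drive (BitLocker cmdlets are absent on Home editions)
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Check 'System drive encrypted' ($vol.ProtectionStatus -eq 'On') "VolumeStatus: $($vol.VolumeStatus)"
} else {
    Add-Check 'System drive encrypted' $false 'BitLocker cmdlets not available on this edition'
}

# Password-protected screen saver for the current user; the policy key overrides the user key
$pol  = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
$user = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$secure  = if ($pol.ScreenSaverIsSecure) { $pol.ScreenSaverIsSecure } else { $user.ScreenSaverIsSecure }
$timeout = if ($pol.ScreenSaveTimeOut)   { $pol.ScreenSaveTimeOut }   else { $user.ScreenSaveTimeOut }
Add-Check 'Screen saver locks the session' ($secure -eq '1') "Timeout: $timeout s; enforced by policy: $([bool]$pol.ScreenSaverIsSecure)"

# (h) Antivirus product registered with Security Center (namespace exists on workstation editions only)
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
Add-Check 'Antivirus product registered' ([bool]$av) (($av | ForEach-Object displayName) -join ', ')

# (h) Updates enforced from a central WSUS server via Group Policy
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Check 'Central update server enforced' ([bool]$wu.WUServer -and $au.UseWUServer -eq 1) "WUServer: $($wu.WUServer)"

# (h) Effective password policy ('net accounts' output is locale-dependent; English assumed)
$acct    = net accounts
$minLen  = [int](($acct | Select-String 'Minimum password length').Line -replace '.*:\s*', '')
$lockout = ($acct | Select-String 'Lockout threshold').Line -replace '.*:\s*', ''
Add-Check 'Minimum password length >= 12' ($minLen -ge 12) "Min length: $minLen; lockout threshold: $lockout"

# (i) Logon auditing enabled ('auditpol /r' emits CSV, which ConvertFrom-Csv parses)
$aud     = auditpol /get /subcategory:Logon /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
$setting = $aud.'Inclusion Setting'
Add-Check 'Logon events audited (success and failure)' ($setting -eq 'Success and Failure') "Logon: $setting"

# (i) Remote interactive (RDP) logon granted only to Administrators (well-known SID S-1-5-32-544)
$cfg = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
$sids = @()
if ($line) { $sids = ($line -replace '.*=\s*', '') -split ',' | ForEach-Object { $_.Trim() } }
Remove-Item $cfg -ErrorAction SilentlyContinue
$others = @($sids | Where-Object { $_ -ne '*S-1-5-32-544' })
Add-Check 'RDP logon restricted to Administrators' ($others.Count -eq 0) "Granted to: $($sids -join ' ')"

# (n) Host firewall enabled on every profile
$fw = Get-NetFirewallProfile
Add-Check 'Firewall enabled on all profiles' (@($fw | Where-Object { -not $_.Enabled }).Count -eq 0) `
    (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# (o) Enabled local accounts that have never logged on or not in the last 90 days
$stale = @(Get-LocalUser | Where-Object { $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-90)) })
Add-Check 'No stale enabled local accounts' ($stale.Count -eq 0) (($stale | ForEach-Object Name) -join ', ')

# Wireless client side: authentication mode of the current connection, if any (WPA2 or WPA3 expected)
$wlan = netsh wlan show interfaces 2>$null
$auth = ($wlan | Select-String 'Authentication\s*:').Line -replace '.*:\s*', ''
if ($auth) { Add-Check 'Wi-Fi uses WPA2 or WPA3' ($auth -match 'WPA[23]') "Authentication: $auth" }

$results | Format-Table -AutoSize -Wrap
```

The script only reads configuration, so it can be run on a workstation or server as part of a review without side effects; the screen saver and Wi-Fi checks describe the session and adapter of the user running it, so on a shared machine they need to be repeated per user. Items the answer lists that are not local facts (whether local admin passwords differ across servers, whether anyone actually reviews the audit logs) still have to be checked by inspection or interview rather than by a script.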

