What do all these security "items" mean in the colorchart? Can you please explain each item to some extent so both Managers and Systems Administrators have a "common ground" for definitions?

------------------------------------------------------------------------
revID: 4r  16_July_98  by: Bill Schell (e-mail: rhk657@email.mot.com)
------------------------------------------------------------------------

Basic OS Security:
 - key security risks that are part of the OPERATING SYSTEM (Windows 95, Unix, MacOS, Windows NT, Linux, VMS, CMS, Ultrix, etc.)

User Account Forms:
 - does each user account on the system have an auditable document with suitable authorization by management?
Annual Review:
 - is this document periodically reviewed as to applicability and continued management support?
paper or elec forms for ALL:
 - is there paper or electronic (auditable, legal) documentation for all, and are all signed, dated, etc.?
Password Aging:
 - is password aging rigorously enabled on all accounts, both user and root?
Logs reviewed monthly?
 - does a human (periodically) review the log, or review a grep'd or awk'd reduced file, to determine anomalies, and is this review documented in an auditable manner?
FTP fm/to Root:
 - is ftp in to / out from root disabled on all root accounts?
Access to Root only via 'su':
 - is this restriction enabled on all root accounts?
Root access log review & doc:
 - does a human (periodically) review the log, or review a grep'd or awk'd reduced file, to determine anomalies, and is this review documented in an auditable manner?
Periodic System Log Review:
 - does a human (periodically) review the log, or review a grep'd or awk'd reduced file, to determine anomalies, and is this review documented in an auditable manner?
CERT logged & reviewed:
 - is the site on a CERT mailing list, is the receipt of the CERT Alerts logged, and is the review of the alerts logged?
CERT patches done & logged:
 - are CERT alert updates / changes / patches logged and documented?
S/W License Inventory:
 - does the organization have a software inventory?
periodic review & doc:
 - is the inventory (periodically) checked against reality, is the check documented, and are anomalies logged, documented, and fixed, with those steps also logged and documented?
H/W Inventory:
 - same as for S/W inventory
periodic review & doc:
 - same as for S/W inventory

We use "ISS" to evaluate LAN vulnerabilities and desire a 100% check on all systems:
 - Any of the MANY publicly available and "for money" tools can be substituted here, but the concept of a rigorous application of A TOOL to get metrics on "where we are" is key to understanding the "now" and the "future desired state" of the network security.
ISS license, install, run:
 - do we have the tool's license, is it installed, and has it been run (at least once)?
ISS periodic run:
 - is it run periodically, and are those runs documented?
ISS period review & doc:
 - are the runs' logs reviewed and documented?
ISS HTML logs to Net Opns:
 - are the "reduced logs" sent to a central network monitoring / management group for review and consolidation across the whole organization?
ISS vulner fixed & doc'd:
 - are the vulnerabilities discovered in the runs fixed, and are those fixes documented in an auditable manner?
Audit-Compliant (1yr) Docs:
 - most "audit groups" want 1 year of documentation to yield an "acceptable" audit finding.

WAN Router Restrictions:
 - the Wide Area Network (WAN) router is the "main gateway" to / from the exterior environment, and therefore the main risk of penetration from outside sources...
Department Router Installed:
 - do you have the router on site, plugged in, configured, and operational?
Department Generic IP ACLs:
 - are ACLs implemented for e-mail, web, DNS, etc.?
Detail ACLs process & active:
 - are ACLs implemented for specific node-to-node accesses, with management sign-off and "need to know" authorization?
annual review of ACLs:
 - is each and every ACL annually reviewed and re-authorized by a suitable level of management, or removed, all in an auditable manner?
Audit Compliant (1yr) Docs:
 - has the organization been doing this for at least 1 year?
Firewall?
 - does a firewall to the external world exist? Same issues regarding both "generic" ACLs and detailed ACLs. Same issues regarding review of logs as with CERTs and root-log and system-log reviews.

Web Access Controls:
 - Web access is really just a "specialized case" of the above Router issue; it is a specialized application.
Caching Proxy installed:
 - yes / no
Appropriate Use form signed:
 - this is a similar form to the above "user account form" (similarly worded, but with specifics about Web-Access issues), being "appropriate to (your company) business and what you pay our employees to do".
Annually reviewed?:
 - is each employee's form annually reviewed and re-signed by both employee and management?
X.500 accts (or equiv):
 - does the company use X.500 and/or some similar directory structure, and is this structure updated and/or are accounts disabled within a defined time-frame when/if people leave the organization?
users awareness of logging:
 - have users been warned of the logging of their web accesses to outside sites and of the detail offered by the logs?
web access logging turned on:
 - is web-access logging turned on?
periodic log review:
 - are there periodic reviews of logs and/or grep'd / awk'd logs, and where is this documented in an auditable manner?
discipline in place:
 - have employees been informed of the results of failure to comply with activities documented in the "Appropriate Use" document? IS MANAGEMENT WILLING AND ABLE TO EXECUTE ON THIS/THESE GUIDELINES?
Audit Compliant (1yr) Docs:
 - has the organization been doing this for at least 1 year?

Backup-Recovery Plan & Process:
Offsite Backup Storage:
 - is a copy of the backup tapes stored off-site?
doc & user list & process:
 - is the documentation and data for data recovery stored off-site, along with a list of users able and authorized to execute this recovery strategy?
Backup docs-procs offsite:
"twins" tapes run:
 - see item 1: one copy of backup tapes stored off-site.
secondary recov admin assigned:
 - is there more than 1 person qualified and "bought-in" to do recovery, and does management support that role?
Audit Compliant (1yr) Docs:
 - has the organization been doing this for at least 1 year?

Disaster Recovery Plan:
Have done BIA (Business Impact Analysis) & is it documented?
BIA periodically reviewed if organization is over 100 people:
 - (to ensure that currently "key" projects are the ones to be restored first, in the event of disaster.)
Have Draft Plan: ?
Have complete Plan?
 - Is there a distribution list, is there documentation, and is that periodically reviewed? Are all copies on the distribution list collected and owners given new copies upon updating?
Tested Plan:
 - has the DRP (Disaster Recovery Plan) been (FULLY) tested?
Test has documented & a (failure-list) has a correction plan: ?
Re-Test's scheduled / periodic:
 - is there evidence of periodic retesting? Is it auditable?
Audit Compliant (1yr) Docs:
 - has the organization been doing this for at least 1 year?

Miscellaneous:
Annual Network arch review:
 - A network designed and built last year may not meet your business needs next year. At least once a year someone needs to review and ask the question: "Is this network architecture applicable to the way we do business today and for the next year?"
Physical Security:
 - a whole plethora of questions, most of which are dependent on organizational requirements...
Server room has auditable lock:
 - (yes/no) if it has an auditable lock, does the periodic review of the logs from the auditable lock have documentation of auditable quality?

Year 2000 Compliance:
Awareness Video by all?
Focused Champion/Team?
Inventory of OS/Apps/etc?
Plan?
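The following is an added example and is not part of the colorchart or of Bill Schell's answer above. It is a small shell script that checks three of the "Basic OS Security" items (Password Aging, FTP fm/to Root, and the grep'd / awk'd reduction of the root access log that the "Root access log review & doc" item asks for) against constructed sample files. The shadow-file layout (max-age in field 5), the ftpusers deny-list convention, the syslog su line format, the "ops" allow list and every sample record are assumptions made for the example, not data from any real system.

```shell
#!/bin/sh
# Added example, not part of the original checklist or Bill Schell's answer.
# Checks three "Basic OS Security" items on constructed sample files:
#   Password Aging, FTP fm/to Root, and the grep'd/awk'd reduction of a root
#   access (su) log to the anomalies a reviewer would look at.
# Assumptions: a Linux/Solaris-style shadow file (max-age in field 5), a
# BSD/Linux-style ftpusers deny list, and syslog su lines of the form
#   "<mon> <day> <time> <host> su: <+|-> <tty> <user>-<target>"
# ('+' success, '-' failure). Usernames are assumed not to contain '-'.

# Password Aging: print accounts whose max-age field is empty or 99999
# (aging effectively off). Locked accounts ('*' or '!' password) are skipped.
password_aging_gaps() {
    awk -F: '$2 !~ /^[*!]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# FTP fm/to Root: root must appear in the ftpusers deny list.
# Exit status 0 when root is denied ftp, 1 when it is not.
ftp_root_denied() {
    grep -qx root "$1"
}

# Root access log review: reduce the su log to failed attempts and to
# successful su-to-root by anyone outside the allow list ($2, comma-separated).
su_anomalies() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 == "su:" {
            split($8, p, "-"); user = p[1]; target = p[2]; when = $1 " " $2 " " $3
            if ($6 == "-")
                print "FAILED  " user " -> " target "  (" when ")"
            else if (target == "root" && !(user in ok))
                print "UNAUTH  " user " -> root  (" when ")"
        }' "$1"
}

# Constructed sample input (not from any real system), written into "$1".
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:$1$abc:10000:0:90:7:::
bin:*:10000:0:::::
jdoe:$1$def:10000:0:99999:7:::
ops:$1$ghi:10000:0:60:7:::
guest:$1$jkl:10000:0::::
EOF
    cat > "$1/ftpusers" <<'EOF'
root
bin
daemon
EOF
    cat > "$1/sulog" <<'EOF'
Jul 16 08:01:11 srv1 su: + pts/1 ops-root
Jul 16 08:05:42 srv1 su: - pts/2 jdoe-root
Jul 16 08:05:50 srv1 su: - pts/2 jdoe-root
Jul 16 09:12:03 srv1 su: + pts/4 jdoe-root
Jul 16 09:30:00 srv1 su: + pts/5 ops-oracle
Jul 16 10:00:00 srv1 sshd: connection from 10.0.0.5 (unrelated line, ignored)
EOF
}

# Print the findings in a form that can be filed as the "documented review".
report() {
    echo "== accounts without password aging =="
    password_aging_gaps "$1/shadow"
    echo "== ftp to root =="
    if ftp_root_denied "$1/ftpusers"; then echo "denied (ok)"; else echo "ALLOWED - fix ftpusers"; fi
    echo "== su anomalies (allowed to su to root: ops) =="
    su_anomalies "$1/sulog" ops
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
report "$SAMPLES"
```

Run it with sh. On the sample data it reports jdoe and guest as having no password aging, confirms root is denied ftp, and reduces the six log lines to three anomalies: two failed su attempts by jdoe and one successful su to root by jdoe, who is not on the allow list. To use it against a real host, run as root and point the three functions at the host's shadow file, ftpusers file and su log, adjusting the awk field positions if that system's log format differs from the one assumed here; keeping the dated report output with the reviewer's name is what turns the review into the auditable record the checklist asks for.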