Unit Name: ___________________ Sub-Unit Name: ___________________ |
|||
Risk Assessment Questions: General |
|||
|
Yes | No | Documentation location or explanation for not following |
A. Physical Security |
|||
1. Are all computers located in areas that are not easily accessible to outsiders? |
|
|
|
2. Are mission critical systems located in a locked location to which access is restricted to authorized personnel only? |
|||
3. Are faculty and staff taking responsibility for locking doors and windows where computers are housed? |
|
|
|
4. Has physical security been reviewed with the University Police and Facilities Management? |
|
|
|
5. Are department desktops and notebooks equipped with anti-theft devices? |
|
|
|
6. Are authorized personnel the only ones with access to departmental keys?
|
|
|
|
7. Are department servers physically secure in a separate area?
|
|
|
|
8. Are servers in environmental control areas? Smoke detectors? Water detectors? Fire suppression systems? Temperature sensors? |
|
|
|
9. Are servers stored near a large auditorium, which could be targeted by pranksters or terrorists? |
|
|
|
10. Are uninterruptible power supplies (UPS) with surge protection used on servers and other important hardware? |
|
|
|
11. Are surge protectors (at least) used on desktop computers? |
|
|
|
12. Are individual firewalls installed on any desktops, laptops or servers in the department? |
|
|
|
13. Are hacker attempts on desktops, laptops and servers reported to abuse@virginia.edu? |
|
|
|
14. Is there an accurate inventory of all computing equipment and software? If so, is a copy of the inventory stored off-site?
|
|
|
|
B. Account & Password Management |
|||
1. Do you have defined documented criteria for granting access based on job responsibilities? |
|
|
|
2. Are all sensitive data used for authenticating a user, such as passwords, stored in protected files? |
|
|
|
3. Are users authorized to access only those resources required to perform their jobs and nothing more? |
|
|
|
4. Does the department deactivate accounts for terminated or transferred employees in a timely manner? |
|
|
|
5. Does the department periodically review current employee accounts that have not been used in a long time and consider deactivating them? |
|
|
|
6. Does the department disallow shared accounts? (For email, use mailing lists rather than shared accounts if multiple people need to review the same messages; for file servers, use group memberships rather than generic accounts.) If not, is use of shared accounts audited frequently? |
|
|
|
7. Has the department emphasized to users that their password, along with their computing ID, is the key to their electronic identity? |
|
|
|
8. Does the department have a policy on keeping passwords confidential? (See Responsible Computing Handbook and Oracle User Responsibility Acknowledgement and Agreement.) |
|
|
|
9. Does the department assist users in selecting passwords that will ensure privacy while promoting regular use? (See ITC and/or HS/CS guidelines.) |
|
|
|
10. Does the department require that passwords not be written down or shared, except for purposes of escrow? |
|
|
|
11. Does the department securely escrow passwords for accounts that may need to be accessed in the absence of their normal administrator or in an emergency situation? (A short overview of and rationale for password escrow is available here.) |
|
|
|
12. Does the department require that passwords be periodically changed? |
|
|
|
13. Is there a reasonable “previous used” password history list to deter users from repetitive use of the same password? |
|
|
|
14. Does the department require passwords for access to department workstations and servers? |
|
|
|
15. Does the department require the use of password-protected screen savers, automatic application timeouts and automatic network log-offs? |
|
|
|
16. Does the department log and review multiple tries to enter a password for a given account? (The U.Va. Audit Department suggests locking out a user after three unsuccessful log-in attempts.) |
|
|
|
17. Does the department disallow modems attached to servers and desktops that can receive calls? |
|
|
|
C. Virus Protection |
|||
1. Is Norton or other anti-virus software installed on all department computers? |
|
|
|
2. Is a procedure for updating the anti-virus software in place? For personal systems, if this is up to the user, are instructions and recommended update intervals provided? |
|
|
|
3. Does the department remind users to scan regularly in addition to updating? |
|
|
|
4. If users become infected with a computer virus, do they know what to do? |
|
|
|
5. Does the department advise users to check the Norton Anti-Virus setting “Enable File System Real-time Protection”? |
|
|
|
6. Has automatic execution of Microsoft Office macros and Visual Basic Scripting programs been disabled on all department computers? |
|
|
|
7. Has the department reminded users to open only attachments they are expecting? |
|
|
|
8. Does the department advise users that the setting “View my Active Desktop as a web page” can generate virus contamination if visiting a Web site that has a virus? |
|
|
|
D. Data Backup and Recovery |
|||
1. Are faculty and staff aware of their personal computer backup options? Do they have instructions for the options and recommended backup cycles? |
|
|
|
2. Does the department regularly back up department servers? Does the server backup procedure include secure off-site storage? |
|
|
|
3. Does the department periodically test restoration of personal and server files? |
|
|
|
4. Do users store all local data in a single directory to simplify backup of personal data and ensure all data is captured? |
|
|
|
5. Does the department comply with Commonwealth of Virginia Library archive requirements? |
|
|
|
6. Are backup needs periodically reviewed?
|
|
|
|
E. Operating Systems |
|||
1. Are only ITC and/or HS/CS-supported operating systems used? |
|
|
|
2. Are appropriate operating system updates and security patches being applied in a timely manner to all department computers and servers? |
|
|
|
3. Are servers and desktops periodically scanned by ITC for security vulnerabilities? |
|
|
|
4. Have unnecessary services and features in desktop and server operating system configurations been disabled? |
|
|
|
5. Is the use of shared drives or folders between desktop computers (peer-to-peer sharing) prohibited or restricted? |
|
|
|
6. Is it verified that file permissions are properly set on servers? |
|
|
|
F. Application Software |
|||
1. Are appropriate application software updates and security patches being applied in a timely manner to all department computers and servers? |
|
|
|
2. Has the macro security level been set to medium or high in MS Office applications? |
|
|
|
3. If not needed for department applications, has the automatic execution of Visual Basic Scripting (VBS) programs been disabled? |
|
|
|
4. Have faculty and staff been instructed to place on-line orders only through secure Web sites? |
|
|
|
5. If employees are allowed to install U.Va. and/or HS/CS licensed software at home, is it for work-related purposes only, and has the appropriate user acceptance form been completed and returned to the appropriate person? |
|
|
|
6. Does the staff have the appropriate level of access to applications based on their current responsibilities? |
|
|
|
7. Is application access promptly removed for employees who have left the department? |
|
|
|
G. Confidentiality of Sensitive Data |
|||
1. Are all locations of automated and manual sensitive data records in the department known? |
|
|
|
2. Is access to sensitive data under the department’s control restricted? |
|
|
|
3. Is ownership of data clearly defined? |
|
|
|
4. Do data owners determine appropriate levels of data security required?
|
|
|
|
5. Is access to information technology resources explicitly granted to personnel by data owners? |
|
|
|
6. Is sensitive data removed from hardware, software and media prior to reuse or disposal according to University policy? |
|
|
|
7. Have the faculty who are conducting research determined if the data they are collecting should be classified as sensitive?
|
|
|
|
8. Do the faculty and staff who administer sensitive data understand and follow appropriate federal, state, grant agency, or university regulations for protecting and backing up data? |
|
|
|
9. Are student workers given access to confidential teaching, research or administrative data? If so, is their use of such data monitored closely? |
|
|
|
10. Are authentication, authorization, and data security policies established by data owners protected from compromise during data sharing and systems interoperability? |
|
|
|
11. Are user agreements clearly stating required authentication and protection levels established with all external agencies and institutions with which data are shared? |
|
|
|
12. Is the unencrypted transmission of sensitive data or memos through e-mail discouraged? |
|
|
|
13. Do web-enabled transactions that require user authentication, transfer sensitive data, or transfer funds use encryption, such as SSLv3? |
|
|
|
14. For employees who have remote access to the University Mainframe, and/or the Medical Center Secure Network aware that a VPN must be running to access these areas? |
|
|
|
15. Are the employees who have VPN access aware they should be disconnecting from the VPN when not in use and when away from their desk? |
|
|
|
16. If the department has a wireless network, is the network encrypted? If so, what type of encryption is used?
|
|
|
|
17. Are cryptology technologies for data storage and transmission of data based upon open standards?
|
|
|
|
18. Are encryption key management policy and procedures in place to ensure the integrity and recovery of encryption keys? |
|
|
|
H. Security Awareness and Education |
|||
1. Do the faculty and staff fully understand their responsibility for computer security? |
|
|
|
2. Have all copies of department software been properly licensed and registered? |
|
|
|
3. Has the University’s copyright policy been distributed and discussed within the department? |
|
|
|
4. Have University and/or Medical Center and department-specific security policies and procedures been documented and shared with all faculty and staff? |
|
|
|
5. Are faculty and staff keeping current on University and/or HS/CS security issues and alerts? |
|
|
|
6. Are suspected violations of security appropriately reported to a designated system or departmental administrator?
|
|
|
|
7. Do your system administrators and LSPs have training commensurate with the level of expertise required, which may include ability to identify threats, vulnerabilities and risks specific to your information resources? |
|
|
|
8. Are individuals involved in information technology management, administration, design, development, implementation, and/or maintenance aware of their security responsibilities and how to fulfill them? |
|
|
|
9. Does training for these individuals enable them to identify and evaluate threats, vulnerabilities, and risks and understand best practices relevant to the systems components and resources for which they are responsible? |
|
|
|
I. Publicly Accessible Computers (Computing lab, public kiosks, etc.) |
|||
1. Are the computers created with a software image configured for the greatest practicable restrictions on disk access, software installation and user rights? |
|
|
|
2. Are the computers refreshed frequently (daily, if possible) to force reversion to the designated software image and the removal of personal data? |
|
|
|
3. Are log-in IDs required?
|
|
|
|
4. Is information posted (either by sign or log-in screen) warning users to log out of all applications, Web sessions, server connections, etc. to prevent access to their personal data by subsequent users? |
|
|
|
5. Are extensive anti-theft devices utilized, including locking down all peripherals and locking the computer case?
|
|
|
|
J. Review and Response |
|||
1. Is there a documented procedure for handling exceptions to security policies and standards? Does this procedure include higher management level review of exception approvals?
|
|
|
|
2. Are particularly sensitive systems and infrastructures formally identified on a periodic basis? |
|
|
|
3. Do procedures for development, installation, and changes to systems and infrastructures include review and approval steps for security implications and design features? |
|
|
|
4. Do you have a written process for handling known suspected breaches to security safeguards (e.g. intrusion detection)? |
|
|
|
5. Is a process in place to identify and evaluate threats and to assign appropriate action based upon risks? |
|
|
|
6. Does firewall technology have security logging turned on? |
|
|
|
|
Name: __________________________ |
Approved by: Unit head Name: _____________________________ Signature: __________________________ |
||
ITS-RM Home | Step 2.1 | Step 2.1: General - Step 2.1: HIPAA - Step 2.1: GLBA/FERPA | Step 2.2