
Information Type: Company-Wide Sample Format

INTEK-MC - Strawman Risk Analysis

1.  Introduction
2.  Management - 10 items
3.  Physical Security - 35 items
4.  Personnel Security - 8 items
5.  Information Security - 16 items
6.  Network Security - 14 items
7.  Software Security - 41 items
8.  Hardware Security - 31 items
9.  Procedural Security - 17 items
10.  C2 Additional Certification Requirements - 5 items

Introduction

This checklist is to be used in lieu of other methods for risk analysis of networked, or multi-user, computer systems that will process sensitive information. Most questions are structured to elicit a 'yes' answer; a 'no' response usually indicates an inadequate or questionable level of security. (A few items are phrased the other way round, for example Physical Security 7 and 10, Software Security 13 and Hardware Security 5 and 8, where a 'yes' answer is the one that identifies an exposure.) 'NO' responses in the final risk analysis document do not necessarily mean your system cannot or will not be approved. However, if any 'NO' response cannot be eliminated, please do the following:

a. Call your Assurance Protection Office (APO) to discuss the importance or security impact of a specific 'NO' answer.

b. Legibly annotate the checklist immediately below each question explaining why you believe that the 'NO' answer will not seriously affect the security posture of the system. If additional space is required please provide this information on a separate piece of paper. Please be sure to reference the question you are explaining.

Items preceded by "(C2)" indicate an item that must be true if the system is to achieve C2 Certification. C2 is mandated by DOD DIR 5200.28 for all MULTI-USER COMPUTER SYSTEMS.

Management

1. Are the Computer System Manager (CSM), Computer
System Security Officer (CSSO), and Network Manager (NM)
aware of their responsibilities? Have they established policy
and control standards to ensure systems/networks are secure and
well controlled? Y N NA

2. Have a Computer System Security Officer (CSSO) and
Network Security Officer (NSO) been appointed in writing
by the using organization to be responsible for the
security of this system? Y N NA

3. Are the CSSO and NSO trained and familiar with the security
plans and procedures? Y N NA

4. Do the security procedures prepared by the CSM and
NM cover each of the security disciplines (physical, personnel,
information, communication security, software, hardware and procedural)? Y N NA

5. Do the communications-computer system security
procedures and security training programs cover the
security needs of all persons accessing the network
computer system? Y N NA

6. Has the CSM assessed the potential impact of the
loss of data files, or loss of integrity of the data
files, referred to as the Sensitivity and Criticality Assessment? Y N NA

7. As a result of this assessment, has a contingency plan
been developed? Y N NA

8. Are the security mechanisms of the system/network
tested and found to be working as described in the system
documentation? (The Security Test & Evaluation (ST&E)
should validate that there are no obvious ways for an
authorized user to bypass or defeat the security
mechanisms of the system/network.) Y N NA

9. Is the Network Architecture properly documented? Y N NA

10. Is the Network Architecture document reviewed periodically
and updated to reflect changing conditions? Y N NA

Physical Security

1. What methods are employed to restrict entry to the
network/computer facility or office (Check Y for methods used)?

a. Combination dial lock? Y N NA

b. Cipher or electromechanical locks? Y N NA

c. Access point guard? Y N NA

d. Fence? Y N NA

e. Alarm System? Y N NA

f. Electronic badge system? Y N NA

g. Photo badge system? Y N NA

h. Access list? Y N NA

i. Key locks? Y N NA

(1) Has a key control system been established? Y N NA

(2) Is issue of keys kept to a minimum and on
an as needed basis? Y N NA

(3) Is a key sign out log maintained? Y N NA

2. Are restricted and controlled area boundaries posted with
signs? Y N NA

3. Is the network/computer facility manned 24 hours a day,
seven days a week? Y N NA

4. Is the network/computer facility manned by at least two
personnel during operating hours? Y N NA

5. How is access to remote terminals and servers
controlled (check Y for methods used)?

a. Combination dial locks? Y N NA

b. Dead-bolt locks? Y N NA

c. Locking terminals? Y N NA

d. Cipher or electromechanical door locks? Y N NA

e. Alarm System? Y N NA

f. Access point guard? Y N NA

g. Electronic badge system? Y N NA

h. Access list? Y N NA

i. Passwords? Y N NA

j. Other Y N NA

6. Is the equipment arranged to prevent unauthorized
viewing of sensitive unclassified information through
windows, doorways, over partitions, etc.? Y N NA

7. Obtain and compare lists of all people who have
access to the network/computer facility by passwords, badges,
combinations, keys, etc. Are there any discrepancies
among these lists? Y N NA

8. Are network access control lists monitored and updated
on regularly scheduled basis? Y N NA

9. Review the last security penetration and fire drill
exercises; have corrective actions been implemented? Y N NA

10. Is the structural security of the facility or office
deficient? (Look for entry doors, skylights, windows,
false walls, or false ceilings which could be used to
gain unauthorized access to the facility or office,
especially in facilities not manned continuously.) Y N NA

11. Are magnetic storage media and libraries protected? Y N NA

12. Are local area network communications lines and
equipment secure? Y N NA

13. Are the local area network communications lines
shielded? Y N NA

14. Is access to the system's patch panel controlled? Y N NA

Personnel Security

1. Will all personnel with unrestricted access into the
immediate system/network area have a need-to-know for the
data being stored or processed in the system? Y N NA

2. Will visitors be monitored while in the immediate
terminal and/or system/network area? Y N NA

3. Do all personnel having unescorted access to the system/
network have a need to know for the highest sensitivity of
information being processed during their access? Y N NA

4. When employees or functional users are relieved of duty
or moved to another job:

a. Are their special authorizations terminated? Y N NA

b. Are they immediately denied access to system/network
terminals/PCs, the computer facility or office? Y N NA

c. Are passwords, locks, combinations, etc., changed
promptly (i.e., end of day, within 24 hours, immediately)? Y N NA

5. Are unknown personnel challenged for entry into the
computer/network facility or office area? How well
was your security test entry challenged? Y N NA

Information Security

1. Is there a designated central point for receiving and
disseminating sensitive data? Y N NA

2. Are couriers briefed on their responsibilities for
handling sensitive information? Y N NA

3. Are couriers' identification and need to know verified
before sensitive products are released to them? Y N NA

4. Has someone been designated an accountable custodian for
disseminating and destroying sensitive data? Y N NA

5. Are there procedures for accounting for any
removable magnetic media? Y N NA

6. Are tapes and disks kept in their containers until
actually placed in use? Y N NA

7. Are magnetic media tested periodically for read-write
problems and bad sectors? Y N NA

8. Are output products containing sensitive information
separated from other products? Y N NA

9. Is waste-products disposal consistent with its
sensitivity? Y N NA

10. Do your policies make the customer responsible for:

a. Verifying that no extraneous data are included in
their output products? Y N NA

b. Reporting all security discrepancies to the CSSO,
TASO, or their designated representative? Y N NA

11. Are sensitive/critical tapes and disks degaussed or
purged when no longer required by the user? Y N NA

12. Are tapes and disks appropriately labeled? Y N NA

13. Does the CSSO or an authorized individual approve and
verify the clearing of sensitive unclassified information from all
previously sensitive equipment or media? Y N NA

14. When sensitive unclassified information is processed,
are all products and media labeled and marked as such? Y N NA

15. Are all sensitive products and waste properly disposed
of by shredding or burning? Y N NA

Network Security

1. Has the sensitivity of aggregated data been considered
in determining network security requirements? Y N NA

2. Does security protection correspond to the sensitivity
level of the information processed by the network? Y N NA

3. Are network configuration changes reviewed by the
Network Security Manager (NSM) or Network Security Officer
(NSO) for possible network security impacts? Y N NA

4. Are all access attempts recorded, including dial-ins? Y N NA

5. Are users locked out after three invalid attempts
to log-in? Y N NA

6. Does the NSO authorize reinstatement after a user
has been locked out of a network processing sensitive
unclassified data? Y N NA

7. Are all network interconnections with other networks
documented in an interconnection agreement? Y N NA

8. Are all interconnected networks operating at the same
security level? Y N NA

a. If not, are proper security filters, guards, gateways
in place? Y N NA

9. Does the network support and provide the necessary encryption
mechanisms and security protocols? Y N NA

10. Are Dial-in accesses controlled as follows:

a. Have they been approved on an individual basis? Y N NA

b. Are dial-ins centrally controlled? Y N NA

c. Are controls adequate for the number of dial-ins allowed? Y N NA

d. Is the number of dial-ins strictly controlled and
monitored? Y N NA

Software Security

1. Are modifications and updates to the operating system formally
approved, documented, and verified by the appropriate
authority prior to entering into operational status? Y N NA

2. Are modifications to software/control info coordinated/
synchronized with other nodes in the network where multiple
ownership is present? Y N NA

3. Are the network operating system and its components properly
backed up prior to any modifications? Y N NA

4. Do you control access to data files:

a. At the file level based on need to know? Y N NA

b. By logical partitions within a file
(i.e. by block, record, field, or characters)? Y N NA

c. By specific permission (i.e. read only, write only,
update, etc.)? Y N NA

5. If the multi-user system processes sensitive
unclassified, does the system provide access control
for transactions by type of application and
at the file level, record level or element level? Y N NA

6. Do authorized users specify and control sharing
of files and programs with individuals, authorized
groups, or both? Y N NA

7. Does the system provide controls to limit
propagation of access rights? Y N NA

8. Is the security mechanism capable of excluding or
including access to files and programs to the level of
a single user? Y N NA

9. Does the system provide a domain for its own
execution that protects it from external interference or
tampering (e.g. by modification of its code or data structure)? Y N NA

10. (C2) Are the resources controlled by the system isolated
so that they are subject to access control and auditing? Y N NA

11. Do you use automated audit trails to monitor:

a. (C2) Unauthorized attempts to log onto the system? Y N NA

b. (C2) Unauthorized attempts to access protected files
or data? Y N NA

c. Password changes or locking of user ID due to
password expiration? Y N NA

d. (C2) Terminal ID, user ID, time and date, records
accessed? Y N NA

e. (C2) Deletion of objects (files and programs),
including the object name? Y N NA

f. Actions taken by computer operators, system
administrators, and/or system security officers? Y N NA

g. (C2) Is the NSM able to selectively audit the
actions of any one or more users based on individual identity? Y N NA

h. Dial-in attempts? Y N NA

12. Is the number of people who have access to audit trail
information kept to a minimum? Y N NA

13. (C2) Are audit trail routines ever turned off?
By whom? By whose authority? Why? Y N NA

14. (C2) Are audit files protected to ensure only
authorized access by the CSSO or NSO? Y N NA

15. Are on-line diagnostics used? Y N NA

Are they tracked in the audit trail records? Y N NA

16. Are audit trails reviewed by the CSSO/NSO daily to
determine unusual patterns, anomalies, or exceptions? Y N NA

17. (C2) Are initial passwords generated and distributed from a
single, automated source that regularly issues new passwords? Y N NA

18. (C2) Are passwords in compliance with INTEK-SSI 5013,
Identification and Authentication? Y N NA

a. Are passwords at least eight characters in length? Y N NA

b. Is the individual's personal password and user ID
deleted by the end of the individual's last duty day? Y N NA

c. Are passwords changed immediately upon discovery of a
possible compromise or mishandling of the password? Y N NA

d. Are automated passwords changed at least
semiannually? Y N NA

e. Does the system lock out a user ID, terminal, or
both after a maximum of three unsuccessful attempts
to enter a password? Y N NA

f. Are users able to request a password change on-line? Y N NA
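The audit and lockout items above (Network Security 4 to 6, Software Security 11, 16 and 18e) describe what a daily audit-trail review has to look for. The following is an added example of such a review, not a tool from the INTEK network or from this checklist. The record format, terminal and user IDs and the events are constructed for the example; a real system's audit records will differ. It assumes that failed logins are counted per user ID and reset only by a successful login, and it does not model reinstatement of a locked user by the NSO.

```python
"""Daily audit-trail review with a three-strike lockout check.

Added example; not a tool from the INTEK network or this checklist. The
record format below is constructed for the example. Assumptions: failures
are counted per user ID and reset only by a successful login; reinstatement
of a locked user by the NSO is not modelled.
"""
from collections import defaultdict
from datetime import datetime

MAX_FAILURES = 3  # lock out after three bad attempts (Network 5, Software 18e)

# Constructed sample records for one duty day. Each carries terminal ID,
# user ID, date/time and (where relevant) the object, per Software item 11d.
SAMPLE_LOG = """\
2002-11-04T07:58:10 term=T01 user=jsmith event=LOGIN_OK
2002-11-04T08:02:41 term=T07 user=rjones event=LOGIN_FAIL
2002-11-04T08:02:55 term=T07 user=rjones event=LOGIN_FAIL
2002-11-04T08:03:12 term=T07 user=rjones event=LOGIN_FAIL
2002-11-04T08:03:30 term=T07 user=rjones event=LOGIN_OK
2002-11-04T08:15:00 term=T01 user=jsmith event=FILE_DENIED obj=/data/payroll.dat
2002-11-04T09:40:22 term=DIAL3 user=guest event=LOGIN_FAIL
2002-11-04T10:05:00 term=T01 user=jsmith event=OBJ_DELETE obj=/data/old_report.txt
2002-11-04T11:30:00 term=CON0 user=sysop event=AUDIT_OFF
2002-11-04T11:45:00 term=CON0 user=sysop event=AUDIT_ON
"""


def parse_record(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    stamp, *fields = line.split()
    rec = {"time": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text, max_failures=MAX_FAILURES):
    """Walk the day's records; return (lockouts, findings).

    lockouts: user ID -> time of the failure that hit the threshold
    findings: (severity, message) pairs for the CSSO/NSO to examine
    """
    failures = defaultdict(int)
    lockouts = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        user, event, term = rec["user"], rec["event"], rec["term"]
        when = rec["time"].strftime("%Y-%m-%d %H:%M:%S")
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] == max_failures:
                lockouts[user] = rec["time"]
                findings.append(("MEDIUM", f"{when} {user} hit {max_failures} failed logins on {term}; locked until NSO reinstates"))
            elif failures[user] > max_failures:
                findings.append(("HIGH", f"{when} {user} still attempting login on {term} after lockout threshold"))
            if term.startswith("DIAL"):  # dial-in attempts get their own line (item 11h)
                findings.append(("LOW", f"{when} dial-in login failure for {user} on {term}"))
        elif event == "LOGIN_OK":
            if user in lockouts:
                findings.append(("HIGH", f"{when} {user} logged in on {term} after reaching the lockout threshold: lockout is not being enforced"))
            failures[user] = 0
        elif event == "FILE_DENIED":
            findings.append(("MEDIUM", f"{when} {user} denied access to {rec.get('obj')} from {term}"))
        elif event == "OBJ_DELETE":
            findings.append(("INFO", f"{when} {user} deleted {rec.get('obj')} from {term}"))
        elif event == "AUDIT_OFF":
            findings.append(("HIGH", f"{when} audit trail turned off by {user} on {term}; confirm who authorised it and why (item 13)"))
    return lockouts, findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for the daily report."""
    counts = defaultdict(int)
    for severity, _ in findings:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    locked, found = review(SAMPLE_LOG)
    print("locked user IDs:", sorted(locked))
    for severity, message in found:
        print(f"[{severity}] {message}")
    print(count_by_severity(found))
```

Two of the constructed records are there on purpose: the successful login by rjones immediately after the third failure shows the review catching a system that records failures but does not actually enforce the lockout (item 18e), and the AUDIT_OFF record is the event item 13 asks the reviewer to run down. A review that only counts failed logins would miss both.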

19. Does the host system detect periods of inactivity and
automatically log out the user after thirty minutes or less? Y N NA

20. Is an auto log-out time of thirty minutes being
enforced on the system? Y N NA

21. Do the CSSO and NSO receive system configuration
change notices or are they members of the CCB? Y N NA

22. (C2) Has the ST & E included a search for obvious
flaws that would permit unauthorized access to the audit
or authentication data? Y N NA

23. Is the first display a user sees a warning message indicating
this system is for official government use only and is subject to
monitoring? Y N NA

24. Do network protocols that perform code or format
conversion preserve the integrity of data and control information? Y N NA

25. Does the network perform integrity checks to ensure information
is accurately transmitted from source to destination regardless of the
number of intermediate points? Y N NA

26. Does network software provide non-repudiation, i.e. the
ability to prove that a data unit was actually sent and received? Y N NA

27. Is network software able to counter actions by persons
and processes not authorized to alter data? Y N NA
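Items 25 to 27 ask for end-to-end integrity and non-repudiation of data units crossing the network. The following is an added example, not software from the INTEK network: it protects each data unit with a sequence number and an HMAC-SHA256 tag so that a receiver detects alteration by any intermediate node (items 25 and 27) and also detects a replayed or reordered unit. The shared key, sequence numbers and message bytes are constructed for the example. Note the caveat for item 26: a shared-key MAC does not give non-repudiation, because either party holding the key could have produced the tag; proving to a third party who sent a unit requires a digital signature made with a private key only the sender holds, which this example does not do.

```python
"""End-to-end integrity of a network data unit with a keyed MAC.

Added example, not software from the INTEK network. Demonstrates Software
Security items 25 and 27 (alteration by an intermediate node is detected)
and the item 26 caveat: a shared-key MAC does NOT provide non-repudiation.
The key, sequence numbers and message bytes are constructed for the example.
"""
import hashlib
import hmac
import struct

# Constructed shared key; on a real network it comes from key management.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAG_LEN = 32  # HMAC-SHA256 digest size


def seal(key, seq, payload):
    """Build a data unit: 4-byte sequence number || payload || HMAC-SHA256 tag.

    The sequence number is covered by the tag, so a replayed or reordered
    unit fails the check just as a modified one does.
    """
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_unit(key, unit, expected_seq):
    """Verify a received unit; return its payload or raise ValueError."""
    if len(unit) < 4 + TAG_LEN:
        raise ValueError("unit too short")
    header, body, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: unit was altered in transit")
    (seq,) = struct.unpack("!I", header)
    if seq != expected_seq:
        raise ValueError(f"sequence {seq} != expected {expected_seq}: replay or reordering")
    return body


def relay_tampering(unit):
    """Model an unauthorized intermediate node flipping one payload bit."""
    altered = bytearray(unit)
    altered[4] ^= 0x01  # first payload byte, just past the 4-byte header
    return bytes(altered)


def demo():
    """Send one unit through a clean relay, a tampering relay, and a replay."""
    msg = b"TRANSFER 100.00 TO ACCT 4471"  # constructed payload
    unit = seal(SHARED_KEY, 1, msg)
    results = {"clean": open_unit(SHARED_KEY, unit, 1) == msg}
    try:
        open_unit(SHARED_KEY, relay_tampering(unit), 1)
        results["tampered_detected"] = False
    except ValueError:
        results["tampered_detected"] = True
    try:
        open_unit(SHARED_KEY, unit, 2)  # same unit presented again, out of sequence
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Because the tag is computed by the originator and checked only by the final recipient, the number of intermediate points between them makes no difference to the check, which is the property item 25 asks about; a hop-by-hop checksum such as a link-layer CRC does not give this, since a node that rewrites a unit simply recomputes the CRC.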

Hardware Security

1. Does the network have hardware architectural controls
or features which identify errors in critical functions? Y N NA

a. Memory access controls for those programs which do
not have permission to use certain instructions or memory
locations? Y N NA

b. Parity and boundary checks and register comparisons? Y N NA

c. Hardware and/or software features provided that can
be periodically used to validate the correct operation of the
system? Y N NA

2. Is the system adequately protected from power surges,
brown-outs or total failure? Y N NA

Is this protection provided by:

a. Surge protectors Y N NA

b. Uninterruptible power supply (UPS) Y N NA

c. Motor generator Y N NA

d. Backup generator Y N NA

3. Is there backup power available for:

a. Air Conditioning Y N NA

b. Entry control mechanisms Y N NA

c. Lighting Y N NA

d. Alarm systems Y N NA

4. Does the computer room use an approved fire
suppression system? What type _______________________ Y N NA

5. Does this geographic area have a history of:

a. Floods Y N NA

b. Earthquakes Y N NA

c. Hurricanes Y N NA

d. Tornadoes Y N NA

6. Are fire resistant/non combustible materials used for:

a. Buildings Y N NA

b. Partitions, walls, doors Y N NA

c. Furnishings Y N NA

d. Flooring Y N NA

7. Are systems located below the water grade provided
protection from flooding? Y N NA

8. Do overhead steam or water pipes exist? Y N NA

9. Does adequate drainage exist:

a. Under raised floor? Y N NA

b. On floor above? Y N NA

c. For adjacent areas? Y N NA

10. If dial-in diagnostics and maintenance are used, were
they evaluated for any impact to security mechanisms and
approved by the DAA? Y N NA

11. If dial-in diagnostics are used, are they disconnected
when not in use? Y N NA

12. Are Network Interface Units (NIU) trusted products? Y N NA

13. Is there hardware backup capability or facility to counter
equipment failures? Y N NA

Procedural Security

1. Has the Computer System Manager (CSM) ensured that
security procedures, in the form of a security plan or
Operating Instruction (OI), have been established for the
central system as well as remote sites/terminals? Y N NA

2. Do the procedures address each of the following areas:

a. Responsibilities of CSSO, NM, NSO, system operators
and users? Y N NA

b. Access controls (i.e. use and protection of passwords,
file access)? Y N NA

c. Physical security? Y N NA

d. Reporting security incidents? Y N NA

e. Reporting technical vulnerabilities? Y N NA

f. Maintaining systems and configuration control? Y N NA

g. Disposal of computer products and media? Y N NA

h. Prohibiting smoking, eating, or drinking in the
vicinity of the system and/or terminals? Y N NA

i. Virus checking software on PCs? Y N NA

j. Authorized software. Is this verified at least annually? Y N NA

3. Have these procedures been thoroughly tested to ensure
that they are easy to understand and they accomplish the
intended results? Y N NA

4. Have all operators and users read and certified that
they understand the established security procedures? Y N NA

5. Are new security policies/procedures briefed immediately
upon their implementation? Y N NA

6. Does Network Security Policy define authorized connections
across the network? Y N NA

7. Are Security Procedures enforced? Y N NA

C2 Certification Requirements

1. (C2) Does each Workstation/PC on the LAN have an operating
system/software subsystem installed that is listed in the
NSA Evaluated Products List? The selected operating system/
subsystem would provide the required Discretionary Access
Control, Object Reuse, Identification and Authentication, Audit
and System Architecture security functionality of a C2 system. Y N NA

2. (C2) Are network procedures established to periodically
test the proper functioning of the network through the
transmission of prearranged "test messages?" This would
provide the required C2 System Integrity. Y N NA

3. (C2) Has an ST&E, in conjunction with this risk analysis
for the network, been performed IAW INTEK-SSI 5025 after the
security subsystem(s) has been installed? This would
satisfy the required C2 Security Testing requirement. Y N NA

4. (C2) Have the users been provided with and trained in use
of Security Operating Procedures while operating the PC LAN? Y N NA

5. (C2) Has a Security Features Users Guide been developed
and in use by a network administrator(s)? Y N NA

 

SIGN_______________________________________DATE_______________________

NAME__________________________________Organization________________

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: NOV 2002