Information Type: Company-Wide Sample Format

INTEK-MC - Strawman Security, Test, and Evaluation

1.  Hardware Utilization
2.  Thin Clients and Remote Terminals
3.  Access Control - Network
4.  ADP Products
5.  Magnetic Media
6.  Cleaning and Disposal
7.  Application Programs
8.  Communications Security
9.  Physical-Personnel Information Access Control
10.  People - Organization
11.  Configuration Management
12.  Network Security

Method

A - ANALYSIS
I - INSPECTION
T - TEST
D - DEMO

Hardware Utilization

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 1. | Are operations monitored for compliance with schedule for: | | | |
| a. | Classified periods processing? | | Y / N / NA | I |
| b. | Preventive and remedial maintenance? | | Y / N / NA | I |
| c. | Block time requests? | | Y / N / NA | I |
| d. | Normal processing, if scheduling is used? | | Y / N / NA | I |
| e. | Taking saves/dumps of the system for backup/recovery purposes? | 8-2.b.(3) | Y / N / NA | I |
| 2. | Are all periods of downtime verified? | 8-2.b. (derived) | Y / N / NA | I |
| 3. | Is a Standard Operating Procedure (SOP) manual used for configuring the system/network hardware for secure operations? | A11-10 | Y / N / NA | I |
| a. | Are switch settings specified for each hardware department connected on the system/network? | | Y / N / NA | A |
| b. | Are remote terminal connections ever disturbed while they are processing on-line? | | Y / N / NA | A |
| c. | Does system verify terminal ID when line break occurs or on demand? | | Y / N / NA | A |

Remote Terminals, Thin Clients

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 4. | Is unique individual password protection employed for gaining remote access to the computer system? | 8-2.a, 8-2.d | Y / N / NA | I, D, T |
| a. | If so, are they changed at least annually or quarterly (depending on the criticality factor), or when compromise is suspected? | 8-2.d.(7)(d-e) | Y / N / NA | I |
| 5. | Are terminal users restricted to high level languages (i.e., not allowed to use machine or assembly languages)? | 8-3.e | Y / N / NA | A, T |
| 6. | Are remote terminals protected and available only to authorized individuals? | 6-4.b | Y / N / NA | I, D |
| 7. | Is the location of terminals within the facility such that each user's need-to-know is assured? | A11-5.b.; A14-4.b. | Y / N / NA | I |
| 8. | If terminals produce a hard copy of the login sequence, are users required to dispose of that portion of their terminal output in a secure receptacle? | 6-4.g.; 6-4.H. | Y / N / NA | I |
| 9. | Are remote terminals lockable? | A11.5.b | Y / N / NA | I |
| a. | Are the keys tightly controlled? | 13-5.g | Y / N / NA | I |
| b. | Are the locks changed when the keys are lost or stolen? | | Y / N / NA | I |
| 10. | During duty hours, are remote terminals and their areas protected at the highest sensitivity and criticality level of data that the central system is processing or storing on-line during any period in which the remote terminal is connected? | 9-3.a; A11-5.b.; A14-5.b. | Y / N / NA | I |
| 11. | Are all remote terminals and areas secured during non-use hours, at the remote data processing facility (RDPF) when sensitive information is processed at the central CDPF? | 6-4.g; A11-5.b. | Y / N / NA | I |
| 12. | Are all prescribed COMPUTER SECURITY measures for remote terminals and areas implemented prior to connecting to the computer system? | 13-3.a; 13-12 | Y / N / NA | I, D, T |
| 13. | Is the physical security for remote terminal processing areas commensurate with the highest level of sensitive or critical information to be processed by the system? | 9-3.a.; A14-4.b. | Y / N / NA | I |
| 14. | Do all remote terminals have a Terminal Area Security Officer (TASO) or alternate on duty or on call when the remote site is on-line to the RDPS? | A14.5.b. | Y / N / NA | I |
| 15. | Have all dial-up communications lines been approved? | 2-6.c(2); 7-3.n(9) | Y / N / NA | I |
| 16. | Can operating system development activities be performed through remote terminals? | | Y / N / NA | I, T |

Access Control - Network

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 17. | Is access to programs and software systems restricted to a need-to-know basis by file passwords and file permissions? | 8-2.c(1) | Y / N / NA | I, D, T |
| a. | Does this restriction apply to copies kept in off-site storage? | 8-2.d.(23) | Y / N / NA | |
| 18. | Are data bases, files or data sets subjected to data integrity and/or segregation requirements, so that individual access is controllable? | 6-4.d.; 8-2.c.(5) | Y / N / NA | I |
| 19. | Is access to keyword, lockword, or password files severely restricted and encrypted, where applicable? | 8-2.d.(10) | Y / N / NA | I, T |
| 20. | Are security override procedures protected at the same category of sensitivity or classification level as the data that can be accessed by their users? | | Y / N / NA | I, D |
| a. | Is the use of security overrides strictly controlled and closely monitored? | | Y / N / NA | I, D |
| 21. | Are users required to logoff/disconnect their terminal from the system when leaving the immediate vicinity of the terminal? | 9-3.e. (derived) | Y / N / NA | I |
| 22. | Are terminal passwords or similar access controls unique for each individual? | 8-2.d.(5)(a) | Y / N / NA | I |
| a. | Are passwords or similar controls configured so that their contents are difficult to determine (i.e., not valid words from the dictionary)? | 8-2.d.(3) | Y / N / NA | I |
| 23. | Are passwords or similar access controls changed or deleted for an individual user when: | | | |
| a. | Their access is withdrawn for any reason? | 8-2.d.(7)(b)/(c) | Y / N / NA | I |
| b. | There has been a compromise or a suspected compromise of the password or access control? | 8-2.d.(7)(a) | Y / N / NA | I |
| c. | 90 days have elapsed since the last LOG-IN? | 8-2.d.(7)(c) | Y / N / NA | I |
| 24. | Whenever more than one site is involved in a network, are other sites notified when one of the conditions in 23a., b., c. occurs? | 9-2.a.(1) (derived) | Y / N / NA | I |
| 25. | Have persons using access controls been instructed on the regulations pertaining to their responsibilities for the security of ADP information? | 16-2 | Y / N / NA | I |
| 26. | Have users signed for their initial user-id/password? | 8-2.d.(4) | Y / N / NA | I |
| 27. | Are file OPRs required to use specific permission to access their files or catalogs? | 8-2.c.(1)(2); A14-2.b. | Y / N / NA | I, T |
| 28. | Are any general (universal) permissions prohibited on files or catalogs containing classified, sensitive, or critical data? | 8-2.c.(1) (derived); A14-2.b. | Y / N / NA | I, T |
| 29. | Is a local system access revalidation performed at least annually, to include the central site and all remote terminal facilities? | 8-2d(7)(b); INTEK-MC Sup 1 | Y / N / NA | I |
| 30. | Where applicable, is a network access revalidation performed at least annually? | | Y / N / NA | I |
| 31. | For sensitive or classified systems, are passwords or similar access controls protected at the same sensitivity/criticality category or classification level as the data accessed by the password or control? | 8-2.a.(1); 8-2.d.(8); A14-2.c. | Y / N / NA | I, D, T |
| 32. | Do local procedures require that system access and activity be monitored (audit trail)? | 6-4.a.; 8-2.d.(13) | Y / N / NA | I, D, T |
| a. | Do three failed access attempts lock out the user-id and/or the terminal? These attempts include successive attempts even though they are interrupted by the user logging off the system or powering off the terminal. | 8-2.d.(9) | Y / N / NA | I, D, T |
| b. | Are terminals unlocked and/or user-id reset by CSSO after proper explanation and authentication? | | Y / N / NA | I, T |
| 33. | Are there procedures for daily audit log review? | 8-2.d.(15) | Y / N / NA | I |
| 34. | Can passwords be seen during log-in? | 8-2.d.(11) | Y / N / NA | I, T |
| 35. | Are internal security controls used to control access within the ADPS? | 8-2 | Y / N / NA | I, T |
| a. | Is every file, data set, or data base protected by an explicitly defined set of access controls? | 6-4.d | Y / N / NA | I |
| b. | Are access controls used to limit what users can do to files? | 8-2.c.(1) | Y / N / NA | I |
| 36. | Is the operating system software protected and controlled against unauthorized modification? | 8-2.d.(28) | Y / N / NA | I |
| 37. | Does the system contain an automated audit log capability to trace the activities of each user? | 8-2.d.(13) | Y / N / NA | I, T |
| a. | For each event traced (including system access, jobs processed, use of privileged instructions, and job aborts), does the audit trail contain user ID, terminal ID, object of violation attempt, and date and time of event? | 8-2.d.(14) | Y / N / NA | I, T |
| b. | Does CSO review log daily? | 8-2.d.(15) | Y / N / NA | I |
| c. | For each authorized, unsuccessful, or unauthorized attempt to access a file, does the audit trail also include the file's name and the type of permission asked for? | 8-2.b | Y / N / NA | I, T |

ADP Products

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 38. | Are users permitted to submit jobs for anyone other than themselves? | A14-2 (derived) | Y / N / NA | I |
| 39. | Are USERID access cards, or similar media containing access control data, clearly marked for easy identification, removal and protection? | A14-3.b.(3) (derived) | Y / N / NA | I |
| 40. | Is each job submitted and controlled as a separate department? | A14-2 (derived) | Y / N / NA | I |
| 41. | Is all job output returned to the properly identified owner? | A14-3 (derived) | Y / N / NA | I |
| 42. | Is all output properly marked with the appropriate sensitivity/criticality or classification caveats (i.e., privacy act, etc.)? | A11-4; A14-3 | Y / N / NA | I, T |
| 43. | Is access authorization verified prior to permitting processing to begin? | 8-2.c.(1) | Y / N / NA | I |
| 44. | Do policies make the user responsible for reporting all security discrepancies or incidents to the CFM, CSO, CIO, CFO, CEO or their designated representative? | 2-8-11; A11-8; A14-7 | Y / N / NA | I, A |
| 45. | Do procedures require that input received from unusual or unexpected sources or extraordinarily large (or small) inputs be questioned? | A11-8 | Y / N / NA | I |
| 46. | Is an input/output control activity used? | A14-5.a (derived) | Y / N / NA | I |
| 47. | When privileged instructions (supervisory, master mode, or control state instructions) are used: | | Y / N / NA | I |
| a. | Does the system control their use? | | Y / N / NA | I, T |
| b. | Is an operator "go ahead" required before the instructions can be used? | | Y / N / NA | I |
| 48. | Are the front and back of all printer listings marked with the highest classification level of information being processed on the ADPS? | A14-3.a. | Y / N / NA | I |
| 49. | Are video display terminals (VDTs) marked with the classification of the system they are attached to? | A14-3.b.(6) | Y / N / NA | I |

Magnetic Media

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 50. | Is there a procedure for accounting for all: | | | |
| a. | Fixed mass storage media (disk, core, system files)? | 7-3.1, 10-6 | Y / N / NA | I, A |
| b. | Removable mass storage media (disk, tape)? | 7-3.m, 10-6 | Y / N / NA | I, A |
| 51. | Are all media used for restoration of the operating system (i.e., bootstrapping, warm booting, cold booting, etc.) and the audit trail protected against unauthorized alterations? | 8-2.b; 8-7.b.(2); A14-3c.(2) | Y / N / NA | I |
| 52. | Are all storage media (tapes/disks, etc.) stored properly? | A12-2.f.(1)/(2) | Y / N / NA | I |
| 53. | Are Privacy Act and other sensitive-unclassified tapes and disks degaussed or cleared when no longer required by the user? | A10-1.b. | Y / N / NA | I, T |
| 54. | Are all types of tapes and disks labeled internally by the system software? | A11-4.c; A14-3.c.(2) | Y / N / NA | I, A, D |
| 55. | Are all types of tapes and disks and containers labeled externally? | A11-4.b. | Y / N / NA | I |
| 56. | Are all removable magnetic media controlled at the highest classification level or sensitivity/criticality category of the information they contained? | A10-1.c | Y / N / NA | I |

Clearing and Declassification

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 57. | Is each memory location, working storage or temporary file space used for storage of classified data overwritten when it is no longer required before reuse by the system, or before the contents of a location may be accessed by subsequent processes? | 6-3; A10-2.e | Y / N / NA | I, A, D |
| 58. | Are the necessary programs, equipment, and procedures available and adequate for the clearing of Automatic Data Processing Equipment (ADPE)? | A10-2. | Y / N / NA | I, A, D |
| 59. | Does user's magnetic tape erase equipment (degausser) meet the National Security Agency (NSA) specifications detailed in DoD manual 5200.28-M, Section VIII, Paragraph 8-301, and is it one of the NSA approved models listed? | A10-3.b. (1-2) | Y / N / NA | I |
| 60. | When no longer needed or useful, do users ensure that all removable magnetic media used to store sensitive unclassified information is cleared, declassified, or destroyed? | A10-1.b. | Y / N / NA | I |
| 61. | Are output products reviewed and downgraded before they are distributed to personnel who do not have the clearance and need-to-know for the highest level of data in the computer? | A14-3.b.(1) | Y / N / NA | I |

Application Programs

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 62. | Are programming changes and maintenance well controlled and documented? | 8-3.d. | Y / N / NA | I |
| 63. | Are procedures established to evaluate, test, and validate an application prior to placing it, or any changes to it, into operational or production status? | 8-3.d | Y / N / NA | I |
| 64. | Is CSO approval required for site-unique patches that might impact the security of the system? | 8-3.h.(1) | Y / N / NA | I |

Communications Security (COMSEC)

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 65. | Do all communications links meet the requirements for the transmission of the highest sensitivity/criticality category or classification level of data? | | Y / N / NA | I |
| 66. | Is there a positive approved disconnect procedure for all communication ports? | A11-5.b. | Y / N / NA | I, T |
| 67. | Are scramblers or other encryption techniques utilized on communication lines for the protection of classified information? | 10-2.c. | Y / N / NA | I |
| a. | For sensitive/unclassified information? | 10-2.c.(3) | Y / N / NA | I |

Physical-Personnel Information Access Control

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 68. | Is access to the computer facility restricted to selected personnel who have a justifiable need to be there? | A11-6.a | Y / N / NA | I |
| 69. | Are all computer management, operations, input/output control, and system programming personnel cleared for the highest level and most restrictive category of information in the system? | A14-5. | Y / N / NA | I |
| 70. | Are all unescorted maintenance personnel cleared for the highest category of sensitive/critical information? | 7-3.n.(6); 7-3.n.(7) | Y / N / NA | I |
| 71. | Are escorts provided for maintenance personnel who are not appropriately cleared? | 7-3.n.(6) | Y / N / NA | I |
| 72. | Do all personnel who develop programs have clearance and need-to-know for all data stored or processed on the system, including military, civilian and contractor? | 6-2 | Y / N / NA | I |
| 73. | Do user personnel have clearance and need-to-know for all the data that they can access under the security controls of the computer? | 6-2 | Y / N / NA | T |
| a. | Does each user have access to all the information he or she is authorized to access, but no more? | 6-2.b. (derived) | Y / N / NA | I, D, T |
| 74. | Do user personnel have a clearance for the highest level of data stored or processed in the system while their jobs are active? | 6-2.b. | Y / N / NA | I |

People - Organization

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 75. | Have individuals been designated to be responsible for computer security? | 2-9.b., 2-13., 2-10, 2-19f | Y / N / NA | I |
| 76. | Are local policies and procedures for ADP security: | | | |
| a. | Available to the operating company? | | Y / N / NA | I |
| b. | Being followed? | A11-10. | Y / N / NA | I |
| 77. | Are individuals in positions to commit errors or perpetrate irregularities not in a position which would enable them to conceal the errors or irregularities? | A15-12.c. | Y / N / NA | I |
| 78. | Is there an active Education, Training and Awareness Program? | 16-2. | Y / N / NA | I |
| 79. | Are the department heads and file OPRs apprised of any risks to the classified or sensitive data stored or processed in the system? | 4-2a(4) | Y / N / NA | I |
| 80. | Can systems programmers be trusted NOT to circumvent normal access procedures by use of special coding, thus violating the integrity of the system? Is CSO written permission obtained to use utilities/compilers, etc. that bypass security checks and controls? | A15-12.c (4)(a) | Y / N / NA | I |
| a. | Are controls in place to determine if security controls are being circumvented? | 8-3h(1) | Y / N / NA | I, T, D |

Configuration Management

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 81. | Is the security hardware and software configuration recorded for: | | | |
| a. | Routine or normal operations? | | Y / N / NA | I |
| b. | "Other" operations? | | Y / N / NA | I |
| 82. | Is approval required for hardware and software configuration changes? | 8-3.d. | Y / N / NA | I |

Network Security

| No. | Question | Reference | Response | Method |
|---|---|---|---|---|
| 83. | Has the network manager (NM) been designated? | 2-14 | Y / N / NA | I |
| 84. | Has the NM: | | Y / N / NA | I |
| a. | Established network security policy and procedures? | 2-14.a. | Y / N / NA | I |
| b. | Obtained CEO/CSO approval to process? | 2-14.a. | Y / N / NA | I |
| 85. | Has the NM appointed a Network Security Manager, in writing? | 2-14.b. | Y / N / NA | I |
| 86. | Has the NM approved security procedures? | 2-14.c. | Y / N / NA | I |
| 87. | Has the NM approved security procedures for remote terminals and workstations? | | Y / N / NA | I |
| 88. | Did the NM approve the initial connection and continued operation of remote terminals and workstations? | 2-14.c. | Y / N / NA | I |
| 89. | Did the NM conduct a network risk analysis? | 2-14.d. | Y / N / NA | I |
| 90. | Did the NM identify and document all assumptions and constraints? | 2-14.d. | Y / N / NA | I |
| 91. | Did the NM provide written certification to the CEO/CSO that the network can satisfy specs. for the highest sensitivity and criticality that the network processes? | 2-14.e. | Y / N / NA | I |
| 92. | Does the NM recertify the adequacy of network security at least every three years or upon significant modification? | 2-14.f. | Y / N / NA | I |
| 93. | Are all network users given security training before they are given access to the network? | 2-14.g. | Y / N / NA | I |
| 94. | Is all network security training documented? | 2-14.g. | Y / N / NA | I |
| 95. | Does the NM maintain a current Network Security Plan (NSP)? | 2-14.h. | Y / N / NA | I |
| 96. | Is the NSM on duty or on call whenever the network processes classified data? | 2-15. | Y / N / NA | I |
| 97. | Is the Network Security Officer (NSO) appointed in writing for all remote areas NOT under the NSM's management control? | 2-15.a. | Y / N / NA | I |
| 98. | Does the NSM monitor activities on the network and ensure compliance with security procedures? | 2-15.b. | Y / N / NA | I, T |
| 99. | Does the NSM monitor activities on the network and if necessary deny access to the network? | 2-15.c. | Y / N / NA | I |

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: NOV 2002
