Interpol, 19 May 2001

Company Checklist

This Information Technology (IT) crime prevention checklist focuses on a range of IT security topics to be considered in the field of threats, with criminal intent, to Information Technology. The checklist is just a reminder of what to consider and not an instruction on how to introduce certain security measures. Some of the topics may need assistance from experts in that field to be understood and implemented.

If this checklist is copied and distributed outside law enforcement, please fill in the name of the contact person within the police.

Police contact person: ____________________

1. Management responsibilities
2. Organisation
3. Personnel (Employees)
4. Personnel (Other)
5. Information classification
6. Software
7. Hardware
8. Documentation
9. Computer media
10. Identification and Authorisation
11. System Security
12. Communication
13. Logging
14. Back-up
15. Physical Protection
16. Incident handling
17. Contingency planning

1. Management responsibilities [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Information Security Policy? Does it exist and has it been written and approved by management? | No Policy = No resources. | |
| 2 | Is there a process for scrutinising the policy? | It is a living document and must be updated. | |
| 3 | Is there an initiative from management to do a risk analysis? | What are the threats and the risk that they will be activated? | |
| 4 | Is there a management initiative to create a security plan? | To define how the targets and the intention in the policy document should be realised. | |
| 5 | Is there a management initiative to create a security architecture? | The security architecture is a high-level description of technical security functions and organisational needs to fulfil the security demands. | |
| 6 | Is there any management policy for external communication like the Internet? | Internet connections tend to grow uncontrolled. | |
| 7 | Do all management staff know the contents and intentions of the policy? | | |
| 8 | Is the organisation for Information Security work defined in the policy document? | | |
| 9 | Is there any Information Security training plan? | | |
| 10 | Are Information Security topics a part of the introduction plan for new members of the staff? | | |

2. Organisation [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there an Information Security officer? | Someone must have the responsibility to put the management policy into practice. | |
| 2 | Does an Information Security Handbook exist? Has it been approved by the management? | | |
| 3 | Is there an organisation and plan to train the staff regularly in security matters? | Information Security training is not a once-and-for-all training. | |
| 4 | Is there an organisation for the 'Identification and Authorisation' system? | | |
| 5 | Is there an organisation for contingency planning and handling? | | |
| 6 | Is there an organisation plan for handling incidents? | The organisation must be prepared for incidents. | |
| 7 | Is the responsibility and authority defined in the organisation plan, or in a job description document? | | |
| 8 | Does an organisation plan exist to explain the different staff categories in the IT process? E.g. IT Security Manager, Developers, Operators, Users etc. | Different categories need different training and handbooks in Information Security matters. | |

3. Personnel (Employees) [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | All: | | |
| 1 | Are new members checked before employment? | Must be done before. After it might be too late. References, education, security clearance etc. | |
| 2 | Are new staff informed of secrecy regulations? | | |
| 3 | Do they sign a secrecy certificate? | | |
| 4 | Are 'key-persons' identified? | Backup available for those? | |
| 5 | Does the staff get appropriate security training on a regular basis? | Information Security training is not a once-and-for-all training. | |
| 6 | Are all staff informed on the consequences of breaking the security regulations? | Security violation. | |
| 7 | Are there any routines for employees who leave? | There are many things to clean up in IT systems to remove their authorities. | |
| | Systems Administration Personnel: | | |
| 8 | Are they informed on specific security regulations for Developers, Network Administrators etc.? | A 'root' privilege does not imply they have authority to access all data/information. | |
| | Users: | | |
| 9 | Are there very short, written security instructions for users? | Maximum 1 page. | |

4. Personnel (Other) [Top]
----------------------------------------------------------------

Consultants, service engineers, other service staff (guard, caretaker, cleaning service etc.)

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there written contracts/agreements with Third Party companies? | | |
| 2 | Are those personnel categories informed about security routines? | They should sign a document to acknowledge that they understand the rules. | |
| 3 | Are those personnel categories 'security checked'? | Security clearance. | |
| 4 | Are the companies they work for (their employer) 'security checked'? | | |
| 5 | Are 'key-persons' identified? | Backup available for those? | |
| 6 | Are those personnel categories informed of the consequences of breaking the security regulations? | | |
| 7 | Are there any routines for end of assignments? | There are many things to clean up in IT systems to remove their authorities. | |

5. Information classification [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there a system for information classification according to the appropriate level of availability? (E.g. open, confidential, secret.) | To make it possible to apply the most effective security measures. | |
| 2 | Does the classification system require encryption for any class or type of information? | | |
| 3 | Is there a classification checklist to make it easy for the user to determine information class? | | |
6. Software [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any instructions for bringing outside software/data into the organisation? | | |
| 2 | Are policy documents and security guidelines considered during developing systems? | Security features must be implemented from the beginning. | |
| 3 | Are security requirements included in the demand specification when buying or developing systems? | The requirements must be included from the beginning. | |
| 4 | Are system tests and development separated from production systems? | Avoid compilers and editors in production systems. | |
| 5 | Are security-related patches from developers and/or vendors implemented as soon as possible? | Routines for this must exist. | |
| 6 | Is a security validation approval done before introducing new software? | New software might create new holes in the system. Individual users should not be allowed to introduce new software. | |
| 7 | Is there a routine for installing a new operating system? | This is the most critical software and all configuration parameters must be checked before rebooting. | |
| 8 | Is it a classified operating system? | According to ITSEC, TCSEC, Common Criteria. | |
| 9 | Are security options in the operating system activated? | | |
| 10 | Are there any routines to change all security-related default parameters in the operating system? | | |
| 11 | Is it the same type of routine for application software? | To change defaults and to set security parameters. | |
| 12 | Are additional (e.g. hacks) and self-developed software well documented? | | |
| 13 | Are there any routines to request all patches that are needed to preserve the security? | To prevent hacking possibilities. | |
| 14 | Are 'system-tools' protected? | Software to administer and service the system. | |
| 15 | Is the use of 'system-tools' restricted to just a few persons? | | |
| 16 | Is all use of 'system-tools' logged? | | |
| 17 | Is anti-virus software installed and activated? | | |
| 18 | Do the users know how to handle viruses? | | |
| 19 | Are there any extended controls of software downloaded from a WAN such as the Internet? | | |
| 20 | Are the users informed about software licences, as to what extent they are allowed to copy them and use them in other equipment? Are they allowed to use them for private use at home etc.? | | |
| 21 | Is loading of new software regulated? | | |
| 22 | Is critical software backed up and stored in another safe place? | | |
| 23 | Is critical software protected by checksums? | | |
| 24 | Is all software from well-known sources? | Special notice on encryption software. | |

7. Hardware [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any instructions for bringing equipment outside the organisation? | | |
| 2 | Are there instructions on how to discard equipment? | | |
| 3 | Is it made clear that the equipment is for business use only and not for private use by the user? | | |
| 4 | Are policy documents and security guidelines considered during introduction of new equipment? | | |
| 5 | Are security requirements included in the demand specification when buying or changing equipment? | The requirements must be included from the beginning. | |
| 6 | Is a security validation made before introducing new hardware? | New hardware might create new holes in the system. | |
| 7 | Is there a person responsible for each workstation/personal computer? | | |

8. Documentation [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is the management policy document printed and distributed to all members of staff and subsequently to new members? | | |
| 2 | Is there an Information Security handbook? | | |
| 3 | Are systems and manual routines well documented? | To prevent the dependence on key-persons. | |
| 4 | Are there documents describing hardware, software, applications and communication? Are they up to date? | | |
| 5 | Do handbooks for each staff category exist? (Developers; Administrators (network, database etc.); Users; Helpdesk; etc.) | | |
| 6 | Are there any written rules defining responsibility and authority for each staff category? | | |
| 7 | Are system documents stored in a safe place? | | |
| 8 | Is the access to the system documents restricted? | | |

9. Computer media [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are there any routines for labelling media? | | |
| 2 | Are all media listed in an inventory? | | |
| 3 | Are media handed over with receipts? | | |
| 4 | Is the existence of media checked on a regular basis? | Media in the inventory list. | |
| 5 | Are there any routines to handle missing media? | | |
| 6 | Are there any routines for archiving media? | | |
| 7 | Are there any routines for transporting media? | | |
| 8 | Are there any routines for destroying media? | | |
| 9 | Are there any routines for how to handle media during service? | Don't leave media unattended during service and don't let media with secret information leave your organisation. | |

10. Identification and Authorisation [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | Identification/Authorisation: | | |
| 1 | Is there an Identification/Authorisation system that controls both users and resources? | Should be. | |
| 2 | Is the system built on 'something you know and something you have'? | A system with both password/PIN and something the users have (smart card/biometrics) is preferable. | |
| 3 | Does the system include logging and alarm functions? | Preferable. Necessary to be able to trace incidents and to get quick alerts. | |
| 4 | Is there an organisation to administer the Identification/Authorisation system? | Shouldn't be the computer department. | |
| 5 | Does the system include access control to resources/objects? | | |
| 6 | Is it quality tested on password/PIN? | Don't allow too short PW/PIN codes or codes with just alphabetic or numeric characters. | |
| 7 | Is it possible to reuse old passwords/PINs? | Shouldn't. | |
| 8 | Is it possible to use the user id as password/PIN? | Shouldn't. | |
| 9 | Are there any routines to change software default passwords? | Most software, including the operating system, has a lot of defaults known by a lot of people. Must be changed. | |
| 10 | Is the number of login attempts limited? | Should be, to prevent hacking. | |
| 11 | Is the change of password/PIN compulsory after a certain number of days? | Should be. | |
| 12 | Is the system administrator password (root) changed frequently? | Should be. | |
| 13 | Does the system block an account if the password is not changed within the time limit or the account has remained unused? | Should be. | |
| 14 | Is it possible for a user to change their own privileges? | Shouldn't. | |
| 15 | Is the password/PIN encrypted? (One-way encryption.) | Should never be transported or stored in an unencrypted way. | |
| 16 | Is the user authentication so-called 'strong' authentication? | Preferable. | |
| 17 | Is the password/PIN individual? | Must be. | |

11. System Security [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there a routine to ensure the correct date and time in all systems and are they synchronised? | | |
| 2 | Are there enhanced logging facilities in critical systems? | | |

12. Communication [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| | Internal: | | |
| 1 | Are there documented procedures for changing the network? | | |
| 2 | Are all changes to the network documented? | | |
| 3 | Is access to communication ports for service protected? | | |
| 4 | Is the network administrator privilege restricted to a few users? | | |
| 5 | Is all network hardware (hubs, repeaters, routers, gateways etc.) well protected? | | |
| 6 | Is the software in the network hardware well protected? | Use strong authentication for changing the software or configuration. | |
| 7 | Is an IDS (Intrusion Detection System) installed? | To prevent 'insiders' from doing unauthorised things. Will not replace the need for a firewall. | |
| | External: | | |
| 8 | Is a firewall installed? | | |
| 9 | Is there a routine for the administration of the firewall? | Setting up a firewall is not a once-and-for-all job. It must be updated constantly. | |
| 10 | Is the use of encryption considered? | Is there a trustworthy algorithm and key administration? | |
| 11 | Is access to communication ports for service protected? | | |
| | Are the safeguards (including encryption when needed) considered regarding: | | |
| 12 | - E-mail | | |
| 13 | - Telnet | Strong authentication. | |
| 14 | - FTP | | |
| 15 | - PPP | | |
| 16 | - EDI | | |
| 17 | - SNMP | | |
| 18 | - DNS services | | |
| 19 | - Routing | | |
| 20 | - Web sessions | | |
| 21 | - Java, JavaScript | | |
| 22 | - ActiveX | | |
| 23 | - Finger | | |
| 24 | - Rlogin | | |
| 25 | - Cookies | | |
| 26 | Are closed user groups used? | | |
| 27 | Are VPNs (Virtual Private Networks) used? | | |

13. Logging [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is the logging system documented? | | |
| 2 | Are the log files protected against unauthorised access? | | |
| 3 | Is the system configured in a way that the log must be turned on? | | |
| | What events are logged: | | |
| 4 | - Login | | |
| 5 | - Logout | | |
| 6 | - Failed login | | |
| 7 | - Exceptional behaviour | User not acting normally. Might be sorted out via an IDS. | |
| 8 | - Access violation | Unauthorised access to resources. | |
| 9 | - Activities in the Identification and Authorisation system | New users, change of privileges, removal of users etc. | |
| 10 | - Setting of date and time | | |
| 11 | - Introduction/removal of new hardware | | |
| 12 | - Introduction/removal of new software | | |
| 13 | - Introduction/removal of files | | |
| 14 | Are the log files archived in a proper way? | | |

14. Back-up [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are backups taken on a regular basis? | | |
| 2 | Are backups stored and archived in a safe place? | With regard to unauthorised access and 'climate' (fire, water etc.). | |
| 3 | Are the backup routines documented? | | |
| 4 | Are the backups labelled? | | |
| 5 | Is encryption of backups considered for secret information? | | |

15. Physical Protection [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Are all premises protected? | | |
| 2 | Are computers and network components placed in an access-protected area? | | |
| 3 | Is all system documentation safeguarded? | | |
| 4 | Are communication lines protected? | | |
| 5 | Is there an admission and leaving control system with a log? | | |
| 6 | Are the premises divided in different zones? | To restrict access. | |
| 7 | Is there an up-to-date list with authorised people? | | |

16. Incident handling [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there a plan for how to handle incidents? | | |
| 2 | Do you know the police unit responsible for computer crime? | | |

17. Contingency planning [Top]
----------------------------------------------------------------

| Nr | Question | Comment | Yes/No |
|----|----------|---------|--------|
| 1 | Is there a contingency plan? | How to recover the system after an incident. | |
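The password/PIN items in section 10 (quality test, no reuse, user id not allowed as password, limited login attempts, one-way encrypted storage) can be checked mechanically. The following is an added illustration, not part of the Interpol checklist: a minimal account model that enforces those items, with assumed thresholds (minimum length 8, history of 5, lock after 5 failed attempts) since the checklist names none.

```python
import hashlib
import hmac
import os
import string

MIN_LEN, HISTORY, MAX_ATTEMPTS = 8, 5, 5   # assumed thresholds; the checklist names none

def check_quality(user_id, pw):
    """Return the section 10 rules a candidate password/PIN breaks (empty = OK)."""
    problems = []
    if len(pw) < MIN_LEN:                               # item 6: too short
        problems.append("too short")
    classes = sum(any(c in cls for c in pw)
                  for cls in (string.ascii_letters, string.digits, string.punctuation))
    if classes < 2:                                     # item 6: only letters or only digits
        problems.append("single character class")
    if pw.lower() == user_id.lower():                   # item 8: user id as password
        problems.append("equals user id")
    return problems

def hash_pw(pw, salt=None):
    """One-way salted hash (item 15): the clear text is never stored or compared."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id, pw):
        self.user_id, self.history, self.failed, self.locked = user_id, [], 0, False
        if self.set_password(pw):                       # initial password must pass the policy
            raise ValueError("initial password rejected")

    def set_password(self, pw):
        """Apply the quality rules plus the reuse check (item 7); return the problems found."""
        problems = check_quality(self.user_id, pw)
        if any(hmac.compare_digest(d, hash_pw(pw, s)[1]) for s, d in self.history):
            problems.append("reused")
        if problems:
            return problems
        self.salt, self.digest = hash_pw(pw)
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY]
        return []

    def login(self, pw):
        """Verify against the stored hash; lock after MAX_ATTEMPTS failures (item 10)."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self.digest, hash_pw(pw, self.salt)[1])
        self.failed = 0 if ok else self.failed + 1
        self.locked = self.failed >= MAX_ATTEMPTS
        return ok
```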