TUCoPS :: General Information :: company.txt

Interpol document: Company Checklist

  19 May
   2001                                    Home | Search | Contact | Help

           Company Checklist

           This Information Technology (IT) crime         1. Management
           prevention checklist focuses on a range of   responsibilities
           IT security topics to be considered in the     2. Organisation
           field of threats, with criminal intent, to
           Information Technology.                        3. Personnel
           The checklist is just a reminder of what to    4. Personnel
           consider and not an instruction on how to    (Other)
           introduce certain security measures. Some      5. Information
           of the topics may need assistance from       classification
           experts in that field to be understood and     6. Software
           implemented.                                   7. Hardware
           If this checklist is copied and distributed  Documentation
           outside law enforcement, please fill in the    9. Computer
           name of the contact person within the        media
           police.                                      10.
           Police contact                               and Authorisation
                                                        11. System
                                                        12. Communication

                                                        13. Logging
                                                        14. Back-up
                                                        15. Physical
                                                        16. Incident
                                                        17. Contingency

           1. Management responsibilities                            [Top]

           Nr     Question               Comment                  Yes/No

           1      Information Security   No Policy = No
                  Policy? Does it exist  resources.
                  and has it been
                  written and approved
                  by management?

           2      Is there a process for It is a living document
                  scrutinising the       and must be updated

           3      Is there an initiative What are the threats
                  from management to do  and the risk that they
                  a risk analysis?       will be activated?

           4      Is there a management  To define how the
                  initiative to create a targets and the
                  security plan?         intention in the policy
                                         document should be

           5      Is there a management  The security
                  initiative to create a architecture is a high
                  security architecture? level description of
                                         technical security
                                         functions and
                                         organisational needs to
                                         fulfil the security

           6      Is there any           Internet connections
                  management policy for  tend to grow
                  external communication uncontrolled
                  like the Internet?

           7      Do all management
                  staff know the
                  contents and
                  intentions of the

           8      Is the organisation
                  for Information
                  Security work defined
                  in the policy

           9      Is there any
                  Information Security
                  training plan?

           10     Are Information
                  Security topics a part
                  of the introduction
                  plan for new members
                  of the staff?

           2. Organisation                                           [Top]

           Nr    Question                Comment                  Yes/No

           1     Is there an             Someone must have the
                 Information Security    responsibility to put
                 officer?                the management policy
                                         into practice.

           2     Does an Information
                 Security Handbook
                 exist? has it been
                 approved by the

           3     Is there an             Information Security
                 organisation and plan   training is not a
                 to train the staff      once-and-for-all
                 regularly in security   training.

           4     Is there an
                 organisation for the
                 'Identification and
                 Authorisation' system?

           5     Is there an
                 organisation for
                 contingency planning
                 and handling?

           6     Is there an             The organisation must
                 organisation plan for   be prepared for
                 handling incidents?     incidents

           7     Is the responsibility
                 and authority defined
                 in the organisation
                 plan, or in a job
                 description document?

           8     Does an organisation    Different categories
                 plan exist to explain   need different
                 the different staff     training and handbooks
                 categories in the IT    in Information
                 process? E.g. IT        Security matters
                 Security Manager,
                 Developers, Operators,
                 Users etc.

           3. Personnel (Employees)                                  [Top]

           Nr    Question               Comment                   Yes/No


           1     Are new members        Must be done before.
                 checked before         After it might be too
                 employment?            late.
                 References, education,
                 security clearance

           2     Are new staff informed
                 of secrecy

           3     Do they sign a secrecy

           4     Are 'key-persons'.     Backup available for
                 identified?            those?

           5     Does the staff get     Information Security
                 appropriate security   training is not a
                 training on a regular  once-and-for-all
                 basis?                 training.

           6     Are all staff informed Security violation.
                 on the consequences of
                 breaking the security

           7     Are there any routines There are many things to
                 for employees who      clean up in IT- systems
                 leave?                 to remove their

                           Systems Administration Personnel

           8     Are they informed on   A 'root'-privilege does
                 specific security      not imply they have
                 regulations for        authority to access of
                 Developers, Network    all data/information.
                 Administrators etc.?


           9     Are there very short,  Maximum 1 page
                 written security
                 instructions for

           4. Personnel (Other)                                      [Top]

           Service engineers
           Other service staff (guard, caretaker, cleaning service etc.)

           Nr    Question                  Comment                Yes/No

           1     Are there written
                 with Third Party

           2     Are those personnel       They should sign a
                 categories informed       document to
                 about security routines?  acknowledge that they
                                           understand the rules.

           3     Are those personnel       Security clearance
                 categories 'security

           4     Are the companies they    Security clearance
                 work for (their
                 employer) 'security

           5     Are 'key-persons'         Backup available for
                 identified?               those?

           6     Are those personnel
                 categories informed of
                 the consequences of
                 breaking the security

           7     Are there any routines    There are many things
                 for end of assignments?   to clean up in IT-
                                           systems to remove
                                           their authorities.

           5. Information classification                             [Top]

           Nr     Question                  Comment               Yes/No

           1      Is there a system for     To make it possible
                  information               to apply the most
                  classification according  effective security
                  to the appropriate level  measures
                  of availability? (E.G.
                  open, confidential,

           2      Does the classification
                  system require
                  encryption for any class
                  or type of information?

           3      Is there a
                  classification checklist
                  to make it easy for the
                  user to determine
                  information class?

           6. Software                                               [Top]

           Nr    Question                  Comment                Yes/No

           1     Are there any
                 instructions for
                 bringing outside
                 software/data into the

           2     Are policy documents and  Security features must
                 security guidelines       be implemented from
                 considered during         the beginning.
                 developing systems?

           3     Are security              The requirements must
                 requirements included in  be included from the
                 the demand specification  beginning.
                 when buying or
                 developing systems?

           4     Are system tests and      Avoid compilers and
                 development separated     editors in production
                 from production systems?  systems.

           5     Are security-related      Routines for this must
                 patches from developers   exist.
                 and/or vendors
                 implemented as soon as

           6     Is a security validation  New software might
                 approval done before      create new holes in
                 introducing new           the system.
                 software? Individual
                 users should not be
                 allowed to introduce new

           7     Is there a routine for    This is the most
                 installing a new          critical software and
                 operating system?         all configuration
                                           parameters must be
                                           checked before

           8     Is it a classified        According to ITSEC,
                 operating system?         TCSEC, Common Criteria

           9     Are security options in
                 the operating system

           10    Are there any routines
                 to change all security
                 related default
                 parameters in the
                 operating system?

           11    Is it the same type of    To change defaults and
                 routine for application   to set security
                 software?                 parameters.

           12    Are additional (e.g.
                 hacks) and
                 self-developed software
                 well documented?

           13    Are there any routines    To prevent hacking
                 to request all patches    possibilities.
                 that are needed to
                 preserve the security?

           14    Are 'system-tools'        Software to administer
                 protected?                and service the

           15    Are the use of
                 restricted to just a few

           16    Is all use of
                 'system-tools' logged?

           17    Is anti-virus software
                 installed and activated?

           18    Do the users know how to
                 handle viruses?

           19    Are there any extended
                 controls of software
                 downloaded from WAN such
                 as Internet?

           20    Are the users informed
                 about software licenses,
                 as to what extent they
                 are allowed to copy them
                 and use them in other
                 equipment? If they are
                 allowed to use them for
                 private use at home

           21    Is loading of new
                 software regulated?

           22    Is critical software
                 backed up and stored in
                 another safe place?

           23    Is critical software
                 protected by checksums.

           24    Is all software from      Special notice on
                 well-known sources?       encryption software

           7. Hardware                                               [Top]

           Nr    Question                  Comment                Yes/No

           1     Are there any
                 instructions for
                 bringing equipment
                 outside the

           2     Are there instructions
                 on how to discard

           3     Is it made clear that
                 the equipment is for
                 business use only and
                 not for private use by
                 the user?

           4     Are policy documents and
                 security guidelines
                 considered during
                 introduction of new

           5     Are security              The requirements must
                 requirements included in  be included from the
                 the demand specification  beginning.
                 when buying or changing

           6     Is a security validation  New hardware might
                 made before introducing   create new holes in
                 new hardware?             the system.

           7     Is there a person
                 responsible for each

           8. Documentation                                          [Top]

           Nr     Question                  Comment               Yes/No

           1      Is the management policy
                  document printed and
                  distributed to all
                  members of staff and
                  subsequently to new

           2      Is there an Information
                  Security handbook?

           3      Are systems and manual    To prevent the
                  routines well             dependence on key-
                  documented?               persons.

           4      Are there documents

                     * Hardware
                     * Software
                     * Applications
                     * Communication

                  Are they up to date?

           5      Do handbooks for each
                  staff category exist?

                     * Developer
                     * Administrators
                       (network, database
                     * Users
                     * Helpdesk
                     * etc.

           6      Are there any written
                  rules defining
                  responsibility and
                  authority for each staff

           7      Are system documents
                  stored in a safe place?

           8      Is the access to the
                  system documents

           9. Computer media                                         [Top]

           Nr     Question                Comment                 Yes/No

           1      Are there any routines
                  for labelling media?

           2      Are all media listed
                  in an inventory?

           3      Are media handed over
                  with receipts?

           4      Is the existence of     Media in the inventory
                  media checked on a      list.
                  regular base?

           5      Are there any routines
                  to handle missing

           6      Are there any routines
                  for archiving media?

           7      Are there any routines
                  for transporting

           8      Are there any routines
                  for destroying media?

           9      Are there any routines  Don't leave media
                  for how to handle       unattended during
                  media during service?   service and don't let
                                          media with secret
                                          information leave your

           10. Identification and Authorisation                      [Top]

           Nr  Question                       Comment              Yes/No


           1   Is there an                    Should be.
               system that controls both
               users and resources?

           2   Is the system built on         A system with both
               'something you know and        password/PIN and
               something you have'?           something the users
                                              have (Smart-
                                              card/Biometrics) is

           3   Does the system include        Preferable.
               logging and alarm functions?   Necessary to be
                                              able to trace
                                              incidents and to
                                              get quick alerts.

           4   Is there an organisation to    Shouldn't be the
               administer the                 computer
               Identification/Authorisation   department.

           5   Does the system include
               access control to

           6   Is it quality tested on        Don't allow too
               password/PIN?                  short PW/PIN codes
                                              or codes with just
                                              alphabetic or
                                              numeric characters.

           7   Is it possible to reuse old    Shouldn't.

           8   Is it possible to use the      Shouldn't.
               user id as password/PIN?

           9   Are there any routines to      Most software,
               change software default        including the
               passwords?                     operating system
                                              has a lot of
                                              defaults known by a
                                              lot of people. Must
                                              be changed.

           10  Is the number of log in        Should be to
               attempts limited?              prevent hacking.

           11  Is the change of password/PIN  Should be.
               compulsory after a certain
               number of days?

           12  Is the system administrator    Should be.
               password (root) changed

           13  Does the system block an       Should be.
               account if the password is
               not changed within the time
               limit or the account has been
               remained unused?

           14  Is it possible for a user to   Shouldn't.
               change their own privileges?

           15  Is the password/PIN            Should never be
               encrypted? (one way            transported or
               encryption)                    stored in an
                                              unencrypted way.

           16  Is the user authentication so  Preferable.
               called 'strong'

           17  Is the password/PIN            Must be.

           11. System Security                                       [Top]

           Nr      Question                 Comment               Yes/No

           1       Is there a routine to
                   ensure the correct date
                   and time in all systems
                   and are they

           2       Are there enhanced
                   logging facilities in
                   critical systems?

           12. Communication                                         [Top]

           Nr    Question                Comment                  Yes/No


           1     Are there documented
                 procedures for
                 changing the network?

           2     Are all changes to the
                 network documented?

           3     Is access to
                 communication ports
                 for service protected?

           4     Is the network
                 privilege restricted
                 to a few users?

           5     Is all network
                 hardware (HUB,
                 Repeaters, Routers,
                 Gateways etc.) well

           6     Is the software in the
                 network hardware well
                 protected? Use strong
                 authentication for
                 changing the software
                 or configuration.

           7     Is an IDS (Intrusion    To prevent 'insiders'
                 Detection System)       from doing unauthorised
                 installed?              things. Will not replace
                                         the need for a firewall.


           8     Is a firewall

           9     Is there a routine for  Setting up a firewall is
                 the administration of   not a once-and-for-all
                 the firewall?           job. It must be updated

           10    Is the use of           Is there a trustworthy
                 encryption considered?  algorithm and key

           11    Is access to
                 communication ports
                 for service protected?

                Are the safeguards (including encryption when needed)
                                considered regarding:

           12    - E-mail

           13    - Telnet                Strong authentication

           14    - FTP

           15    - PPP

           16    - EDI

           17    - SNMP

           18    - DNS-services

           19    - Routing

           20    - WEB-sessions

           21    - Java, Javascript

           22    - ActiveX

           23    - Finger

           24    - Rlogin

           25    - Cookies

           26    Are closed user group

           27    Are VPN (Virtual
                 Private Networks)

           13. Logging                                               [Top]

           Nr     Question                  Comment               Yes/No

           1      Is the logging system

           2      Are the log files
                  protected against
                  unauthorised access?

           3      Is the system configured
                  in a way that the log
                  must be turned on?

           What events are logged:

           4      - Login

           5      - Logout

           6      - Failed login

           7      - Exceptional behaviour   User not acting
                                            normaly. Might be
                                            sorted out via an IDS

           8      - Access violation        Unauthorised access
                                            to resources

           9      - Activities in the       New users, change of
                  Identification and        privileges, remove of
                  Authorisation system?     users etc

           10     - Setting of date and

           11     - Introduction/removal
                  of new hardware

           12     - Introduction/removal
                  of new software

           13     - Introduction/removal
                  of files

           14     Are the log-files
                  archived in a proper

           14. Back-up                                               [Top]

           Nr     Question                Comment                 Yes/No

           1      Are backups taken on a
                  regular basis?

           2      Are backups stored and  According to
                  archived in safe        unauthorised access
                  place?                  and 'climate' (fire,
                                          water etc.)

           3      Are the backup
                  routines documented?

           4      Are the backups

           5      Is encryption of
                  backups considered for
                  secret information?

           15. Physical Protection                                   [Top]

           Nr     Question                  Comment               Yes/No

           1      Are all premises

           2      Are computers and
                  network components
                  placed in an
                  access-protected area?

           3      Is all system

           4      Are communication lines

           5      Is there an admission
                  and leaving control
                  system with a log?

           6      Are the premises divided  To restrict access
                  in different zones?

           7      Is there an up to date
                  list with authorised

           16. Incident handling                                     [Top]

           Nr      Question                 Comment               Yes/No

           1       Is there a plan for how
                   to handle incidents?

           2       Do you know the police
                   unit responsible for
                   computer crime?

           17. Contingency planning                                  [Top]

           Nr      Question                 Comment               Yes/No

           1       Is there a contingency
                   plan? How to recover the
                   system after an incident

                                           Home | Search | Contact | Help

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH